Token-based Authentication from Qualys Application UI
Token-based authentication gives you a secure and scalable authentication service. It supports generating JSON Web Tokens (JWT), granular permission control, and the creation of user-level and subscription-level clients for authentication. It also gives you greater flexibility and helps you comply with industry-adopted security practices.
Scope of Token-based Authentication
Previously, Qualys API authentication was primarily based on user credentials, such as a username and password. This approach has limitations for credential storage, automated job execution, and role-based access control. Token-based authentication is an enhanced authentication service that addresses these limitations.
The enhanced token-based authentication also helps with:
- Identity Provider (IdP) benefits: Token-based authentication gives you the benefits of an IdP even if you do not operate a separate IdP.
- Automated API access: Token-based authentication provides an alternative to user credentials for API authorization, so automated jobs do not need to store a username and password.
- Role-based access control: Token-based authentication provides role-based access control for automated API execution, enhancing security and minimizing the risk of unauthorized access.
Token-based authentication using a Client ID and Client Secret generated from Qualys applications does not require an Identity Provider (IdP). Refer to Open ID Connect API Authentication using IdP to learn more about the IdP-based solution.
User Benefits
The enhanced token-based authentication provides you with the following benefits:
- Qualys-generated JWT tokens: The token-based authentication service issues Qualys-generated JWTs, so you do not need an external Identity Provider.
- User-level and subscription-level clients: User-level clients are associated with a specific user. Both manager and non-manager users can create these clients. The authentication tokens generated by a user-level client can be used only by the associated user, and the client is invalidated if that user is deactivated. User-level clients are a good fit for access control and manual API workflows.
  Subscription-level clients are created for all the users in the subscription, and the authentication tokens they generate can be used for automated API workflows. Only manager users can create subscription-level clients.
- Role-based access control: The token-based authentication service lets you allocate application-level permissions to a client. These API-based permissions can be used for access control and to restrict unauthorized access.
- Credential-less API access: With subscription-level clients, you can run automated API workflows without user credentials, improving your security posture by minimizing credential exposure.
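The automated, credential-less workflow described above, as an added example that is not Qualys code: a Python client that obtains a JWT through a client-credentials callback, caches it, reads the standard `exp` claim to refresh shortly before expiry, and sends the token as a Bearer header. This page does not show the token endpoint, its request body or its response shape, so the network call is replaced by a constructed stand-in issuer (`make_demo_issuer`) that mints HS256-signed JWTs with a constructed secret; the `fetch` callback, the 60-second refresh margin, the `verify_hs256` helper and the `iss`/`sub` values are assumptions for illustration, not Qualys behaviour.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

# Added example, not Qualys code. The real token endpoint, its request body and
# response shape are not shown on the page; `fetch` below stands in for that call.


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWS without verifying the signature.

    The API client never holds the issuer's signing key, so it only reads the
    claims to schedule refreshes; verifying the signature is the API server's job.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    claims = jwt_claims(token)
    if "exp" not in claims:
        # A token without exp would be cached forever; refuse rather than guess.
        raise ValueError("token has no exp claim")
    return claims["exp"] - (time.time() if now is None else now)


class TokenCache:
    """Reuses one bearer token across API calls and re-requests it near expiry."""

    def __init__(self, fetch: Callable[[], str], refresh_margin: int = 60):
        self._fetch = fetch            # obtains a fresh JWT using Client ID + Secret
        self._margin = refresh_margin  # seconds before exp at which to refresh (assumed)
        self._token: Optional[str] = None

    def token(self, now: Optional[float] = None) -> str:
        if self._token is None or seconds_until_expiry(self._token, now) <= self._margin:
            self._token = self._fetch()
        return self._token

    def auth_header(self, now: Optional[float] = None) -> Dict[str, str]:
        # Bearer scheme (RFC 6750): only the short-lived token travels with each call,
        # never the client secret.
        return {"Authorization": "Bearer " + self.token(now)}


def make_demo_issuer(secret: bytes, lifetime: int,
                     clock: Callable[[], float]) -> Callable[[], str]:
    """Constructed stand-in for the token endpoint: mints HS256-signed JWTs.

    In production this callback would POST the Client ID and Client Secret to the
    token endpoint and return the JWT from the response.
    """
    def issue() -> str:
        now = int(clock())
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"iss": "demo-issuer", "sub": "demo-subscription-client",
                   "iat": now, "exp": now + lifetime}
        segs = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                for x in (header, payload)]
        sig = hmac.new(secret, ".".join(segs).encode(), hashlib.sha256).digest()
        return ".".join(segs + [_b64url_encode(sig)])
    return issue


def verify_hs256(token: str, secret: bytes) -> bool:
    """Check the demo issuer's HS256 signature (what the API server side would do)."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def demo():
    """Drive the cache with a controllable clock; returns the three tokens observed."""
    clock = [1_700_000_000.0]                       # constructed epoch timestamp
    secret = b"constructed-demo-secret"             # stands in for the issuer's key
    cache = TokenCache(make_demo_issuer(secret, lifetime=300, clock=lambda: clock[0]),
                       refresh_margin=60)
    first = cache.token(now=clock[0])
    clock[0] += 100                                 # 200 s left: cached token reused
    second = cache.token(now=clock[0])
    clock[0] += 150                                 # 50 s left <= margin: refreshed
    third = cache.token(now=clock[0])
    return first, second, third


if __name__ == "__main__":
    a, b, c = demo()
    print("reused:", a == b, "refreshed:", a != c, "new exp:", jwt_claims(c)["exp"])
```

The refresh margin matters in practice: a job that checks `exp` only after a request fails will retry with an already-expired token; checking before each call and refreshing inside the margin avoids that race. The client secret appears only inside `fetch`, which keeps it out of request logs and out of every per-call header.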
Next Topic: Set up Token-based Authentication from UI
Related Topic: OIDC Token-based API Authentication using IdP