Generating the JSON Web Token (JWT) for External Authentication

Some Patch Management features are available through REST APIs. To use the Patch Management APIs from the command line, you must authenticate to the Qualys Cloud Platform using Qualys account credentials (user name and password) and get the JSON Web Token (JWT) before you can start using the Patch APIs.  

Use the Qualys Authentication API to get the JWT. Access support information at

Example Authentication Curl Request:

API Request

       curl -X POST 
       "https://<QualysBaseURL>/auth" -H "Content-Type: application/x-www-form-urlencoded" -d "username=value1&password=value2&token=true&permissions=true" 


The following table explains the various components of this request:


It is the base URL for the Qualys API server where your account is located. 

The base URL for Qualys US Platform 1 is: https:///

value1 and value2

value1 is the username and value 2 is the password of the user account for which you want to fetch Asset Management data.


It must be true.


It must be true.


It must be application/x-www-form-urlencoded.


The Authentication API returns a JSON Web Token (JWT), which you can use for authentication during Patch API calls. The token expires in 4 hours. You must regenerate the token to continue using the Patch APIs.

To make calls using the Patch APIs, you must have the PM.API.ACCESS permission.