Getting Started with Patch Management APIs

A few Patch Management features are available through REST APIs. You can use the Swagger tool to access the REST APIs we support. You cannot use Patch Management APIs with the Free License.

Note: Patch Management APIs support fetching a maximum of 10,000 records only.

Values of the query parameters must be encoded. URL encoding conversion to ASCII character set is required to ensure characters are transmitted correctly. The URLs contain characters that might not be in the ASCII character, so the URL must be converted into a valid ASCII format. Encoding the URL replaces the unsafe ASCII characters with a % followed by two hexadecimal digits. Because a URL must not contain spaces, the encoding replaces a space with a plus sign (+) or %20.

Accessing APIs Using Swagger

Swagger is a widely-adopted specification for programmatically describing REST APIs. The Swagger UI provides all the details about the APIs and how to invoke them. This includes the HTTP verbs (GET, POST, PUT, etc.), the URL paths, allowable parameters and types, etc.

You can directly access the Swagger UI from the following URL:


For example, if your account is on US Platform 2

Qualys Platforms

Qualys maintains multiple platforms. The Qualys URL that you should use for API requests depends on the platform where your account is located. To identify your Qualys platform and get the API URL, visit:

Do I need to Authenticate to use the Swagger UI?

Authentication to the Qualys Cloud Platform is necessary before you try the APIs.

1. Enter the username and password.

2. Select the  Permissions check box and click Login.

3. Copy the token and paste it into the Value box.

4. Click Authorize.

You can now use the APIs using the Swagger UI.

Using token values in the API calls

You can use QQL tokens in your API requests. Click here to view the supported tokens.

Note: For Patch Reports APIs, the API rate limit is ten times per hour per customer. For more information, refer to Get Assets ReportGet Deployment Job Progress ReportGet List of Generated ReportsGet Patches Report, and Get Report in CSV Format.

For other APIs, the rate limit is as mentioned in your subscription. If it's not defined in the subscription, the default rate limit per subscription per API is 300 calls per hour.

API Response Codes

The response codes of the Patch Management public APIs are as per the API standards. It enables you to understand incorrect or invalid request values better. As a result, you can troubleshoot and fix the API requests to get the correct response. If you provide incorrect base URL or incorrect query parameters, you get the 404 response code. If you provide invalid input parameters, you get a 400 response code.