Patch Management Release 3.10 API

November 09, 2025

Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. For this API Release Notes, <qualys_base_url> is mentioned in the sample API requests.

To support your understanding, definitions of key terms such as End-of-Support (EOS) and End-of-life (EOL) are given below,  explaining the lifecycle of each endpoint. 
End of Support (EOS)End of Support (EOS)

End-of-Support for an API version signifies the point at which Qualys will no longer actively maintain or enhance that specific version. While the API may continue to function, it will not receive new features, performance improvements, or security updates. This phase is intended to provide a grace period for API consumers to migrate to newer versions.

Implications of End-of-Support

  • No New Features: The API version will not receive any further functional enhancements or new capabilities.
  • Limited Bug Fixes: Critical security vulnerabilities may be addressed on a case-by-case basis, but general bug fixes for non-critical issues will stop.
  • No Performance Improvements: Optimization efforts focus solely on newer API versions.
  • Reduced Support Channels: Technical support for issues related to this specific API version may become limited, and users are strongly recommended to upgrade.
  • No Guarantees of Reliability: While the API may remain operational, Qualys offers no guarantees regarding its continued reliability beyond the EOS date.

End of Life (EOL)End of Life (EOL)

End-of-Life for an API version is the final stage where the API version is officially retired and will be completely decommissioned. After the EOL date, the API will no longer be available, and any calls to it will result in errors. This marks the complete discontinuation of service for that specific API version.

Implications of End-of-Life

  • API Decommissioning: The API endpoint for this version is shut down and will no longer accept requests.
  • Complete Service Stoppage: All functionalities provided by this API version will cease to exist.
  • Error Responses: Any attempt to call the EOL API results in HTTP error codes, such as 404 Not Found or 410 Gone, or similar error messages.
  • No Support: All forms of support, documentation, and resources related to this API version will be discontinued. 

New API: Get List of Report Columns

New or Updated API New
API Endpoint  /pm/v1/report/columns
Method GET
DTD or XSD changes Not Applicable

We have introduced a new Get List of Columns API that fetches the list of available columns that can be selected to generate a report. This API generates list Patch, Asset, Job Progress, and Job Progress Action columns, supporting only Windows and Linux platforms. 

Sample - Get List of columns in a reportSample - Get List of columns in a report

API Request

  curl -X 'GET' \
  '<qualys_base_url>/pm/v1/report/columns?platform=Windows&reportSection=Asset' 
  -H 'accept: application/json' 
  -H 'Authorization: Bearer <JWT_Token>

API Response

[
  "rowId",
  "assetId",
  "assetName",
  "operatingSystem",
  "assetStatus",
  "scannedOn",
  "lastUser",
  "netBios",
  "patchStatus",
  "patchId",
  "patchTitle",
  "publishedDate",
  "architecture",
  "category",
  "bulletin",
  "kb",
  "qid",
  "cve",
  "severity"
]

Updated API: Get Assets Report

New or Updated API Updated
API Endpoint  /pm/v1/report/asset
EOS Timeline: October 2025
EOL Timeline: March 2026
API Endpoint (New Version) /pm/v2/report/asset
Method POST
DTD or XSD changes Not Applicable

With this release, we have updated the Get Assets Report API, which allows you to provide only the required columns and generate a customized assets report according to the filters provided in the input. All columns are selected by default, but you can modify and provide only the required columns. 

If you provide an empty request body and null parameters, the API will generate a report including all the columns. 

Sample - Generate Asset ReportSample - Generate Asset Report

API Request

curl -X 'POST' \
  '<qualys_base_url>/pm/v2/report/asset' 
  -H 'accept: application/json' 
  -H 'Authorization: Bearer <JWT_Token>
  -H 'Content-Type: application/json' 
  -d

API Body

'{
  "name": "Asset Report",
  "description": "Asset Report Description",
  "platform": "Windows",
  "query": "asset.status:Scanned",
  "havingQuery": "patch.isRebootRequired:false",
  "columnsToDisplay": {
    "asset": [
      "rowId",
      "assetId",
      "assetName",
      "operatingSystem",
      "assetStatus",
      "scannedOn",
      "lastUser",
      "netBios",
      "patchStatus",
      "patchId",
      "patchTitle",
      "publishedDate",
      "architecture",
      "category",
      "bulletin",
      "kb",
      "qid",
      "cve",
      "severity"
    ]
  }
}'

API Body

'{
  "name": "Asset Report",
  "description": "Asset Report Description",
  "platform": "Windows",
  "query": "asset.status:Scanned",
  "havingQuery": "patch.isRebootRequired:false",
  "columnsToDisplay": {
    "asset": [
      "assetName",
      "assetStatus",
      "patchStatus"
    ]
  }
}'

API Response

{
  "reportId": "3c41aa33-f4bd-4982-8880-87024741e3f9"
}

Updated API: Get Patches Report

New or Updated API Updated
API Endpoint  /pm/v1/report/patch
EOS Timeline: October 2025
EOL Timeline: March 2026
API Endpoint (New Version) /pm/v2/report/patch
Method POST
DTD or XSD changes Not Applicable

With this release, we have updated the Get Patches Report API, which allows you to provide only the required columns and generate a customized patches report according to the filters provided in the input. All columns are selected by default, but you can modify and provide only the required columns. 

If you provide an empty request body and null parameters, the API will generate a report including all the columns. 

Sample - Get Patches ReportSample - Get Patches Report

API Request

curl -X 'POST' \
  '<qualys_base_url>/pm/v2/report/patch' 
  -H 'accept: application/json' 
  -H 'Authorization: Bearer <JWT_Token>
  -H 'Content-Type: application/json' 
  -d

API Body

'{
  "name": "Patch Report",
  "description": "Patch report description",
  "platform": "Windows",
  "query": "patch.vendorSeverity:Important",
  "havingQuery": "asset.isLicensed:true",
  "columnsToDisplay": {
    "patch": [
      "rowId",
      "patchId",
      "patchTitle",
      "publishedDate",
      "rebootRequired",
      "architecture",
      "bulletin",
      "kb",
      "category",
      "qid",
      "cve",
      "severity",
      "patchStatus",
      "assetId",
      "assetName",
      "operatingSystem",
      "assetStatus",
      "isEsuPatch"
    ]
  }
}'

API Response

{
 "reportId": "7cc93f88-70be-4076-83e8-7a0f45b684dc"
}

Updated API: Get Deployment Job Progress Report

New or Updated API Updated
API Endpoint  /pm/v1/report/jobProgress/{deploymentJobId}
EOS Timeline: October 2025
EOL Timeline: March 2026
API Endpoint (New Version) /pm/v2/report/jobProgress/{deploymentJobId}
Method POST
DTD or XSD changes Not Applicable

With this release, we have updated the Get Deployment Job Progress API, which allows you to generate a customized patches report by providing only the required columns for the specified job ID. All columns are selected by default, but you can modify and provide only the required columns. This API supports only Windows and Linux platforms. 

 For the specified job ID, if you provide an empty request body and null parameters, it will generate a job progress report excluding the action columns. If you add only the includeActionReport: true parameter, the API will generate a report with deployment action result. 

Sample - Get Deployment Job Progress ReportSample - Get Deployment Job Progress Report

API Request

curl -X 'POST' \
  '<qualys_base_url>/pm/v2/report/jobprogress/c98a5a66-829e-4f2c-975c-837b1f639cfa' \
  -H 'accept: application/json' 
  -H 'Authorization: Bearer <JWT_Token>
  -H 'Content-Type: application/json' 
  -d

API Body

'{
  "name": "Job Progress Report",
  "description": "Job Progress Report Description",
  "query": "job.asset.status:Completed",
  "includeActionReport": true,
  "jobInstanceId": 1,
  "columnsToDisplay": {
    "jobProgress": [
       "rowId",
      "assetId",
      "assetName",
      "status",
      "pendingInRebootJobName",
      "scanDateTime",
      "operatingSystem",
      "patchStatusType",
      "patchId",
      "title",
      "category",
      "severity",
      "bulletin",
      "kb",
      "qid",
      "cve",
      "reason",
      "reasonCode",
      "osStatus",
      "exitCode",
      "httpStatus",
      "patchInstallDate",
      "assetIp",
      "patchStatusReason",
      "reasonId"
    ],
    "jobProgressActions": [
      "rowId",
      "assetId",
      "assetName",
      "status",
      "pendingInRebootJobName",
      "scanDateTime",
      "operatingSystem",
      "action",
      "actionId",
      "actionType",
      "actionParams",
      "returnCode",
      "errorMessage"
    ]
  }
}'

API Response

{
  "reportId": "dad52003-0fdb-4742-9fcb-8e3931f37035"
}

New API: Change Mitigation Job Status

New or Updated API New
API Endpoint  /mtg/v1/deploymentjobs/update/status/${action}
Method POST
DTD or XSD changes Not Applicable

We have introduced a new Change Mitigation Job Status API to change the status of Mitigation Jobs (Pass mitigation job Ids)

Input ParametersInput Parameters

Parameter

Mandatory/
Optional

Data Type

Description
 action Mandatory string Specify the value as Enabled or Disabled.
This parameter is used to enable on-demand and run once mitigation job from disabled to enabled state.

Sample - Change mitigation job statusSample - Change mitigation job status

API Request

curl -X 'POST' '<qualys_base_url>/mtg/v1/deploymentjobs/update/status/Enabled'
-H 'accept: application/json' 
-H 'Authorization: Bearer <JWT_Token>
-d

API Body

{
    "ids": [
        "6c8d9f5a-51c3-46eb-a85c-b2ad3539c854",
        "5e90a160-6262-4f2e-9cd5-bd83ef5a35be"
    ]
}

API Response

[
  {
    "id": "6c8d9f5a-51c3-46eb-a85c-b2ad3539c854",
    "name": "MTG_JOB1",
    "status": "success"
  },
{
    "id": "5e90a160-6262-4f2e-9cd5-bd83ef5a35be ",
    "name": " MTG_JOB2",
    "status": "success"
  }
]

Sample - Change mitigation job status for enabled jobsSample - Change mitigation job status for enabled jobs

For a mitigation job that is already in the Enabled state, if you try to change the status to Disabled, the API response displays the status as failure as shown in the following sample.

API Request

curl -X 'POST' '<qualys_base_url>/mtg/v1/deploymentjobs/update/status/Disabled'
-H 'accept: application/json'
-H 'Authorization: Bearer <JWT_Token>
-d

API Body

{  
  "ids": [
    "390f9223-d173-455d-b6b9-47c82b122d73"
  ]
}

API Response

[
  {
    "id": "390f9223-d173-455d-b6b9-47c82b122d73",
    "name": "RISKELIMINATIONMITIGATENOW_1759139816574",
    "status": "failure",
    "error": "Non-recurring jobs cannot be disabled once enabled by user"
  }
]

Support for OAuth 2.0 and OpenID Connect Authentication Standards 

With this release, we have upgraded our API security by incorporating OAuth 2.0 and OpenID Connect for Qualys API authentication and authorization. When OpenID Connect API authentication is implemented along with OAuth 2.0, IdP is used for user authentication and JWT token generation for the Qualys API access.

Key Updates

  • Seamless integration of OAuth 2.0 and OpenID Connect to enhance API authentication and authorization measures.
  • Compatibility with current identity providers and authentication to facilitate a seamless integration experience.
  • This authentication is supported by all Qualys APIs.
  • It eliminates the need for users to provide a username and password. This streamlines Qualys API access by allowing users to use JWT tokens, bypassing the hassle associated with usernames and passwords.

Enable OpenID Connect API Authentication

This feature is not available by default. Contact Qualys support to enable it for your subscription. You must follow the onboarding process. This feature requires IdP.

Benefits

  • Enhanced API security

    OpenID Connect (OIDC) uses tokens to establish a user's identity and grant access.

  • Standardized access control

    OpenID Connect (OIDC) provides a standardized way to manage user identities and access control

  • Centralized Authentication

    By enabling IDP-initiated SSO, users can authenticate once through your organization’s Identity Provider (IDP) and gain access to all the necessary APIs without needing to log in again. This simplifies the user experience and reduces password fatigue, making access faster and more secure.

  • Compliance and Security

    Helps to meet compliance requirements by ensuring that user authentication processes adhere to established security protocols like SAML and OIDC.

Prerequisites

Public signing certificates for verifying the authenticity of SAML responses. Upto 3 certificates can be provided. The certificate must be in X.509 format (usuallyin .pem or .cer files).

  • IdP Name

    The name of the Identity Provider (IdP) being configured. This can be a customname or provided by the customer.
    Example: "TestNameforIDP Qualys Internal"

  • Entity ID

    The unique identifier for the customer’s IdP. Typically, this is a URN or URL that serves as the IdP’s primary identifier during OIDC communications.
    Example: "https://example.com/idp"

  • Single Sign-On (SSO) URL

    The URL where authentication requests will be sent. This is the endpoint where users are redirected to authenticate with the customer’s IdP.
    Example: "https://example.com/login"

  • Single Logout (SLO) URL (if applicable)

    The URL for handling logout requests. If you support Single Logout, this endpoint will manage the termination of sessions both at the IdP and within Qualys.
    Example: "https://example.com/logout"

  • SSO Exit URL (optional)

    The URL where users will be redirected after successful authentication.

  • Certificates

    Public signing certificates for verifying the authenticity of SAML responses. Upto 3 certificates can be provided. The certificate must be in X.509 format (usuallyin .pem or .cer files).

Only Patch Management and Mitigation APIs are supported.

Onboarding Process

To start using OpenID Connect API authentication, the following onboarding process must be completed.

  1. Contact Qualys Support (www.qualys.com/support) to request OpenID Connect API authentication activation for your subscription. A CRM ticket is automatically created and is used as a reference and tracking for all discussions concerning the activation.
  2. Qualys Support replies to the ticket to share and request the required technical information used to enable OIDC. see the Prerequisites for the details.
  3. Upon receipt of the response, Qualys enables OpenID Connect API authentication support. This process takes approximately one week to complete.

Use OpenID Connect API Authentication

Once the onboarding process is complete and the OpenID Connect API authentication is enabled, you can begin using it. To start using it, you must first generate the JWT token and then use that token to execute the Qualys APIs. The following subsections provide API request and response samples for generating a JWT token and executing APIs using this token.

You can generate the JWT access token by providing the client ID and client secret key in the following API request headers.

For more information on client ID and client secret key, refer to Support for Auth ID Client Management from UI.

Sample: Generate JWT Token using User CredentialsSample: Generate JWT Token using User Credentials

API Request

curl --location '
https://qualys.oktapreview.com/oauth2/aus27sviwo8jbrP4T0h8/v1/token'
--header 'Content-Type: application/x-www-form-urlencoded' 
--data-urlencode 'grant_type=password'
--data-urlencode '[email protected]'
--data-urlencode 'password= ' 
--data-urlencode 'client_id=0oa27l586h672nMy90h8' 
--data-urlencode 'scope=openid profile'

Response

{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": " ",
  "scope": "openid profile",
  "id_token": " "
}

Sample:  - Generate JWT Token using Client ID and Secret keySample:  - Generate JWT Token using Client ID and Secret key

API Request

curl -X POST
'<qualys_base_url>/auth/oidc'
--header 'clientSecret: wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
--header 'clientId: 123e4567-e89b-12d3-a456-426614174000'

API Response

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJjbGllbnQxMjM0NTYiLCJzYwZXM
iOlsiYXBpLnJlYWQiLCJhcGkud3JpdGUiXSwi
aXNzIjoiaHR0cHM6Ly9kdW1teS1hdXRoLmNvb
SIsImV4cCI6MTcwMDAwMDAwMH0.SdXn3I6yTb-
JNk9LPjR8W9xAtH7dN3Mqf3HdJ5WnRfE

Sample: Use JWT Token to access PM APIsSample: Use JWT Token to access PM APIs

This sample uses JWT token generated using credentials or client ID and secret key to access PM APIs.

API Request

curl -X 'POST' 
'<qualys_base_url>/pm/v1/patchcatalog/patches/domains?platform=Windows' 
 -H 'accept: application/json' 
 -H 'Authorization: Bearer <JWT_Token>' 
 -H 'Content-Type: application/json'
 -d ''

Response

[
  "https://osdn.mirror.constant.com",
  "http://updates-http.cdn-apple.com",
  "http://www.tightvnc.com",
  "https://forums.ivanti.com",
  "http://sourceforge.net",
  "http://download.techsmith.com",
  "https://aimp.ru",
  "http://www.wireshark.org"
]

© 2025 Qualys, Inc. All rights reserved. Privacy Policy.