Authentication

This section describes how to authenticate with the QFlow public APIs. Authentication is required before making any API requests.

Creating a Client

The first step to authenticating yourself is obtaining the necessary Client credentials. For this, you must create a Client from the Qualys platform. Follow the steps below.

  1. Select your profile in the upper-right corner.
  2. Go to Auth ID Client Management.
  3. If clients already exist, they are listed on this page. If not, you will need to create one. There are two types of clients:

    User Level - Authentication is done using the user's RBAC.
    Subscription Level - Authentication is done at the subscription level, and the user context will not be available in the JWT.

    For now, we are only supporting the User Level clients.

  4. From the User Level tab, click New Client.
    1. Provide a descriptive name.
    2. Select the required modules and permissions. Clients must have the Qualys Flow Access permission to access public APIs.

      Note: The available permissions reflect those assigned to the logged-in user.
    3. Save the client.

Upon saving, a secret key is displayed. Copy the key and store it securely. The secret key is only displayed once, so save it without fail.

Copy the Client ID of your newly created client from the Auth ID Client Management page.

Generating a JWT Token

Once you have the required client credentials, you may proceed with generating the JWT token and fully authenticating your user. Follow the steps below.

  1. Open an API client (e.g., Postman).
  2. Send a POST request to the authorization endpoint:
    POST https://<qualys_base_url>.qualys.com/auth/oidc
    Headers:
      Content-Type: application/x-www-form-urlencoded
      clientId: ********-****-****-****-************
      clientSecret: *******************************

In response, you will receive a JWT token, for example:

ey***************************.ey***************************.KEm***************************

Do not share JWT tokens. Use only trusted tools such as jwt.io to decode tokens.

Token Validity

Tokens are valid for 4 hours. A token remains valid until it expires, even if:

  • The client is deleted.
  • The client is recreated or modified.

Once expired, the token cannot be used again. To obtain a new token, repeat the request to:

https://<qualys_base_url>.qualys.com/auth/oidc

Using the JWT Token

After obtaining a JWT token, include it in the Authorization header of API requests:

Authorization: Bearer <your_jwt_token>

Example Request:

Retrieve Workflows

curl --location 'https://<qualys_base_url>.qualys.com/qflowapi/v1/workflows?pageSize=10&pageNumber=1' \
  --header 'Authorization: Bearer ey***************************'

The response will vary depending on the token’s permissions and validity.
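The token request, the 4-hour validity rule and the Bearer header described in the sections above, put together as a small Python client. This is an added example, not Qualys code: it sends the credentials as headers exactly as shown on this page, caches the token, and refreshes shortly before the exp claim rather than calling /auth/oidc on every request. The base URL, client credentials and the demo_jwt helper are placeholders and constructed values.

```python
import base64
import json
import time
import urllib.request

def token_request_headers(client_id: str, client_secret: str) -> dict:
    # The page passes the client credentials as request headers with a
    # form-urlencoded content type; the POST body itself is empty.
    return {"Content-Type": "application/x-www-form-urlencoded",
            "clientId": client_id, "clientSecret": client_secret}

def request_token(base_url: str, client_id: str, client_secret: str) -> str:
    # base_url is the tenant host, e.g. https://<qualys_base_url>.qualys.com
    req = urllib.request.Request(f"{base_url}/auth/oidc", data=b"", method="POST",
                                 headers=token_request_headers(client_id, client_secret))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode().strip()

def jwt_expiry(token: str) -> int:
    # Reads only the 'exp' claim; the API verifies the signature, the client
    # just needs exp to refresh ahead of the 4-hour lifetime.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def needs_refresh(token: str, now: float, skew: int = 300) -> bool:
    return now >= jwt_expiry(token) - skew

class TokenCache:
    """Reuse one token for its lifetime; fetch a new one only near expiry,
    instead of hitting /auth/oidc before every API call."""
    def __init__(self, fetch):
        self._fetch, self._token = fetch, None

    def get(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._token is None or needs_refresh(self._token, now):
            self._token = self._fetch()
        return self._token

def auth_header(token: str) -> dict:
    return {"Authorization": f"Bearer {token}"}

def demo_jwt(exp: int) -> str:
    # Constructed, unsigned sample token for offline testing only.
    def enc(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"
```

In real use, wire `TokenCache(lambda: request_token(base_url, client_id, client_secret))` and pass `auth_header(cache.get())` to each qflowapi request.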