Get Started With SaaSDR API

This help is intended for application developers who use the SaaSDR API.

Qualys API Framework

The Qualys SDR API uses the following framework.

Request URL

The URL for making API requests respects the following structure: https://<baseurl>/<module>/<object>/<object_id>/<operation> where the components are described below.

<baseurl>

The Qualys API server URL that you should use for API requests depends on the platform where your account is located. The base URL for Qualys US Platform 1 is: https://gateway.qg1.apps.qualys.com

<module>

The API module.

<object>

The module specific object.

<object_id>

The module specific object ID, if appropriate.

<operation>

The request operation, such as count.

Qualys API Gateway URL

The Qualys API URL you should use for API requests depends on the Qualys platform where your account is located.

Click here to identify your Qualys platform and get the API URL

This documentation uses the API gateway URL for Qualys US Platform 1 (https://gateway.qg1.apps.qualys.com) in sample API requests. If you’re on another platform, please replace this URL with the appropriate gateway URL for your account.

Introduction to SaaSDR API Paradigm

Get tips on using the Curl command-line tool to make API requests. Every API request must authenticate using a JSON Web Token (JWT) obtained from the Qualys Authentication API.

Authentication

You must authenticate to the Qualys SDR using Qualys account credentials (user name and password) and get the JSON Web Token (JWT). Use the Qualys Authentication API to get the JWT. The client first calls the /auth API to fetch the token, then makes the actual API calls, passing the token in the Authorization header as a Bearer token.

Auth request: Refer, Product / Service / API On-boarding#Authentication

For example,

Auth Request

URL: https://gateway.qg1.qualys.com/auth

HTTP: POST

Header

Content-Type: application/x-www-form-urlencoded

Body

username: <username>

password: <password>

token: true

where the URL begins with the base URL of the Qualys API server where your account is located.

- username and password are the credentials of the user account for which you want to fetch SaaSDR data

- token should be true

The Authentication API returns a JSON Web Token (JWT) which you can use for authentication in SaaSDR.

Rate limit: Qgateway provides rate limiting based on the configuration done in QWeb BO. SaaSDR relies on this existing feature.

Using Curl

Curl is a multi-platform command-line tool used to transfer data using multiple protocols. This tool is supported on many systems, including Windows, Unix, Linux and Mac. In this document Curl is used in the examples to build Qualys API requests using the HTTP over SSL (https) protocol, which is required.

Want to learn more? Visit https://curl.haxx.se/

The following Curl options are used according to different situations:

Option: -X "GET"
Description: The GET method is required for all SaaSDR API requests.

Option: -H "Authorization: Bearer <token>"
Description: This option is used to provide a custom HTTP request header parameter for authentication. Provide the JSON Web Token (JWT) received from the Qualys Authentication API in the following format: Authorization: Bearer <token>.

Limit Your Results

Use the optional "fields" parameter for any API request to limit the amount of information returned in the results. Specify the fields you want to include or exclude in the output, and all other information will be filtered out (excluded). Multiple fields are comma separated. The limit is set between 100-200.

Sample HTTP Response Headers

1) Name : X-XSS-Protection, Value : 1; mode=block

2) Name : X-Content-Type-Options, Value : nosniff

3) Name : X-Permitted-Cross-Domain-Policies, Value : none

4) Name : Referrer-Policy, Value : same-origin

5) Name : X-Frame-Options, Value : sameorigin

6) Name : X-Powered-By, Value : Qualys

7) Name : X-Application-Context, Value : saas-svc-common

8) Name : Server, Value : Qualys

Steps to generate bearer token to access SDR APIs:

URL: https://gateway.qg1.qualys.com/auth

HTTP method: POST

Header

1) Content-Type : application/x-www-form-urlencoded

Body :

1) Body type : x-www-form-urlencoded

2) Body

username:<username>

password:<password>

token:true

Hit the service and generate the token.

SDR APIs

Pass the bearer token generated in the initial step in the header when accessing the SDR APIs.

Example: Authorization:Bearer <Token> (Note: Reference taken as qg1)

Base url : https://gateway.qg1.qualys.com

Header : Authorization:Bearer <Token> (generated at the start)

HTTP method : GET
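
The two steps above as one script. This is an added example, not Qualys code. It assumes the credentials are in the QUALYS_USER and QUALYS_PASS environment variables, that /auth returns the bare JWT as the response body, and that the caller supplies the <module>/<object> path, which this page does not list. The password and the token are handed to curl on standard input, so neither shows up in the process list.

```shell
#!/bin/sh
# Added example, not Qualys code. Assumptions: QUALYS_USER / QUALYS_PASS env
# vars, /auth returns the bare JWT as its body, caller supplies the API path.
GATEWAY="${GATEWAY:-https://gateway.qg1.qualys.com}"   # auth URL host shown on this page

# Join <module> <object> [<object_id>] [<operation>] onto the gateway URL.
build_url() (
  url="$GATEWAY"
  for part in "$@"; do
    case "$part" in
      "") continue ;;                       # object_id is optional
      .|..|*[!A-Za-z0-9._~-]*) echo "bad path component: $part" >&2; return 1 ;;
    esac
    url="$url/$part"
  done
  printf '%s\n' "$url"
)

# A JWT is three non-empty base64url segments separated by dots.
is_jwt() {
  case "$1" in *[!A-Za-z0-9._-]*) return 1 ;; esac     # also rejects newlines
  printf '%s\n' "$1" | grep -Eq '^[^.]+\.[^.]+\.[^.]+$'
}

# Escape backslashes and double quotes for a quoted curl config value.
cfg_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# POST the form fields (curl sets the x-www-form-urlencoded Content-Type).
# They are read from stdin via -K -, and --data-urlencode percent-encodes them.
get_token() {
  : "${QUALYS_USER:?set QUALYS_USER}" "${QUALYS_PASS:?set QUALYS_PASS}"
  curl --silent --show-error --fail "$GATEWAY/auth" -K - <<EOF
data-urlencode = "username=$(cfg_escape "$QUALYS_USER")"
data-urlencode = "password=$(cfg_escape "$QUALYS_PASS")"
data-urlencode = "token=true"
EOF
}

# GET an SDR resource; the bearer header is also passed on stdin, not in argv.
sdr_get() (
  token="$1"; shift
  is_jwt "$token" || { echo "refusing to send: not a JWT" >&2; return 1; }
  url=$(build_url "$@") || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$token" |
    curl --silent --show-error --fail -X GET -K - "$url"
)

# Usage: ./sdr.sh run <module> <object> [<object_id>] [<operation>]
if [ "${1:-}" = "run" ]; then shift; sdr_get "$(get_token)" "$@"; fi
```

Set GATEWAY to the gateway URL for your platform if your account is not on US Platform 1.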
