Getting Started with SAQ APIs

Welcome to Qualys Security Assessment Questionnaire (SAQ) API. This user guide is intended for application developers who uses the Qualys SAQ APIs.


Authentication to your Qualys account with valid Qualys credentials is required for making Qualys API requests to the Qualys API servers. 

Qualys User Account

Authentication with valid Qualys user account credentials is required for making Qualys API requests to the Qualys API servers. These servers are hosted at the Qualys platform, also referred to as the Security Operations Center (SOC), where your account is located. If you need assistance with obtaining a Qualys account, please contact your Qualys account representative. Qualys user accounts that have been enabled with VIP two-factor authentication can be used with the Qualys API, however, two-factor authentication is not used when making API requests. Two-factor authentication is only supported when logging into the Qualys GUI.

Making API Calls

Curl Samples in Our API Document

We use curl in our API documentation to show an example of how to form REST API calls, and it is not meant to be an actual production example of implementation.

GET and POST Methods

Qualys API functions allow API users to submit parameters (name=value pairs) using the GET and/or POST method. There are known limits for the amount of data that can be sent using the GET method, and these limits are dependent on the toolkit used. Please refer to the individual descriptions of the API function calls to learn about the supported methods for each function

Parameters in URLs

API parameters, as documented in this user guide, should be specified one time for each URL. In the case where the same parameter is specified multiple times in a single URL, the last parameter takes effect and the previous instances are silently ignored. URL elements are case-sensitive.

Date Format in API Results

The Qualys API has adopted a date/time format to provide consistency and interoperability of the Qualys API with third-party applications. The date format follows standards published in RFC 3339 and ISO 8601, and applies throughout the Qualys API. The date format is: yyyy-mm-ddThh-mm-ssZ This represents a UTC value (GMT time zone).

URL Encoding in API Code

You must URL encode variables when using the Qualys API. This is standard practice for HTTP communications. If your application passes special characters, like the single quote (‘), parentheses, and symbols, they must be URL encoded. For example, the pound (#) character cannot be used as an input parameter in URLs. If “#” is specified, the Qualys API returns an error. To specify the “#” character in a URL you must enter the encoded value “%23”. The “#” character is considered by browsers and other Internet tools as a separator between the URL and the results page, so whatever follows an un-encoded “#” character is not passed to the Qualys API server and returns an error.

Know Your Portal Version

Using the Version API you can find out the installed version of Portal and its sub-modules that are available in your subscription.

GET POST /qps/rest/portal/version/

Sample XMLSample XML

API Request

curl -u "USERNAME:PASSWORD" -X "GET" -H "Accept: application/xml"


<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="" xsi:noNamespaceSchemaLocation="">
            <PortalApplication-VERSION> DEVELOP #352 (2018-05-07T22:53:43Z)</PortalApplication-VERSION>

Sample JSONSample JSON

API Request

curl -u "USERNAME:PASSWORD" -X "GET" -H "Accept: application/json"



  "ServiceResponse": {
    "data": [
        "Portal-Version": {
          "PortalApplication-VERSION": " DEVELOP #352 (2018-05-07T22:53:43Z)",
          "WAS-VERSION": "",
          "VM-VERSION": "1.0.3",
          "CM-VERSION": "1.20.1",
          "MDS-VERSION": "",
          "CA-VERSION": "",
          "WAF-VERSION": ""
    "responseCode": "SUCCESS",
    "count": 1

URL to Qualys API Server

Qualys maintains multiple Qualys Cloud Platforms. The API server URL that you should use for  API requests depends on the platform where your Qualys account is located. To identify your Qualys platform and get the API URL, visit

Account Location

API Server URL

Qualys US Platform 1

Qualys US Platform 2

Qualys US Platform 3

Qualys EU Platform 1

Qualys EU Platform 2

Qualys India Platform 1

Qualys Private Cloud Platform



Looking for your API server URL for your account? You can find this easily. Just log in to your Qualys account and go to Help > About. You'll see this information under Security Operations Center (SOC).

Get API Notifications

We recommend you join our Community and subscribe to our API Notifications RSS Feeds for announcements and discussions.