Getting Started with SAQ APIs
Welcome to Qualys Security Assessment Questionnaire (SAQ) API. This user guide is intended for application developers who uses the Qualys SAQ APIs.
Authentication
Authentication to your Qualys account with valid Qualys credentials is required for making Qualys API requests to the Qualys API servers.
Qualys User Account
Authentication with valid Qualys user account credentials is required for making Qualys API requests to the Qualys API servers. These servers are hosted at the Qualys platform, also referred to as the Security Operations Center (SOC), where your account is located. If you need assistance with obtaining a Qualys account, please contact your Qualys account representative. Qualys user accounts that have been enabled with VIP two-factor authentication can be used with the Qualys API, however, two-factor authentication is not used when making API requests. Two-factor authentication is only supported when logging into the Qualys GUI.
Making API Calls
Curl Samples in Our API Document
We use curl in our API documentation to show an example of how to form REST API calls, and it is not meant to be an actual production example of implementation.
GET and POST Methods
Qualys API functions allow API users to submit parameters (name=value pairs) using the GET and/or POST method. There are known limits for the amount of data that can be sent using the GET method, and these limits are dependent on the toolkit used. Please refer to the individual descriptions of the API function calls to learn about the supported methods for each function
Parameters in URLs
API parameters, as documented in this user guide, should be specified one time for each URL. In the case where the same parameter is specified multiple times in a single URL, the last parameter takes effect and the previous instances are silently ignored. URL elements are case-sensitive.
Date Format in API Results
The Qualys API has adopted a date/time format to provide consistency and interoperability of the Qualys API with third-party applications. The date format follows standards published in RFC 3339 and ISO 8601, and applies throughout the Qualys API. The date format is: yyyy-mm-ddThh-mm-ssZ This represents a UTC value (GMT time zone).
URL Encoding in API Code
You must URL encode variables when using the Qualys API. This is standard practice for HTTP communications. If your application passes special characters, like the single quote (‘), parentheses, and symbols, they must be URL encoded. For example, the pound (#) character cannot be used as an input parameter in URLs. If “#” is specified, the Qualys API returns an error. To specify the “#” character in a URL you must enter the encoded value “%23”. The “#” character is considered by browsers and other Internet tools as a separator between the URL and the results page, so whatever follows an un-encoded “#” character is not passed to the Qualys API server and returns an error.
Know Your Portal Version
Using the Version API you can find out the installed version of Portal and its sub-modules that are available in your subscription.
Sample XMLSample XML
API Request
curl -u "USERNAME:PASSWORD" -X "GET" -H "Accept: application/xml"
https://<qualysbaseurl>/qps/rest/portal/version
Response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/version.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
<Portal-Version>
<PortalApplication-VERSION>2.33.0.0-SNAPSHOT-1 DEVELOP #352 (2018-05-07T22:53:43Z)</PortalApplication-VERSION>
<WAS-VERSION>6.0.0.0</WAS-VERSION>
<FIM-VERSION>1.5.1</FIM-VERSION>
<VM-VERSION>1.0.3</VM-VERSION>
<CERTVIEW-VERSION>1.1.0.0</CERTVIEW-VERSION>
<CM-VERSION>1.20.1</CM-VERSION>
<MDS-VERSION>2.11.7.0</MDS-VERSION>
<CA-VERSION>2.9.1.0</CA-VERSION>
<IOC-VERSION>1.1.0</IOC-VERSION>
<AV2-VERSION>0.1.0</AV2-VERSION>
<QUESTIONNAIRE-VERSION>2.14.0.4</QUESTIONNAIRE-VERSION>
<WAF-VERSION>2.7.0.0</WAF-VERSION>
</Portal-Version>
</data>
</ServiceResponse>
Sample JSONSample JSON
API Request
curl -u "USERNAME:PASSWORD" -X "GET" -H "Accept: application/json"
https://<qualysbaseurl>/qps/rest/portal/version
Response
{
"ServiceResponse": {
"data": [
{
"Portal-Version": {
"PortalApplication-VERSION": "2.33.0.0-SNAPSHOT-1 DEVELOP #352 (2018-05-07T22:53:43Z)",
"WAS-VERSION": "6.0.0.0",
"VM-VERSION": "1.0.3",
"CM-VERSION": "1.20.1",
"MDS-VERSION": "2.11.7.0",
"CA-VERSION": "2.9.1.0",
"QUESTIONNAIRE-VERSION": "2.14.0.4",
"WAF-VERSION": "2.7.0.0"
},
...
}
}
],
"responseCode": "SUCCESS",
"count": 1
}
}
URL to Qualys API Server
Qualys maintains multiple Qualys Cloud Platforms. The API server URL that you should use for API requests depends on the platform where your Qualys account is located. To identify your Qualys platform and get the API URL, visit https://www.qualys.com/platform-identification/.
|
Account Location |
API Server URL |
|---|---|
|
Qualys US Platform 1 |
https://qualysapi.qualys.com |
|
Qualys US Platform 2 |
https://qualysapi.qg2.apps.qualys.com |
|
Qualys US Platform 3 |
https://qualysapi.qg3.apps.qualys.com |
|
Qualys EU Platform 1 |
https://qualysapi.qualys.eu |
|
Qualys EU Platform 2 |
https://qualysapi.qg2.apps.qualys.eu |
|
Qualys India Platform 1 |
https://qualysapi.qg1.apps.qualys.in |
|
Qualys Private Cloud Platform |
https://qualysapi.<customer_base_url> |
Looking for your API server URL for your account? You can find this easily. Just log in to your Qualys account and go to Help > About. You'll see this information under Security Operations Center (SOC).
Get API Notifications
We recommend you join our Community and subscribe to our API Notifications RSS Feeds for announcements and discussions.
https://community.qualys.com/community/developer/notifications-api