TotalAppSec Release 2.9 | Web Application Scanning Release 1.29 API
July 05, 2026
Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. For these API Release Notes, <qualys_base_url> is mentioned in the sample API requests.
External Identity Provider Authentication Support for WAS V4 APIs
We are introducing support for External Identity Provider (IdP) authentication for WAS V4 Public APIs (/qps/rest/webapp/4.0 and related endpoints). You can now authenticate WAS API requests using Bearer JWT tokens issued by third-party OIDC-compliant identity providers such as Microsoft Azure AD and Okta.
This enhancement enables a unified authentication experience across Qualys modules, eliminating the need for separate credential management for WAS APIs.
Previously, WAS APIs accepted only Qualys Basic Authentication and Qualys-native OIDC (Qualys as IdP). External IdP tokens were rejected with Error U0003 (Unauthorized), even when the same tokens worked with other Qualys modules such as VMDR.
WAS APIs now validate External IdP tokens through Qualys Authentication Services (QAS), resolving this inconsistency across modules.
Supported Authentication Methods
The following table summarizes the authentication methods supported across V3 and V4 APIs:
| Authentication Method | Token Level | Endpoint Used | V3 APIs | V4 APIs |
|---|---|---|---|---|
| Qualys Basic Authentication | N/A | N/A | Supported | Supported |
| External IdP OIDC (Azure Active Directory (AD), Okta) | User-level | Customer IdP token URL | Supported | Supported |
| Qualys Managed OIDC | User-level |
|
Supported | Supported |
| Qualys Managed OAuth | Subscription-level |
|
Not supported | Not supported |
WAS and TAS APIs require user-level context for permission enforcement and audit logging. Therefore, subscription-level OAuth tokens (/auth/oauth) are not supported for any WAS and TAS API endpoint. This applies to both methods - External IdP OIDC and Qualys Managed OIDC.
External IdP must be configured in Qualys Authentication Services (QAS) before using this feature. For setup details, refer to the Qualys Token-based Authentication Technical Brief.
New V4 APIs for TotalAppSec and Web Application Scanning
Over the past several releases, we have continued to enhance the TotalAppSec API framework to provide broader functionality, improved consistency, and expanded integration capabilities.
This update brings together these existing capabilities into a unified and clearly documented API set, making it easier for users to discover, understand, and adopt them. The APIs included here reflect ongoing improvements across key areas such as application management, scan operations, findings workflow, reporting, configuration, and third‑party integrations.
Why Upgrade to the V4 API
The V4 API delivers the following benefits to help you build better integrations:
- Stronger, Simpler Security – JWT Bearer token authentication with Azure AD/Okta support (starting TotalAppSec 2.9 | Web Application Scanning 1.29) removes the need to pass credentials with every request, offering a more secure and easily revocable access model.
- Faster at Any Scale – On-demand field selection cuts response sizes by 60–70%, while cursor-based pagination keeps performance consistent even with large datasets.
- Faster, More Reliable Search – A unified Qualys Query Language (QQL) delivers consistent, high-performance search across all endpoints.
- Simpler Integration – A fully RESTful, JSON-only design with consistent patterns, sub-resource endpoints, and partial updates reduces complexity and shortens the learning curve.
- Uninterrupted Service – Independent scaling and isolated failure handling keep integrations running smoothly without impacting portal performance.
For TotalAppSec V4 API documentation, refer to TotalAppSec APIs.
New APIs in TAS 2.9 Release
| Method | Endpoint | Description |
|---|---|---|
|
|
/rest/api/1.0/schedule | Schedule API scan |
|
|
/rest/webapp/4.0/schedule | Schedule web application scan |
|
|
/rest/authRecord/4.0/download/ selenium/{authRecordId} |
Download authentication record (Selenium) |
|
|
/rest/schedule/report/1.0 | Create scheduled report |
|
|
/rest/schedule/report/1.0/{id} | Get scheduled report |
|
|
/rest/schedule/report/1.0/{id} | Update scheduled report |
|
|
/rest/schedule/report/1.0/{id} | Delete scheduled report |
|
|
/rest/schedule/report/1.0/search | Search scheduled reports |
|
|
/rest/schedule/report/1.0/count | Count scheduled reports |
|
|
/rest/schedule/report/1.0/launch/now/{id} | Launch scheduled report now |
|
|
/rest/schedule/report/1.0/activate | Activate scheduled report |
|
|
/rest/schedule/report/1.0/deActivate | Deactivate scheduled report |
|
|
/rest/schedule/report/1.0/delete | Delete scheduled report (bulk) |
|
|
/rest/misc/1.0/entityList/webapp | Get web application entity list |
|
|
/rest/misc/1.0/entityList/api | Get API entity list |
|
|
/rest/misc/1.0/entityList/optionProfile | Get option profile entity list |
|
|
/rest/misc/1.0/entityList/authRecord | Get authentication record entity list |
New API Reference
The following APIs are available for different operations in TotalAppSec and Web Application Scanning.
Web Application
The following endpoints enable you to create, update, manage, and search web application assets within TotalAppSec.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/webapp/4.0 | Create a web application |
|
|
/rest/webapp/4.0/{id} | Get a web application |
|
|
/rest/webapp/4.0/{id} | Update a web application |
|
|
/rest/webapp/4.0/{id} | Delete a web application |
|
|
/rest/webapp/4.0/search | Search web applications |
|
|
/rest/webapp/4.0/count | Count web applications |
|
|
/rest/webapp/4.0/purge | Purge a web application |
|
|
/rest/webapp/4.0/download/selenium/ {webAppId}/{seleniumScriptId} |
Download a Selenium script |
|
|
/rest/webapp/4.0/tag/add | Add a tag to a web application |
|
|
/rest/webapp/4.0/tag/remove | Remove a tag from a web application |
|
|
/rest/webapp/4.0/delete | Delete web applications using a filter |
API
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/api/1.0 | Create Api |
|
|
/rest/api/1.0/{id} | Get Api |
|
|
/rest/api/1.0/{id} | Update Api |
|
|
/rest/api/1.0/{id} | Delete Api |
|
|
/rest/api/1.0/search | Search Api |
|
|
/rest/api/1.0/count | Count Api |
|
|
/rest/api/1.0/purge | Purge API |
|
|
/rest/api/1.0/tag/add | Add Tag to Api |
|
|
/rest/api/1.0/tag/remove | Remove Tag from Api |
|
|
/rest/api/1.0/delete | Delete API using Filter |
Scans
The following endpoints enable you to launch, monitor, manage, and search application scans.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/scan/4.0/launch | Launch a scan |
|
|
/rest/scan/4.0/status/{id} | Get the status of a scan |
|
|
/rest/scan/4.0/result/{id} | Get the scan result report |
|
|
/rest/scan/4.0/{id} | Get a scan |
|
|
/rest/scan/4.0/{id} | Delete a scan |
|
|
/rest/scan/4.0/cancel | Cancel a scan |
|
|
/rest/scan/4.0/relaunch | Relaunch a scan |
|
|
/rest/scan/4.0/search | Search scans |
|
|
/rest/scan/4.0/count | Count scans |
|
|
/rest/scan/4.0/delete | Delete scans using a filter |
Findings
The following endpoints enable you to retrieve, search, and manage findings, including performing actions such as retesting, updating severity, and adding comments.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/finding/4.0/{uuid} | Get a finding |
|
|
/rest/finding/4.0/search | Search findings |
|
|
/rest/finding/4.0/count | Count findings |
|
|
/rest/finding/4.0/history/{uuid} | Get the history of a finding |
|
|
/rest/finding/4.0/purge | Purge a finding |
|
|
/rest/finding/4.0/retest | Retest a finding |
|
|
/rest/finding/4.0/cancel/retest | Cancel a retest |
|
|
/rest/finding/4.0/ignore | Ignore a finding |
|
|
/rest/finding/4.0/activate | Activate a finding |
|
|
/rest/finding/4.0/severity/edit | Edit the severity of a finding |
|
|
/rest/finding/4.0/severity/restore | Restore the severity of a finding |
|
|
/rest/finding/4.0/comment | Add a comment to a finding |
Reports
The following endpoints enable you to create, manage, search, and download scan reports and report templates.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/report/4.0 | Create a report |
|
|
/rest/report/4.0/{id} | Get a report |
|
|
/rest/report/4.0/{id} | Delete a report |
|
|
/rest/report/4.0/search | Search reports |
|
|
/rest/report/4.0/count | Count reports |
|
|
/rest/report/4.0/status/{id} | Get the status of a report |
|
|
/rest/report/4.0/download/{id} | Download a report |
|
|
/rest/report/4.0/tag/add | Add a tag to a report |
|
|
/rest/report/4.0/tag/remove | Remove a tag from a report |
|
|
/rest/report/4.0/delete | Delete reports using a filter |
|
|
/rest/report/template/4.0 | Create a report template |
|
|
/rest/report/template/4.0/{id} | Get a report template |
|
|
/rest/report/template/4.0/{id} | Update a report template |
|
|
/rest/report/template/4.0/{id} | Delete a report template |
|
|
/rest/report/template/4.0/search | Search report templates |
|
|
/rest/report/template/4.0/count | Count report templates |
|
|
/rest/report/template/4.0/tag/add | Add a tag to a report template |
|
|
/rest/report/template/4.0/tag/remove | Remove a tag from a report template |
|
|
/rest/report/template/4.0/delete | Delete report templates using a filter |
Configuration - Option Profile
The following endpoints enable you to create, update, manage, and search option profiles that define scan configuration settings.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/optionProfile/4.0 | Create an option profile |
|
|
/rest/optionProfile/4.0/{id} | Get an option profile |
|
|
/rest/optionProfile/4.0/{id} | Update an option profile |
|
|
/rest/optionProfile/4.0/{id} | Delete an option profile |
|
|
/rest/optionProfile/4.0/search | Search option profiles |
|
|
/rest/optionProfile/4.0/count | Count option profiles |
|
|
/rest/optionProfile/4.0/tag/add | Add a tag to an option profile |
|
|
/rest/optionProfile/4.0/tag/remove | Remove a tag from an option profile |
|
|
/rest/optionProfile/4.0/delete | Delete option profiles using a filter |
Configuration - DNS Override
The following endpoints enable you to create, update, manage, and search DNS override configurations used during application scanning.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/dnsOverride/4.0 | Create a DNS override |
|
|
/rest/dnsOverride/4.0/{id} | Get a DNS override |
|
|
/rest/dnsOverride/4.0/{id} | Update a DNS override |
|
|
/rest/dnsOverride/4.0/{id} | Delete a DNS override |
|
|
/rest/dnsOverride/4.0/search | Search DNS overrides |
|
|
/rest/dnsOverride/4.0/count | Count DNS overrides |
|
|
/rest/dnsOverride/4.0/tag/add | Add a tag to a DNS override |
|
|
/rest/dnsOverride/4.0/tag/remove | Remove a tag from a DNS override |
|
|
/rest/dnsOverride/4.0/delete | Delete DNS overrides using a filter |
Configuration - Proxy
The following endpoints enable you to manage proxy configurations used during application scanning, including creating, updating, retrieving, and deleting proxy settings.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/proxy/1.0 | Create Proxy |
|
|
/rest/proxy/1.0/{id} | Get Proxy |
|
|
/rest/proxy/1.0/{id} | Update Proxy |
|
|
/rest/proxy/1.0/{id} | Delete Proxy |
|
|
/rest/proxy/1.0/search | Search Proxy |
|
|
/rest/proxy/1.0/count | Count Proxy |
|
|
/rest/proxy/1.0/tag/add | Add Tag to Proxy |
|
|
/rest/proxy/1.0/tag/remove | Remove Tag from Proxy |
|
|
/rest/proxy/1.0/delete | Delete Proxy using Filter |
Configuration - Bruteforce List
The following endpoints allow you to manage bruteforce lists, which define username and password combinations used to test authentication mechanisms during scans.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/bruteforceList/1.0 | Create Bruteforce List |
|
|
/rest/bruteforceList/1.0/{id} | Get Bruteforce List |
|
|
/rest/bruteforceList/1.0/{id} | Update Bruteforce List |
|
|
/rest/bruteforceList/1.0/{id} | Delete Bruteforce List |
|
|
/rest/bruteforceList/1.0/search | Search Bruteforce List |
|
|
/rest/bruteforceList/1.0/count | Count Bruteforce List |
|
|
/rest/bruteforceList/1.0/tag/add | Add Tag to Bruteforce List |
|
|
/rest/bruteforceList/1.0/tag/remove | Remove Tag from Bruteforce List |
|
|
/rest/bruteforceList/1.0/delete | Delete Bruteforce List using Filter |
Configuration - Parameter Set
The following endpoints allow you to create and manage parameter sets used to define input parameters and behavior for scanning and testing operations.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/paramset/1.0 | Create Parameter Set |
|
|
/rest/paramset/1.0/{id} | Get Parameter Set |
|
|
/rest/paramset/1.0/{id} | Update Parameter Set |
|
|
/rest/paramset/1.0/{id} | Delete Parameter Set |
|
|
/rest/paramset/1.0/search | Search Parameter Set |
|
|
/rest/paramset/1.0/count | Count Parameter Set |
|
|
/rest/paramset/1.0/tag/add | Add Tag to Parameter Set |
|
|
/rest/paramset/1.0/tag/remove | Remove Tag from Parameter Set |
|
|
/rest/paramset/1.0/delete | Delete Parameter Sets using Filter |
Configuration - Search List
The following endpoints enable management of search lists that define inclusion and exclusion rules for crawling and scanning web applications.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/searchlist/1.0 | Create Search List |
|
|
/rest/searchlist/1.0/{id} | Get Search List |
|
|
/rest/searchlist/1.0/{id} | Update Search List |
|
|
/rest/searchlist/1.0/{id} | Delete Search List |
|
|
/rest/searchlist/1.0/search | Search Search List |
|
|
/rest/searchlist/1.0/count | Count Search List |
|
|
/rest/searchlist/1.0/tag/add | Add Tag to Search List |
|
|
/rest/searchlist/1.0/tag/remove | Remove Tag from Search List |
|
|
/rest/searchlist/1.0/delete | Delete Search List using Filter |
Configuration - Global Settings
The following endpoints provide access to global settings that control default behaviors and system-wide configuration for TotalAppSec.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/globalSetting/1.0 | Get Global Setting |
|
|
/rest/globalSetting/1.0 | Update Global Setting |
Burp
The following endpoints enable you to import, search, manage, and download Burp scan reports within TotalAppSec.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/burp/4.0/import | Import Burp report |
|
|
/rest/burp/4.0/search | Search Burp reports |
|
|
/rest/burp/4.0/count | Count Burp reports |
|
|
/rest/burp/4.0/{id} | Delete a Burp report |
|
|
/rest/burp/4.0/tag/add | Add a tag to a Burp report |
|
|
/rest/burp/4.0/tag/remove | Remove a tag from a Burp report |
|
|
/rest/burp/4.0/download/{id} | Download a Burp report |
|
|
/rest/burp/4.0/delete | Delete Burp reports using a filter |
Bugcrowd
The following endpoints enable you to import, search, manage, and download Bugcrowd reports within TotalAppSec.
| Method | Endpoint | Description and Reference |
|---|---|---|
|
|
/rest/bugcrowd/4.0/import | Import Bugcrowd report |
|
|
/rest/bugcrowd/4.0/search | Search Bugcrowd reports |
|
|
/rest/bugcrowd/4.0/count | Count Bugcrowd reports |
|
|
/rest/bugcrowd/4.0/{id} | Delete a Bugcrowd report |
|
|
/rest/bugcrowd/4.0/tag/add | Add a tag to a Bugcrowd report |
|
|
/rest/bugcrowd/4.0/tag/remove | Remove a tag from a Bugcrowd report |
|
|
/rest/bugcrowd/4.0/download/{id} | Download a Bugcrowd report |
|
|
/rest/bugcrowd/4.0/delete | Delete Bugcrowd reports using a filter |