TotalAppSec Release 2.9 | Web Application Scanning Release 1.29 API

July 05, 2026

Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. For these API Release Notes, <qualys_base_url> is mentioned in the sample API requests.

External Identity Provider Authentication Support for WAS V4 APIs

We are introducing support for External Identity Provider (IdP) authentication for WAS V4 Public APIs (/qps/rest/webapp/4.0 and related endpoints). You can now authenticate WAS API requests using Bearer JWT tokens issued by third-party OIDC-compliant identity providers such as Microsoft Azure AD and Okta.

This enhancement enables a unified authentication experience across Qualys modules, eliminating the need for separate credential management for WAS APIs.

Previously, WAS APIs accepted only Qualys Basic Authentication and Qualys-native OIDC (Qualys as IdP). External IdP tokens were rejected with Error U0003 (Unauthorized), even when the same tokens worked with other Qualys modules such as VMDR.

WAS APIs now validate External IdP tokens through Qualys Authentication Services (QAS), resolving this inconsistency across modules.

Supported Authentication Methods

The following table summarizes the authentication methods supported across V3 and V4 APIs:

Authentication Method Token Level Endpoint Used V3 APIs  V4 APIs 
Qualys Basic Authentication N/A N/A Supported Supported
External IdP OIDC (Azure Active Directory (AD), Okta) User-level  Customer IdP token URL Supported  Supported 
Qualys Managed OIDC User-level POST/auth/oidc Supported Supported 
Qualys Managed OAuth Subscription-level POST/auth/oauth Not supported Not supported

WAS and TAS APIs require user-level context for permission enforcement and audit logging. Therefore, subscription-level OAuth tokens (/auth/oauth) are not supported for any WAS and TAS API endpoint. This applies to both methods -  External IdP OIDC and Qualys Managed OIDC. 

External IdP must be configured in Qualys Authentication Services (QAS) before using this feature. For setup details, refer to the Qualys Token-based Authentication Technical Brief.

New V4 APIs for TotalAppSec and Web Application Scanning

Over the past several releases, we have continued to enhance the TotalAppSec API framework to provide broader functionality, improved consistency, and expanded integration capabilities. 

This update brings together these existing capabilities into a unified and clearly documented API set, making it easier for users to discover, understand, and adopt them. The APIs included here reflect ongoing improvements across key areas such as application management, scan operations, findings workflow, reporting, configuration, and third‑party integrations.

Why Upgrade to the V4 API

The V4 API delivers the following benefits to help you build better integrations:

  • Stronger, Simpler Security – JWT Bearer token authentication with Azure AD/Okta support (starting TotalAppSec 2.9 | Web Application Scanning 1.29) removes the need to pass credentials with every request, offering a more secure and easily revocable access model.
  • Faster at Any Scale – On-demand field selection cuts response sizes by 60–70%, while cursor-based pagination keeps performance consistent even with large datasets.
  • Faster, More Reliable Search – A unified Qualys Query Language (QQL) delivers consistent, high-performance search across all endpoints.
  • Simpler Integration – A fully RESTful, JSON-only design with consistent patterns, sub-resource endpoints, and partial updates reduces complexity and shortens the learning curve.
  • Uninterrupted Service – Independent scaling and isolated failure handling keep integrations running smoothly without impacting portal performance.

For TotalAppSec V4 API documentation, refer to TotalAppSec APIs

New APIs in TAS 2.9 Release

Method Endpoint Description
POST /rest/api/1.0/schedule Schedule API scan
POST /rest/webapp/4.0/schedule Schedule web application scan
GET /rest/authRecord/4.0/download/
selenium/{authRecordId}
Download authentication record (Selenium)
POST /rest/schedule/report/1.0 Create scheduled report
GET /rest/schedule/report/1.0/{id} Get scheduled report
PUT /rest/schedule/report/1.0/{id} Update scheduled report
DELETE /rest/schedule/report/1.0/{id} Delete scheduled report
POST /rest/schedule/report/1.0/search Search scheduled reports
POST /rest/schedule/report/1.0/count Count scheduled reports
POST /rest/schedule/report/1.0/launch/now/{id} Launch scheduled report now
POST /rest/schedule/report/1.0/activate Activate scheduled report
POST /rest/schedule/report/1.0/deActivate Deactivate scheduled report
POST /rest/schedule/report/1.0/delete Delete scheduled report (bulk)
GET /rest/misc/1.0/entityList/webapp Get web application entity list
GET /rest/misc/1.0/entityList/api Get API entity list
GET /rest/misc/1.0/entityList/optionProfile Get option profile entity list
GET /rest/misc/1.0/entityList/authRecord Get authentication record entity list

New API Reference  

The following APIs are available for different operations in TotalAppSec and Web Application Scanning.

Web Application

The following endpoints enable you to create, update, manage, and search web application assets within TotalAppSec.

Method Endpoint Description and Reference
POST /rest/webapp/4.0 Create a web application
GET /rest/webapp/4.0/{id} Get a web application
PUT /rest/webapp/4.0/{id} Update a web application
DELETE /rest/webapp/4.0/{id} Delete a web application
POST /rest/webapp/4.0/search Search web applications
POST /rest/webapp/4.0/count Count web applications
POST /rest/webapp/4.0/purge Purge a web application
GET /rest/webapp/4.0/download/selenium/
{webAppId}/{seleniumScriptId}
Download a Selenium script
POST /rest/webapp/4.0/tag/add Add a tag to a web application
POST /rest/webapp/4.0/tag/remove Remove a tag from a web application
POST /rest/webapp/4.0/delete Delete web applications using a filter

API

Method Endpoint Description and Reference
POST /rest/api/1.0 Create Api
GET /rest/api/1.0/{id} Get Api
PUT /rest/api/1.0/{id} Update Api
DELETE /rest/api/1.0/{id} Delete Api
POST /rest/api/1.0/search Search Api
POST /rest/api/1.0/count Count Api
POST /rest/api/1.0/purge Purge API
POST /rest/api/1.0/tag/add Add Tag to Api
POST /rest/api/1.0/tag/remove Remove Tag from Api
POST /rest/api/1.0/delete Delete API using Filter

Scans

The following endpoints enable you to launch, monitor, manage, and search application scans.

Method Endpoint Description and Reference
POST /rest/scan/4.0/launch Launch a scan
GET /rest/scan/4.0/status/{id} Get the status of a scan
GET /rest/scan/4.0/result/{id} Get the scan result report
GET /rest/scan/4.0/{id} Get a scan
DELETE /rest/scan/4.0/{id} Delete a scan
POST /rest/scan/4.0/cancel Cancel a scan
POST /rest/scan/4.0/relaunch Relaunch a scan
POST /rest/scan/4.0/search Search scans
POST /rest/scan/4.0/count Count scans
POST /rest/scan/4.0/delete Delete scans using a filter

Findings

The following endpoints enable you to retrieve, search, and manage findings, including performing actions such as retesting, updating severity, and adding comments.

Method Endpoint Description and Reference
GET /rest/finding/4.0/{uuid} Get a finding
POST /rest/finding/4.0/search Search findings
POST /rest/finding/4.0/count Count findings
POST /rest/finding/4.0/history/{uuid} Get the history of a finding
POST /rest/finding/4.0/purge Purge a finding
POST /rest/finding/4.0/retest Retest a finding
POST /rest/finding/4.0/cancel/retest Cancel a retest
POST /rest/finding/4.0/ignore Ignore a finding
POST /rest/finding/4.0/activate Activate a finding
POST /rest/finding/4.0/severity/edit Edit the severity of a finding
POST /rest/finding/4.0/severity/restore Restore the severity of a finding
POST /rest/finding/4.0/comment Add a comment to a finding

Reports

The following endpoints enable you to create, manage, search, and download scan reports and report templates.

Method Endpoint Description and Reference
POST /rest/report/4.0 Create a report
GET /rest/report/4.0/{id} Get a report
DELETE /rest/report/4.0/{id} Delete a report
POST /rest/report/4.0/search Search reports
POST /rest/report/4.0/count Count reports
GET /rest/report/4.0/status/{id} Get the status of a report
GET /rest/report/4.0/download/{id} Download a report
POST /rest/report/4.0/tag/add Add a tag to a report
POST /rest/report/4.0/tag/remove Remove a tag from a report
POST /rest/report/4.0/delete Delete reports using a filter
POST /rest/report/template/4.0 Create a report template
GET /rest/report/template/4.0/{id} Get a report template
PUT /rest/report/template/4.0/{id} Update a report template
DELETE /rest/report/template/4.0/{id} Delete a report template
POST /rest/report/template/4.0/search Search report templates
POST /rest/report/template/4.0/count Count report templates
POST /rest/report/template/4.0/tag/add Add a tag to a report template
POST /rest/report/template/4.0/tag/remove Remove a tag from a report template
POST /rest/report/template/4.0/delete Delete report templates using a filter

Configuration - Option Profile

The following endpoints enable you to create, update, manage, and search option profiles that define scan configuration settings.

Method Endpoint Description and Reference
POST /rest/optionProfile/4.0 Create an option profile
GET /rest/optionProfile/4.0/{id} Get an option profile
PUT /rest/optionProfile/4.0/{id} Update an option profile
DELETE /rest/optionProfile/4.0/{id} Delete an option profile
POST /rest/optionProfile/4.0/search Search option profiles
POST /rest/optionProfile/4.0/count Count option profiles
POST /rest/optionProfile/4.0/tag/add Add a tag to an option profile
POST /rest/optionProfile/4.0/tag/remove Remove a tag from an option profile
POST /rest/optionProfile/4.0/delete Delete option profiles using a filter

Configuration - DNS Override

The following endpoints enable you to create, update, manage, and search DNS override configurations used during application scanning.

Method Endpoint Description and Reference
POST /rest/dnsOverride/4.0 Create a DNS override
GET /rest/dnsOverride/4.0/{id} Get a DNS override
PUT /rest/dnsOverride/4.0/{id} Update a DNS override
DELETE /rest/dnsOverride/4.0/{id} Delete a DNS override
POST /rest/dnsOverride/4.0/search Search DNS overrides
POST /rest/dnsOverride/4.0/count Count DNS overrides
POST /rest/dnsOverride/4.0/tag/add Add a tag to a DNS override
POST /rest/dnsOverride/4.0/tag/remove Remove a tag from a DNS override
POST /rest/dnsOverride/4.0/delete Delete DNS overrides using a filter

Configuration - Proxy

The following endpoints enable you to manage proxy configurations used during application scanning, including creating, updating, retrieving, and deleting proxy settings.

Method Endpoint Description and Reference
POST /rest/proxy/1.0 Create Proxy
GET /rest/proxy/1.0/{id} Get Proxy
PUT /rest/proxy/1.0/{id} Update Proxy
DELETE /rest/proxy/1.0/{id} Delete Proxy
POST /rest/proxy/1.0/search Search Proxy
POST /rest/proxy/1.0/count Count Proxy
POST /rest/proxy/1.0/tag/add Add Tag to Proxy
POST /rest/proxy/1.0/tag/remove Remove Tag from Proxy
POST /rest/proxy/1.0/delete Delete Proxy using Filter

Configuration - Bruteforce List

The following endpoints allow you to manage bruteforce lists, which define username and password combinations used to test authentication mechanisms during scans.

Method Endpoint Description and Reference
POST /rest/bruteforceList/1.0 Create Bruteforce List
GET /rest/bruteforceList/1.0/{id} Get Bruteforce List
PUT /rest/bruteforceList/1.0/{id} Update Bruteforce List
DELETE /rest/bruteforceList/1.0/{id} Delete Bruteforce List
POST /rest/bruteforceList/1.0/search Search Bruteforce List
POST /rest/bruteforceList/1.0/count Count Bruteforce List
POST /rest/bruteforceList/1.0/tag/add Add Tag to Bruteforce List
POST /rest/bruteforceList/1.0/tag/remove Remove Tag from Bruteforce List
POST /rest/bruteforceList/1.0/delete Delete Bruteforce List using Filter

Configuration - Parameter Set

The following endpoints allow you to create and manage parameter sets used to define input parameters and behavior for scanning and testing operations.

Method Endpoint Description and Reference
POST /rest/paramset/1.0 Create Parameter Set
GET /rest/paramset/1.0/{id} Get Parameter Set
PUT /rest/paramset/1.0/{id} Update Parameter Set
DELETE /rest/paramset/1.0/{id} Delete Parameter Set
POST /rest/paramset/1.0/search Search Parameter Set
POST /rest/paramset/1.0/count Count Parameter Set
POST /rest/paramset/1.0/tag/add Add Tag to Parameter Set
POST /rest/paramset/1.0/tag/remove Remove Tag from Parameter Set
POST /rest/paramset/1.0/delete Delete Parameter Sets using Filter

Configuration - Search List

The following endpoints enable management of search lists that define inclusion and exclusion rules for crawling and scanning web applications. 

Method Endpoint Description and Reference
POST /rest/searchlist/1.0 Create Search List
GET /rest/searchlist/1.0/{id} Get Search List
PUT /rest/searchlist/1.0/{id} Update Search List
DELETE /rest/searchlist/1.0/{id} Delete Search List
POST /rest/searchlist/1.0/search Search Search List
POST /rest/searchlist/1.0/count Count Search List
POST /rest/searchlist/1.0/tag/add Add Tag to Search List
POST /rest/searchlist/1.0/tag/remove Remove Tag from Search List
POST /rest/searchlist/1.0/delete Delete Search List using Filter

Configuration - Global Settings

The following endpoints provide access to global settings that control default behaviors and system-wide configuration for TotalAppSec.

Method Endpoint Description and Reference
GET /rest/globalSetting/1.0 Get Global Setting
PUT /rest/globalSetting/1.0 Update Global Setting

Burp

The following endpoints enable you to import, search, manage, and download Burp scan reports within TotalAppSec.

Method Endpoint Description and Reference
POST /rest/burp/4.0/import Import Burp report
POST /rest/burp/4.0/search Search Burp reports
POST /rest/burp/4.0/count Count Burp reports
DELETE /rest/burp/4.0/{id} Delete a Burp report
POST /rest/burp/4.0/tag/add Add a tag to a Burp report
POST /rest/burp/4.0/tag/remove Remove a tag from a Burp report
GET /rest/burp/4.0/download/{id} Download a Burp report
POST /rest/burp/4.0/delete Delete Burp reports using a filter

Bugcrowd

The following endpoints enable you to import, search, manage, and download Bugcrowd reports within TotalAppSec.

Method Endpoint Description and Reference
POST /rest/bugcrowd/4.0/import Import Bugcrowd report
POST /rest/bugcrowd/4.0/search Search Bugcrowd reports
POST /rest/bugcrowd/4.0/count Count Bugcrowd reports
DELETE /rest/bugcrowd/4.0/{id} Delete a Bugcrowd report
POST /rest/bugcrowd/4.0/tag/add Add a tag to a Bugcrowd report
POST /rest/bugcrowd/4.0/tag/remove Remove a tag from a Bugcrowd report
GET /rest/bugcrowd/4.0/download/{id} Download a Bugcrowd report
POST /rest/bugcrowd/4.0/delete Delete Bugcrowd reports using a filter