Authentication to Qualys Account

Authentication to your Qualys account with valid Qualys credentials is required for making Qualys API requests to the Qualys API servers.

Basic Authentication

Using this method, Qualys account credentials are transmitted using the “Basic Authentication Scheme” over HTTPS for each API call. For information, see the “Basic Authentication Scheme” section of RFC #2617:

http://www.faqs.org/rfcs/rfc2617.html

The exact method of implementing authentication will vary according to which programming language is used.

Sample Request

curl -H "X-Requested-With: Curl Sample" -u "acme_ab12:passwd" "https://qualys_base_url/api/2.0/fo/asset/host/?action=list"

The "X-Requested-With" header parameter must be included in all API v2 calls using basic HTTP authentication and session based authentication. Specifying the required “X-Requested-With” parameter helps to protect Qualys API users from cross-site request forgery (CSRF) attacks.

Session Based Authentication

Using this method, the user makes a sequence of API requests. APIs with request URL containing /2.0/ support session based authentication.

Step 1 - Make session login request

Use the Qualys API session resource to make a login request. Upon success, the request returns a session ID in the Set-Cookie HTTP header. The exact method of implementing authentication will vary according to which programming language is used.

Sample Request

curl -H "X-Requested-With: Curl Sample" -D headers -d "action=login&username=acme_ab12&password=passwd" "https://qualys_base_url/api/2.0/fo/session/"

Step 2 - Make resource requests

Use the API resources to make API requests (2.0 must be in request URL), as described in this user guide, and include the session ID in the cookie header for each request. You’ll notice the session cookie (QualysSession) was extracted from the “headers” file contents returned from the session login API call (Step 1 above).

Sample Resource Request

curl -H "X-Requested-With: Curl Sample" -b "QualysSession=71e6cda2a35d2cd404cddaf305ea0208; path=/api; secure" -d "action=list" "https://qualys_base_url/api/2.0/fo/report/"

Step 3 - Make session logout request

Once logged in to Qualys you can make multiple API requests. Use the Qualys API session resource to log out of the current session. Logging out of the session closes the open session and ensures secure, ongoing access to your account. Access may be denied if a user makes too many session login requests without closing sessions properly:

Sample Logout Request

curl -H "X-Requested-With: Curl Sample" -b "QualysSession=10b8eb6d4553b4d1ecb860c2b3c247d4; path=/api; secure" -d "action=logout" "https://qualys_base_url/api/2.0/fo/session/"
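The three steps above combined into one script, as an added example that is not part of the Qualys documentation: it extracts QualysSession from the header dump written in Step 1 and registers the Step 3 logout so that it always runs. The environment variables QUALYS_BASE_URL, QUALYS_USER and QUALYS_PASS and all function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not Qualys code). Assumed environment variables:
#   QUALYS_BASE_URL (e.g. https://qualys_base_url), QUALYS_USER, QUALYS_PASS

XRW="X-Requested-With: Curl Sample"

# Print the QualysSession value found in a header dump written by `curl -D`.
# Returns non-zero if no such Set-Cookie line exists (for example, a failed login).
extract_session_id() {
  tr -d '\r' < "$1" | awk '
    tolower($0) ~ /^set-cookie:/ && $0 ~ /^[^:]*:[ \t]*QualysSession=/ {
      sub(/^[^=]*=/, "")   # drop "Set-Cookie: QualysSession="
      sub(/;.*$/, "")      # drop attributes such as path and secure
      id = $0
    }
    END { if (id == "") exit 1; print id }'
}

# Usage: qualys_session_request <resource> <post-data>
# Runs in a subshell so the EXIT trap (cleanup + logout) is scoped to this call.
qualys_session_request() (
  hdr=$(mktemp) || exit 1          # mktemp creates the file with mode 0600
  trap 'rm -f "$hdr"' EXIT
  # Step 1: login. The password is read from stdin, keeping it off curl's argv.
  printf '%s' "$QUALYS_PASS" | curl -sS -o /dev/null -D "$hdr" -H "$XRW" \
    -d "action=login" --data-urlencode "username=$QUALYS_USER" \
    --data-urlencode "password@-" "$QUALYS_BASE_URL/api/2.0/fo/session/" || exit 1
  sid=$(extract_session_id "$hdr") || { echo "login failed: no QualysSession cookie" >&2; exit 1; }
  # Step 3 is registered before Step 2 so the session is closed on every exit path.
  trap 'rm -f "$hdr"; curl -sS -o /dev/null -H "$XRW" -b "QualysSession=$sid" \
    -d "action=logout" "$QUALYS_BASE_URL/api/2.0/fo/session/"' EXIT
  # Step 2: resource request. Only name=value is sent back, not cookie attributes.
  curl -sS -H "$XRW" -b "QualysSession=$sid" -d "$2" "$QUALYS_BASE_URL/api/2.0/fo/$1/"
)

# Constructed header dump (not captured from a real server) for an offline check.
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n'
  printf 'Set-Cookie: QualysSession=0123456789abcdef0123456789abcdef; path=/api; secure\r\n\r\n'
}
```

After sourcing the file, `qualys_session_request report "action=list"` performs the same sequence as the three sample requests above.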

Session Request URL

| URL component | Description |
| --- | --- |
| qualysapi.qualys.com:443 | FQDN of the Qualys API server and optional port (443 if specified). |
| api | Qualys Application component name. |
| 2.0 | Qualys API version number. |
| fo | Qualys interface component name. |
| {API resource} | Qualys API resource name as provided in Qualys API documentation. In the sample session login URL above, the resource “session” is specified. For a reporting request, the resource “report” is used; for a scan request, “scan” is used. Multiple resources are supported. |
| action={value} | Qualys API resource-specific action. In the sample session login URL above, the action is “login”. |