Launch and manage vulnerability scans, compliance scans and discovery scans (maps).
VM, PC, SCA
Authentication to your Qualys account with valid Qualys credentials is required for making Qualys API requests to the Qualys API servers. Learn more
We recommend you join our Community and subscribe to our API Notifications RSS Feeds for announcements and discussions.
https://community.qualys.com/community/developer/notifications-api
The Qualys API URL you should use for API requests depends on the Qualys platform where your account is located.
Click here to identify your Qualys platform and get the API URL
This documentation uses the API server URL for Qualys US Platform 1 (https://qualysapi.qualys.com) in sample API requests. If you're on another platform, please replace this URL with the appropriate server URL for your account.
Your subscription’s API usage and quota information is exposed in the HTTP response headers generated by Qualys APIs (all APIs except "session" V2 API).
The HTTP status code "OK" (example: "HTTP/1.1 200 OK") is returned in the header for normal (not blocked) API calls. The HTTP status code "Conflict" (example: "HTTP/1.1 409 Conflict") is returned for API calls that were blocked.
|
Header |
Description |
|---|---|
|
X-RateLimit-Limit |
Maximum number of API calls allowed in any given time period of <number-seconds> seconds, where <numberseconds> is the value of X-RateLimit-Window-Sec. |
|
X-RateLimit-Window-Sec |
Time period (in seconds) during which up to <numberlimit> API calls are allowed, where <number-limit> is the value of X-RateLimit-Limit. |
|
X-RateLimit-Remaining |
Number of API calls you can make right now before reaching the rate limit <number-limit> in the last <numberseconds> seconds. |
|
X-RateLimit-ToWait-Sec |
The wait period (in seconds) before you can make the next API call without being blocked by the rate limiting rule. |
|
X-Concurrency-Limit-Limit |
Number of API calls you are allowed to run concurrently. |
|
X-Concurrency-Limit-Running |
Number of API calls that are running right now (including the one identified in the current HTTP response header). |
|
X-Powered-By |
This header is only returned when the X-Powered-By header is enabled for your subscription. It includes a unique ID generated for each subscription and a unique ID generated for each user. Click here to learn more. |
Qualys Cloud Platform enforces limits on the API calls subscription users can make. The limits apply to the use of all APIs, except “session” V2 API (session login/logout).
API controls are applied per subscription based on your subscription’s service level. Default settings are provided and these may be customized per subscription by Qualys Support.
There’s 2 controls defined per subscription:
- Concurrency Limit per Subscription (per API). The maximum number of API calls allowed within the subscription during the configured rate limit period (as per service level).
- Rate Limit per Subscription (per API). The period of time that defines a window when API calls are counted within the subscription for each API. The window starts from the moment each API call is received by the service and extends backwards 1 hour or 1 day. Individual rate and count settings are applied (as per service level).
Click here to learn more about the controls and settings per service level.
How it works - Qualys checks the concurrency limit and rate limit each time an API request is received. In a case where an API call is received and our service determines a limit has been exceeded, the API call is blocked and an error is returned (the concurrency limit error takes precedence).