Policy Audit Release 1.11 API
May 11, 2026
Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. For this API Release Notes, <qualys_base_url> is mentioned in the sample API requests.
We have implemented versioning for APIs. For more information on API versioning, refer to the Updates on API Versioning Standards & Deprecation Timelines blog.
Get Policy List API: View Tag Information for Policy
| New or Updated API | Updated |
| API Endpoint | /pcrs/1.0/posture/policy/list |
| EOS Timeline: November 2026 | |
| EOL Timeline: May 2027 | |
| API Endpoint (New Version) |
/pcrs/2.0/posture/policy/list |
| Method | GET |
With this release, a new input parameter, requireTagInfo, is introduced to display tag information for a policy. When enabled, the response includes the following sections under requireTagInfo:
includeTags- List of included tag objects containing the tag ID and name.excludeTags- List of excluded tag objects containing the tag ID and name.includeTagsScope- Scope for included tags (ALL or ANY)excludeTagsScope- Scope for excluded tags (ALL or ANY)
Input ParametersInput Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| requireTagInfo={1|0} | Optional | Boolean | Specify '1' to retrieve tag information details for a policy, else specify '0'. |
Sample - Display tag information for a specific policy IDSample - Display tag information for a specific policy ID
API Request
curl --location '<gateway_base_url>/pcrs/2.0/posture/policy/list?lastEvaluationDate=2021-09-30T07%3A25%3A58Z&requireTagInfo=1' \
--header 'Authorization: Bearer <Bearer Token>'
JSON Response
{
"subscriptionId": 4427355,
"policyList": [
{
"id": 6367495,
"title": "AssetTagPolicy-1",
"createdBy": "neaxmn",
"createdDate": "2026-04-01T05:55:37Z",
"modifiedBy": "neaxmn",
"modifiedDate": "2026-04-01T06:16:05Z",
"lastEvaluatedDate": "2026-04-01T06:16:19Z",
"tagsetId": "7d5fccf2-dee3-4783-80ac-a2cd5ee493ed",
"status": "active",
"locked": 0,
"includeAgentIp": null,
"tagInfo": {
"includeTags": [
{
"id": 152244404,
"name": "pyscand_1.1.1.1_ag"
},
{
"id": 152245230,
"name": "OCA"
},
{
"id": 154079256,
"name": "CaponeAG"
}
],
"excludeTags": [
{
"id": 153227435,
"name": "StaleDataAssestGroupWindows12andCentos7"
},
{
"id": 156570542,
"name": "dtest"
}
],
"includeTagsScope": "ANY",
"excludeTagsScope": "ALL"
}
}
]
}
Added Active Directory Support to VMware NSX Authentication
| New or Updated API | Updated |
| API Endpoint | /api/2.0/fo/auth/nsx |
| EOS Timeline: November 2026 | |
| EOL Timeline: May 2027 | |
| API Endpoint (New Version) |
/api/3.0/fo/auth/nsx |
| Method | GET, POST |
| DTD or XSD changes | Yes |
You can now use Active Directory (AD) support with HashiCorp Vault when you create, update, list, and delete VMware NSX authentication records, This enables you to securely retrieve AD credentials from Vault.
Input ParametersInput Parameters
| Parameter Name | Required / Optional | Data Type | Description |
| use_ad_hashicorp={0|1} | Required | Boolean | Specify 1 to enable the Active Directory when the HashiCorp Vault is selected. |
Sample - Create VMware NSX authentication record with AD enabledSample - Create VMware NSX authentication record with AD enabled
API Request
curl --location '<qualys_base_url>/api/3.0/fo/auth/nsx/index.php' \
--header 'X-Requested-With: curl demo2' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer<JWT Token>' \
--data-urlencode 'action=create' \
--data-urlencode 'title=API NSX1211' \
--data-urlencode 'username=nsxuser' \
--data-urlencode 'ips=10.xxx.xxx.xxx' \
--data-urlencode 'port=443' \
--data-urlencode 'ssl_verify_with_host=1' \
--data-urlencode 'hosts=aa.aa' \
--data-urlencode 'login_type=vault' \
--data-urlencode 'vault_type=HashiCorp' \
--data-urlencode 'vault_id=4980801' \
--data-urlencode 'secret_kv_name=Test' \
--data-urlencode 'use_ad_hashicorp=1'
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "<qualys_base_url>/api/3.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2026-04-07T06:09:35Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>12426426</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>
Sample - Edit VMware NSX authentication record with AD enabledSample - Edit VMware NSX authentication record with AD enabled
API Request
curl --location '<qualys_base_url>/api/3.0/fo/auth/nsx/index.php' \
--header 'X-Requested-With: curl demo2' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer<JWT Token>' \
--data-urlencode 'action=update' \
--data-urlencode 'login_type=vault' \
--data-urlencode 'vault_type=HashiCorp' \
--data-urlencode 'vault_id=4980801' \
--data-urlencode 'secret_kv_name=Test' \
--data-urlencode 'use_ad_hashicorp=1' \
--data-urlencode 'ids=12427803' \
--data-urlencode 'secret_kv_key=566'
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "<qualys_base_url>/api/3.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2026-04-07T10:15:27Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Updated</TEXT>
<ID_SET>
<ID>12427803</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>
Sample - List VMware NSX authentication record with AD is enabledSample - List VMware NSX authentication record with AD is enabled
API Request
curl --location '<qualys_base_url>/api/3.0/fo/auth/nsx/index.php?action=list&ids=12426322' \
--header 'X-Requested-With: curl demo2' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer<JWT Token>' \
--data-urlencode 'action=list
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE AUTH_NSX_LIST_OUTPUT SYSTEM "<qualys_base_url>/api/3.0/fo/auth/nsx/auth_nsx_list_output.dtd">
<AUTH_NSX_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2026-04-07T06:09:03Z</DATETIME>
<AUTH_NSX_LIST>
<AUTH_NSX>
<ID>12426322</ID>
<TITLE>
<![CDATA[NSX_AD ]]>
</TITLE>
<USERNAME>
<![CDATA[root]]>
</USERNAME>
<IP_SET>
<IP>10.xxx.xxx.xxx</IP>
</IP_SET>
<PORT>
<![CDATA[443]]>
</PORT>
<SSL_VERIFY_WITH_HOST>
<![CDATA[0]]>
</SSL_VERIFY_WITH_HOST>
<LOGIN_TYPE>
<![CDATA[vault]]>
</LOGIN_TYPE>
<DIGITAL_VAULT>
<DIGITAL_VAULT_ID>
<![CDATA[4980801]]>
</DIGITAL_VAULT_ID>
<DIGITAL_VAULT_TYPE>
<![CDATA[HashiCorp]]>
</DIGITAL_VAULT_TYPE>
<DIGITAL_VAULT_TITLE>
<![CDATA[Nutanix_HashiCorp]]>
</DIGITAL_VAULT_TITLE>
<VAULT_SECRET_KV_PATH>
<![CDATA[/tmp]]>
</VAULT_SECRET_KV_PATH>
<VAULT_SECRET_KV_NAME>
<![CDATA[adnsx]]>
</VAULT_SECRET_KV_NAME>
<VAULT_USE_AD_HASHICORP>
<![CDATA[1]]>
</VAULT_USE_AD_HASHICORP>
</DIGITAL_VAULT>
<CREATED>
<DATETIME>2026-04-07T05:25:48Z</DATETIME>
<BY>vmspxtb</BY>
</CREATED>
<LAST_MODIFIED>
<DATETIME>2026-04-07T05:25:48Z</DATETIME>
</LAST_MODIFIED>
</AUTH_NSX>
</AUTH_NSX_LIST>
</RESPONSE>
</AUTH_NSX_LIST_OUTPUT>
Sample - Delete VMware NSX authentication record with AD is enabledSample - Delete VMware NSX authentication record with AD is enabled
API Request
curl --location '<qualys_base_url>/api/3.0/fo/auth/nsx/index.php?action=delete&ids=12426426' \
--header 'X-Requested-With: curl demo2' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer <JWT Token>' \
--data-urlencode 'action=list'
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "<qualys_base_url>/api/3.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2026-04-07T06:29:43Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Deleted</TEXT>
<ID_SET>
<ID>12426426</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>
DTD UpdateDTD Update
A DTD for the Authentication API has been added.
<platform API server>/api/3.0/fo/auth/nsx/auth_nsx_list_output.dtd>
DTD output for the Authentication API is as follows:
DTD Output
<!-- QUALYS AUTH_NSX_LIST_OUTPUT DTD -->
<!ELEMENT AUTH_NSX_LIST_OUTPUT (REQUEST?, RESPONSE)>
<!ELEMENT REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?)>
<!ELEMENT DATETIME (#PCDATA)>
<!ELEMENT USER_LOGIN (#PCDATA)>
<!ELEMENT RESOURCE (#PCDATA)>
<!ELEMENT PARAM_LIST (PARAM+)>
<!ELEMENT PARAM (KEY, VALUE)>
<!ELEMENT KEY (#PCDATA)>
<!ELEMENT VALUE (#PCDATA)>
<!-- if returned, POST_DATA will be urlencoded -->
<!ELEMENT POST_DATA (#PCDATA)>
<!ELEMENT RESPONSE (DATETIME, (AUTH_NSX_LIST|ID_SET)?, WARNING_LIST?, GLOSSARY?)>
<!ELEMENT AUTH_NSX_LIST (AUTH_NSX+)>
<!ELEMENT AUTH_NSX (ID,TITLE,USERNAME?,IP_SET?,TAGS?,PORT?,SSL_VERIFY_WITH_HOST?,HOSTS?,LOGIN_TYPE?,DIGITAL_VAULT?,NETWORK_ID?,CREATED,LAST_MODIFIED,COMMENTS?)>
<!ELEMENT ID (#PCDATA)>
<!ELEMENT TITLE (#PCDATA)>
<!ELEMENT USERNAME (#PCDATA)>
<!ELEMENT IP_SET (IP|IP_RANGE)+>
<!ELEMENT IP (#PCDATA)>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ELEMENT TAGS (TAG_TYPE, TAGS_INCLUDE, TAGS_EXCLUDE?)>
<!ELEMENT TAG_TYPE (#PCDATA)>
<!ELEMENT TAGS_INCLUDE (SELECTOR, TAG+)>
<!ELEMENT SELECTOR (#PCDATA)>
<!ELEMENT TAG (ID, NAME)>
<!ELEMENT NAME (#PCDATA)>
<!ELEMENT TAGS_EXCLUDE (SELECTOR, TAG+)>
<!ELEMENT PORT (#PCDATA)>
<!ELEMENT HOSTS (#PCDATA)>
<!ELEMENT SSL_VERIFY_WITH_HOST (#PCDATA)>
<!ELEMENT LOGIN_TYPE (#PCDATA)>
<!ELEMENT DIGITAL_VAULT (DIGITAL_VAULT_ID, DIGITAL_VAULT_TYPE, DIGITAL_VAULT_TITLE, VAULT_USERNAME?, VAULT_FOLDER?, VAULT_FILE?, VAULT_SECRET_NAME?, VAULT_SYSTEM_NAME?, VAULT_NS_TYPE?, VAULT_NS_NAME?, VAULT_SECRET_KV_PATH?, VAULT_SECRET_KV_NAME?, VAULT_SECRET_KV_KEY?, VAULT_SERVICE_TYPE?, VAULT_USE_AD_HASHICORP?)>
<!ELEMENT DIGITAL_VAULT_ID (#PCDATA)>
<!ELEMENT DIGITAL_VAULT_TYPE (#PCDATA)>
<!ELEMENT DIGITAL_VAULT_TITLE (#PCDATA)>
<!ELEMENT VAULT_USERNAME (#PCDATA)>
<!ELEMENT VAULT_FOLDER (#PCDATA)>
<!ELEMENT VAULT_FILE (#PCDATA)>
<!ELEMENT VAULT_SECRET_NAME (#PCDATA)>
<!ELEMENT VAULT_SYSTEM_NAME (#PCDATA)>
<!ELEMENT VAULT_NS_TYPE (#PCDATA)>
<!ELEMENT VAULT_NS_NAME (#PCDATA)>
<!ELEMENT VAULT_SECRET_KV_PATH (#PCDATA)>
<!ELEMENT VAULT_SECRET_KV_NAME (#PCDATA)>
<!ELEMENT VAULT_SECRET_KV_KEY (#PCDATA)>
<!ELEMENT VAULT_SERVICE_TYPE (#PCDATA)>
<!ELEMENT VAULT_USE_AD_HASHICORP (#PCDATA)>
<!ELEMENT NETWORK_ID (#PCDATA)>
<!ELEMENT CREATED (DATETIME, BY)>
<!ELEMENT BY (#PCDATA)>
<!ELEMENT LAST_MODIFIED (DATETIME)>
<!ELEMENT COMMENTS (#PCDATA)>
<!ELEMENT WARNING_LIST (WARNING+)>
<!ELEMENT WARNING (CODE?, TEXT, URL?, ID_SET?)>
<!ELEMENT CODE (#PCDATA)>
<!ELEMENT TEXT (#PCDATA)>
<!ELEMENT URL (#PCDATA)>
<!ELEMENT ID_SET (ID|ID_RANGE)+>
<!ELEMENT ID_RANGE (#PCDATA)>
<!ELEMENT GLOSSARY (USER_LIST?)>
<!ELEMENT USER_LIST (USER+)>
<!ELEMENT USER (USER_LOGIN, FIRST_NAME, LAST_NAME)>
<!ELEMENT FIRST_NAME (#PCDATA)>
<!ELEMENT LAST_NAME (#PCDATA)>
<!-- EOF -->
Scans API: Support for Google Cloud Platform Instance-Based Scans for IPv4
| New or Updated API | Updated |
| API Endpoint | /api/2.0/fo/scan/cloud/internal/job/ |
| EOS Timeline: November 2026 | |
| EOL Timeline: May 2027 | |
| API Endpoint (New Version) |
/api/3.0/fo/scan/cloud/internal/job/ |
| Method | POST |
| DTD or XSD changes | No |
We have now provided support to Google Cloud Platform instance based scans. You can now create and update internal scans for Assets in GCP Cloud. Earlier, GCP supported only perimeter scans, while AWS EC2 and Azure supported both internal and perimeter scans. With this enhancement , you can now perform internal scans on GCP instances to enable deeper vulnerability visibility and improved security coverage for GCP environments or assets.
Only Manager, Unit Manager, and Scanner role users have permission to launch GCP internal scans.
Input Parameters - Creating and Updating a GCP Cloud Internal ScanInput Parameters - Creating and Updating a GCP Cloud Internal Scan
| Parameter Name | Required / Optional | Data Type | Description |
| action={create|update} | Required | String | Specify create to configure a new internal GCP schedule scan job. Specify update to make changes to an existing scan job. |
| scan_title={value} | Required | String | The scan title to create. |
| connector_name={value} | Required | String | The name of the connector to be used. We check if the specified connector_name exists for your Qualys subscription. If the specified connector name does not exists in your Qualys subscription, then the API request returns an error message - Invalid connector_name provided. One of these parameters must be specified in the request: conector_name or connector_uuid. These are mutually exclusive and cannot be specified in the same request. |
| connector_uuid={value} | Required | Integer | The ID of the connector to be used. We check if the specified connector_uuid exists for your Qualys subscription. If the specified connector name does not exists in your Qualys subscription, then the API request returns an error message - Invalid connector_uuid provided One of these parameters must be specified in the request: conector_name or connector_uuid. These are mutually exclusive and cannot be specified in the same request. |
| active={0|1} | required if the request action is create | Boolean | Specify 1 to create an active schedule. Specify 0 to create an inactive schedule. |
| option_title={value} | Required | String | The title of the option profile to be used.
One of these parameters must be specified in the request: option_title or option_id. These are mutually exclusive and cannot be specified in the same request. |
| option_id={value} | Required | Integer | The ID of the option profile to be used.
One of these parameters must be specified in the request: option_title or option_id. These are mutually exclusive and cannot be specified in the same request. |
| id={value} | Required | Integer | Only applicable for Update requests. The ID of the scan schedule you want to update. |
| module={cm} | Required if the request action is create | String | Currently enabled for Policy Audit. |
| schedule={now|recurring} | Required if the request action is create | String | Specify now to schedule the scan job for now. Specify recurring to schedule the scan job to start at a later time or on a recurring basis. See Scheduling Parameters. |
| cloud_provider={gcp} | Required | String | Supports GCP. |
| cloud_service={compute_engine} | Required | String | Currently providing only the compute engine cloud service. |
| priority={value} | Optional | Integer | Specify a value of 0 - 9 to set a processing priority level for the scan. When not specified, a value of 0 (no priority) is used. Valid values are: 0 = No Priority (the default) 1 = Emergency 2 = Ultimate 3 = Critical 4 = Major 5 = High 6 = Standard 7 = Medium 8 = Minor 9 = Low |
| iscanner_id={value} | Required | Integer | The IDs of the scanner appliances to be used. Multiple entries are comma-separated.
iscanner_id and iscanner_name cannot be specified in the same request. |
| iscanner_name={value} | Required | String | The friendly names of the scanner appliances to be used.
iscanner_id and iscanner_name cannot be specified in the same request. |
| region_code={value} | Optional | String |
The GCP region code. For example, values are: ap-northeast-1, ap-southeast-1, ap-southeast-2, ap-east-1, eu-west-1, eu-north-1, asa-east-1, us-east-1, us-west-1, uswest-2, me-south-1, eu-south-1, and af-south-1 |
| virtual_network_id={value} | Optional | Integer |
Provide the Id of the GCP virtual network. |
| tag_include_selector={all|any} | Optional | String | Select any (the default) to include hosts that match at least one of the selected tags. Select all to include hosts that match all of the selected tags. |
| tag_exclude_selector={all|any} | Optional | String | Select any (the default) to exclude hosts that match at least one of the selected tags. Select all to exclude hosts that match all of the selected tags. |
| tag_set_by={id|name} | Optional | String | Specify id (the default) to select a tag set by providing tag IDs. Specify name to select a tag set by providing tag names. We will check if the tag ids or tag names are valid. |
| tag_set_include={value} | Optional | String | Specify a tag set to include. Hosts that match these tags will be included. You identify the tag set by providing tag name or IDs. Multiple entries are comma-separated. |
| tag_set_exclude={value} | Optional | String | Specify a tag set to exclude. Hosts that match these tags will be excluded. You identify the tag set by providing tag name or IDs. Multiple entries are comma separated. |
| cloud_resource_ids={remove|any VM ID} | Optional | String | Only applicable for Update request. Specific IDs on which scan needs to be launched (IDs are comma separated). Specify remove to delete the existing IDs. Specify any ID to replace the existing IDs. |
Refer to the following Scan Schedule parameters:
Input Parameters - Scan Schedule OccurrenceInput Parameters - Scan Schedule Occurrence
| Parameter Name | Required / Optional | Data Type | Description |
| occurrence=daily | Required | String | Required for a daily scan. |
| frequency_days={value} | Required | Integer | Required for daily scan. The scan will run every N number of days. Value is an integer from 1 to 365. |
| occurrence=weekly | Required | String | Required for a weekly scan. |
| frequency_weeks={value} | Required | Integer | Required for a weekly scan. The scan will run every N number of weeks. Value is an integer from 1 to 52. |
| weekdays={value} | Required | String | Required for a weekly scan. The scan will run on one or more weekdays. Value is one or more days: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday. Multiple days are comma-separated. |
| occurrence=monthly | Required | String | Required for a monthly scan. |
| frequency_months={value} | Required | Integer | Required for monthly scan. The scan will run every N number of months. Value is an integer from 1 to 12. |
| day_of_month={value} | Required | Integer | Required for a monthly scan - Nth day of the month. The scan will run on the Nth day of the month. Value is an integer from 1 to 31. |
| day_of_week={value} | Required | Integer | Required for a monthly scan - day in Nth week. The scan will run on this day of the week. Value is and integer from 0 to 6, where 0 is Sunday and 2 is Tuesday. |
| week_of_month={value} | Required | String | Required for a monthly scan - day in Nth week. The scan will run on this week of the month. Value is one of: first, second, third, fourth, last. |
Input Parameters - Scan Schedule Start TimeInput Parameters - Scan Schedule Start Time
| Parameter Name | Required / Optional | Data Type | Description |
| start_date={mm/dd/yyyy} | Optional | Integer | By default the start date is the date when the schedule is created. You can define another start date in mm/dd/yyyy format. |
| start_hour={hour} | Required | Integer | The hour when a scan will start. The hour is an integer from 0 to 23, where 0 represents 12 AM, 7 represents 7 AM, and 22 represents 10 PM. |
| start_minute={minute} | Required | Integer | The minute when a scan will start. A valid value is an integer from 0 to 59. |
| time_zone_code={value} | Required | String | The time zone code for starting a scan, in upper case. For example, the time zone code for US California is US-CA. Valid codes are returned by the Time Zone Code API (/msp/time_zone_code_list.php). |
| observe_dst={yes|no} | Optional | String | Specify yes to observe Daylight Saving Time (DST). This parameter is valid when the time zone code specified in time_zone_code supports DST. |
| recurrence={value} | Optional | Integer | The number of times the scan will be run before it is deactivated. For example, if you set recurrence=2, the scan schedule will be deactivated after it runs 2 times. By default, no value is set. A valid value is an integer from 1 to 99. |
| end_after={value} | Optional | Integer | End a scan after some number of hours. A valid value is from 0 to 119. |
| end_after_mins={value} | Optional | Integer | Akllows monthly scan - Nth day of the month. The scan will run on the Nth day of the month. Value is an integer from 1 to 31. Must be specified with end_after. For example, to end the scan after 2 hours and 30 minutes, you would specify end_after=2 and end_after_mins=30. When end_after is set to 0, the minimum value for end_after_mins is 15. |
| pause_after_hours={value} | Optional | Integer | Pause a scan after some number of hours if the scan has not finished by then. A valid value is an integer from 0 to 119. |
| pause_after_mins={value} | Optional | Integer | Pause a scan after some number of minutes if the scan has not finished by then. A valid value is an integer from 0-59. Must be specified with pause_after_hours. For example, to pause the scan after 2 hours and 30 minutes, you would specify pause_after_hours=2 and pause_after_mins=30. When pause_after_hours is set to 0, the minimum value for pause_after_mins is 15. |
| resume_in_days={value} | Optional | Integer | Resume a paused scan in some number of days. A valid value is an integer from 0 to 9 or Manually. |
| resume_in_hours={value} | Optional | Integer | Resume a paused scan in some number of hours. A valid value is an integer from 0-23. Must be specified with pause_after_hours and resume_in_days. For example, to resume your scan in 5 hours, specify resume_in_days=0 and resume_in_hours=5. To resume your scan in 1 day and 12 hours, specify resume_in_days=1 and resume_in_hours=12. The value you set for pause will determine the minimum value for resume. For example, if you set the scan to pause after 1 hour then you can set it to resume in 2 or more hours. If you set the scan to pause between 1-2 hours (from 1hr, 1min to 1 hr, 59min) then you can set it to resume in 3 hours or more. |
| set_start_time={0|1} | Required | Integer | (Optional for Update only) Specify set_start_time=1 to update any of the start time parameters. Must be specified with all start time parameters together: start_date, start_hour, start_minute, time_zone_code, observe_dst |
Input Parameters - Scan Schedule NotificationsInput Parameters - Scan Schedule Notifications
| Parameter Name | Required / Optional | Data Type | Description |
| before_notify={0|1} | Optional | Integer | Specify before_notify=1 to send a notification before the scan starts. When not specified during a create request no notification is sent. When not specified during an update request we keep the previous setting. |
| before_notify_unit={value} | Optional | String | Specify the time unit for when to send the before scan notification. Possible values are: days, hours, minutes. This parameter is required when before_notify=1. Not valid when before_notify=0. |
| before_notify_time={value} | Optional | Integer | Indicates the number of days, hours, or minutes before the scan starts the notification will be sent. For days, enter a value of 1-31. For hours, enter a value of 1-24. For minutes, enter a value of 5-120. This parameter is required when before_notify=1. Not valid when before_notify=0. |
| before_notify_message= {value} | Optional | String | Specify a custom message to add to the before scan notification. The notification will always include certain details like the scan title, owner, option profile and start time. Include up to 4000 characters, no HTML tags. For update requests: - When not specified we keep the previous setting. - Specify an empty string to delete the last saved message. This parameter is only valid when before_notify=1 |
| after_notify={0|1} | Optional | Integer | Specify after_notify=1 to send a notification after the scan is finished. When not specified during a create request no notification is sent. When not specified during an update request we keep the previous setting. |
| after_notify_message= {value} | Optional | String | Specify a custom message to add to the after scan notification. When not specified during a create request, no notification message is saved. Include up to 4000 characters, no HTML tags. For update requests: - When not specified we keep the previous setting. - Specify an empty string to delete the last saved message. - If both notifications are disabled (before_notify=0 and after_notify=0) we will delete the after notify message. This parameter is only valid when after_notify=1. |
| recipient_group_ids={value} | Optional | Integer | The notification recipients in the form of one or more valid distribution group IDs. When not specified during a create request, only the task owner will be notified. For update requests: - When not specified we keep the previous setting. - Specify an empty string to delete the list of IDs. - If both notifications are disabled (before_notify=0 and after_notify=0) we will delete the list of IDs. This parameter is only valid when before_notify=1 or after_notify=1 is specified in the same request. |
Sample - Create GCP Internal ScanSample - Create GCP Internal Scan
API Request
curl --location --request POST '<qualys_base_url>/api/3.0/fo/scan/cloud/internal/job/index.php?action=create&scan_title=GCP_Test_API3&connector_name=Rohanpod4qwebxrm3&active=1&option_title=Qualys%20Recommended%20Option%20Profile&module=cm&schedule=now&cloud_provider=gcp&iscanner_name=RM_GCP_SCANNER&cloud_service=compute_engine&virtual_network_id=projects%2Fqlys-devqa-qweb%2FvirtualNetworks%2Fvpc-qlys-devqa-qweb' \
--header 'X-Requested-With: xxxx' \
--header 'User-Agent: Apidog/1.0.0 (https://apidog.com)' \
--header 'Accept: */*' \
--header 'Host: <qualys_base_url>' \
--header 'Connection: keep-alive' \
--header 'Authorization: Bearer <JWT Token>'
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "<qualys_base_url>/api/3.0/simple_return.dtd">
<SIMPLE_RETURN>
<RESPONSE>
<DATETIME>2026-04-10T07:45:30Z</DATETIME>
<TEXT>Scan has been created successfully</TEXT>
<ITEM_LIST>
<ITEM>
<KEY>ID</KEY>
<VALUE>7469466</VALUE>
</ITEM>
</ITEM_LIST>
</RESPONSE>
</SIMPLE_RETURN>
Sample - Update GCP Internal ScanSample - Update GCP Internal Scan
API Request
curl --location --request POST '<qualys_base_url>/api/3.0/fo/scan/cloud/internal/job/index.php?action=update&connector_name=CPSGLOBAL_clvautomationproject&active=1&option_title=Qualys%20Recommended%20Option%20Profile&schedule=now&cloud_provider=gcp&iscanner_name=RM_GCP_SCANNER&cloud_service=compute_engine&cloud_resource_ids=us-central1&virtual_network_id=projects%2Fqlys-devqa-qweb%2FvirtualNetworks%2Fvpc-qlys-devqa-qweb&id=7530283' \
--header 'X-Requested-With: xxxxx' \
--header 'User-Agent: Apidog/1.0.0 (https://apidog.com)' \
--header 'Accept: */*' \
--header 'Host: <qualys_base_url>' \
--header 'Connection: keep-alive' \
--header 'Authorization: Bearer <JWT Token>'
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "<qualys_base_url>/api/3.0/simple_return.dtd">
<SIMPLE_RETURN>
<RESPONSE>
<DATETIME>2026-04-21T10:23:20Z</DATETIME>
<TEXT>Scan has been updated successfully</TEXT>
<ITEM_LIST>
<ITEM>
<KEY>ID</KEY>
<VALUE>7530283</VALUE>
</ITEM>
</ITEM_LIST>
</RESPONSE>
</SIMPLE_RETURN>
Revised EOS and EOL dates for Posture Streaming APIs
With this release, we have revised the End of Support (EOS) and End of Life (EOL) dates for the following APIs:
- Resolve Host IDs API
- Get Posture Info API
The updated timelines provide additional time for you to transition from the legacy APIs to the recommended newer versions of these APIs.
Resolve Host IDs API
The revised EOS and EOL dates for Resolve Host ID APIs are as follows:
| API Endpoint | EOS | EOL |
| /pcrs/5.0/posture/hostids? | Active | Active |
| /pcrs/4.0/posture/hostids? | Active | Active |
| /pcrs/3.0/posture/hostids? | Active | Active |
| /pcrs/2.0/posture/hostids? | Active | Active |
| /pcrs/1.0/posture/hostids? | November 2026 | May 2027 |
Get Posture Info API
The revised EOS and EOL dates for Get Posture Info APIs are as follows:
| API Endpoint | EOS | EOL |
| /pcrs/5.0/posture/postureInfo? | Active | Active |
| /pcrs/4.0/posture/postureInfo? | Active | Active |
| /pcrs/3.0/posture/postureInfo? | Active | Active |
| /pcrs/2.0/posture/postureInfo? | Active | Active |
| /pcrs/1.0/posture/postureInfo? | November 2026 | May 2027 |
Extended EOL Timelines for API Endpoints
With this release, we have extended the End of Life (EOL) dates from June 2026 to December 2026 for the following list of APIs.
The updated timeline provides additional time for you to transition from the legacy APIs to the recommended newer versions.
Extended EOL Timelines for All API EndpointsExtended EOL Timelines for All API Endpoints
| Category | API Name | API Endpoint (Previous Version) | EOL | Recommended API Endpoint (Latest Version)Knowledge Base |
| Knowledge Base | Knowledge Base Vulnerability API |
/api/2.0/fo/knowledge_base/vuln/index.php |
December 2026 | /api/4.0/fo/knowledge_base/vuln/index.php |
| Knowledge Base | Knowledge Base QVS API | /api/2.0/fo/knowledge_base/qvs/index.php | December 2026 | /api/4.0/fo/knowledge_base/qvs/index.php |
| /api/3.0/fo/knowledge_base/qvs/index.php | December 2026 | /api/4.0/fo/knowledge_base/qvs/index.php | ||
| Option Profile | Option Profile API |
/api/2.0/fo/subscription/option_profile/index.php |
December 2026 | /api/6.0/fo/subscription/option_profile/index.php |
| /api/3.0/fo/subscription/option_profile/index.php | December 2026 | /api/6.0/fo/subscription/option_profile/index.php | ||
| /api/4.0/fo/subscription/option_profile/index.php | December 2026 | /api/6.0/fo/subscription/option_profile/index.php | ||
| Option Profile | VM Option Profile API | /api/2.0/fo/subscription/option_profile/vm/index.php | December 2026 | /api/4.0/fo/subscription/option_profile/vm/index.php |
| /api/3.0/fo/subscription/option_profile/vm/index.php | December 2026 | /api/4.0/fo/subscription/option_profile/vm/index.php | ||
| Option Profile | PC Option Profile API | /api/2.0/fo/subscription/option_profile/pc/index.php | December 2026 | /api/5.0/fo/subscription/option_profile/pc/index.php |
| /api/3.0/fo/subscription/option_profile/pc/index.php | December 2026 | /api/5.0/fo/subscription/option_profile/pc/index.php | ||
| /api/4.0/fo/subscription/option_profile/pc/index.php | December 2026 | /api/5.0/fo/subscription/option_profile/pc/index.php | ||
| Report | Report Template Scan API | /api/2.0/fo/report/template/scan/index.php | December 2026 | /api/4.0/fo/report/template/scan/index.php |
| /api/3.0/fo/report/template/scan/index.php | December 2026 | /api/4.0/fo/report/template/scan/index.php | ||
| Report | Report API | /api/2.0/fo/report/index.php | December 2026 | /api/3.0/fo/report/index.php |
| Exception | Compliance Exception | /api/2.0/fo/compliance/exception/index.php | December 2026 | /api/3.0/fo/compliance/exception/index.php |
| Asset | Asset Host API | /api/2.0/fo/asset/host/index.php | December 2026 | /api/5.0/fo/asset/host/index.php |
| /api/3.0/fo/asset/host/index.php | December 2026 | /api/5.0/fo/asset/host/index.php | ||
| /api/4.0/fo/asset/host/index.php | December 2026 | /api/5.0/fo/asset/host/index.php | ||
| Scan | Schedule Scan API | /api/2.0/fo/schedule/scan/index.php | December 2026 | /api/5.0/fo/schedule/scan/index.php |
| /api/3.0/fo/schedule/scan/index.php | December 2026 | /api/5.0/fo/schedule/scan/index.php | ||
| /api/4.0/fo/schedule/scan/index.php | December 2026 | /api/5.0/fo/schedule/scan/index.php | ||
| Scan | Scan API | /api/2.0/fo/scan/index.php | December 2026 | /api/3.0/fo/scan/index.php |
| Scan | Cloud Perimeter Scan API | /api/2.0/fo/scan/cloud/perimeter/job/index.php | December 2026 | /api/4.0/fo/scan/cloud/perimeter/job/index.php |
| /api/3.0/fo/scan/cloud/perimeter/job/index.php | December 2026 | /api/4.0/fo/scan/cloud/perimeter/job/index.php | ||
| Control | Control List | /api/2.0/fo/compliance/control/index.php | December 2026 | /api/4.0/fo/compliance/control/index.php |
| /api/3.0/fo/compliance/control/index.php | December 2026 | /api/4.0/fo/compliance/control/index.php | ||
| Policy | Policy | /api/2.0/fo/compliance/policy/index.php | December 2026 | /api/4.0/fo/compliance/policy/index.php |
| /api/3.0/fo/compliance/policy/index.php | december 2026 | /api/4.0/fo/compliance/policy/index.php | ||
| Authentication | MySQL Authentication | /api/2.0/fo/auth/mysql/index.php | December 2026 | /api/3.0/fo/auth/mysql/index.php |
| Authentication | Sybase Authentication | /api/2.0/fo/auth/sybase/index.php | December 2026 | /api/3.0/fo/auth/sybase/index.php |
| Authentication | Authentication API | /api/2.0/fo/auth/index.php | December 2026 | /api/3.0/fo/auth/index.php |
Issues Addressed
The following reported and notable customer issues are fixed in this release:
| Component/Category | Description |
| PA - PCRS API | When the user retrieved posture data for policies through the Get Posture Info API (pcrs/4.0/posture/postureInfo/), stale assets that were no longer associated with the policy were included in the results. This led to inaccurate reporting and outdated policy associations. Relevant code changes have been made to resolve this issue. |