The Qualys API enforces limits on the API calls a customer can make based on their subscription settings. The limits apply to the use of all Qualys APIs except the “auth” API (JWT Token Generation API). Default API control settings are provided by the service. Note that these settings may be customized per subscription by Qualys Support.
The rate count and period are calculated dynamically each time an API call is received. The rate period represents a rolling window during which API calls are counted.
When an API call is received, Qualys checks the rate limit defined for the API endpoint. If the rate limit has been exceeded, the API call is blocked and an error is returned.
For each API we’ve defined the following settings:
X-RateLimit-Remaining: This indicates the total API calls remaining in the current rate limit window.
X-RateLimit-ToWait-Sec: This indicates the wait time until the rate limit is reset. The customer needs to wait for that time before executing the next API calls.
X-RateLimit-Window-Sec: This value indicates the total time window assigned for the APIs to be executed.
X-RateLimit-Limit: This indicates the maximum number of API calls that can be executed in that particular rate limit window.
Sample request
curl -i -X GET '<qualys_base_url>/sem/v1/assetList?action=list&truncation_limit=1&includeFields=operatingSystem,hardware' -H 'Authorization: Bearer <ACTUAL_TOKEN>'
Providing "-i" in the curl request, as shown in the example, returns the response headers, which include the rate-limit-related parameters.
After executing a curl request, check the following parameters in the response headers to determine the rate-limit status:
X-ConcurrencyLimit-Limit: 2
X-RateLimit-Limit: 300
X-RateLimit-Window-Sec: 3600
Example: A subscription for Standard API Service has the default API control settings. Consider that the API rate limit set for a customer is 300 API calls for a time window of 3600 seconds. If 300 API calls are received in a 5-minute period and none are blocked by any API limiting rules, then you need to wait 55 minutes before making the next call to the API. During the wait period, API calls will be blocked by the rate limiting rule.
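The following is an added example, not Qualys code: a client-side sketch that reads the rate-limit headers from `curl -i` output and models the rolling window so a script can pause instead of sending calls that would be blocked. The sample response, its Remaining and ToWait values, and the names `parse_rate_headers`, `seconds_to_wait` and `RollingWindow` are assumptions made for illustration.

```python
from collections import deque

# Constructed sample of `curl -i` output; header values are illustrative only.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-RateLimit-Limit: 300\r\n"
    "X-RateLimit-Window-Sec: 3600\r\n"
    "X-RateLimit-Remaining: 0\r\n"
    "X-RateLimit-ToWait-Sec: 3300\r\n"
    "X-ConcurrencyLimit-Limit: 2\r\n"
    "\r\n"
    "<body/>"
)

def parse_rate_headers(raw):
    """Return numeric X-RateLimit-* / X-ConcurrencyLimit-* headers, keyed by lowercased name."""
    out = {}
    for line in raw.splitlines()[1:]:          # skip the HTTP status line
        if not line.strip():
            break                              # a blank line ends the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name.startswith(("x-ratelimit-", "x-concurrencylimit-")) and value.isdigit():
            out[name] = int(value)
    return out

def seconds_to_wait(headers):
    """0 while calls remain in the window, otherwise the wait the server reports."""
    if headers.get("x-ratelimit-remaining", 1) > 0:
        return 0
    # Assumption: if ToWait is absent, fall back to the full window (conservative).
    return headers.get("x-ratelimit-towait-sec", headers.get("x-ratelimit-window-sec", 0))

class RollingWindow:
    """Client-side model (an assumption): at most `limit` calls in any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window, self.calls = limit, window, deque()

    def wait_before_call(self, now):
        while self.calls and self.calls[0] <= now - self.window:
            self.calls.popleft()               # drop calls that left the window
        if len(self.calls) < self.limit:
            return 0
        return self.calls[0] + self.window - now   # until the oldest call expires

    def record(self, now):
        self.calls.append(now)
```

With 300 calls recorded over the first 5 minutes, `wait_before_call(300)` returns 3300 seconds, which is the 55-minute wait in the example above.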
Name :X-Content-Type : application/xml
Enable the 'VMDR Mobile API Access' permission for the default 'VMDR Mobile User' role, i.e., users with the VMDR Mobile User role will have access to VMDR Mobile APIs.
The existing superuser and manager users have permission to access VMDR Mobile APIs.