VMDR OT Release 1.2.1 API

June 25, 2025

Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. For this API Release Notes, <qualys_base_url> is mentioned in the sample API requests.

VMDR OT API Versioning

We have updated the versioning for our VMDR OT APIs from V1 to version 1.0. As a result, all V1 APIs are scheduled for the End-of-Support (EOS) and End-of-Life (EOL) from this release. We recommend using the new 1.0 endpoints to ensure continued compatibility, support, and access to the latest features and security enhancements.

Impacted APIs

The following table lists the VMDR OT APIs, along with their respective EOS and EOL timeline details:

API EOS Timeline EOL Timeline New Endpoint
List OT Host Assets

Endpoint: /ot/v1/host/list

July 2025 - December 2025 January 2026 /ot/1.0/host/list
List OT Vulnerabilities

Endpoint: /ot/v1/detection/list

July 2025 - December 2025 January 2026 /ot/1.0/detection/list
List Project Files

Endpoint: /ot/v1/projectfile/list

July 2025 - December 2025 January 2026 /ot/1.0/projectfile/list

For more information, refer to VMDR OT API User Guide.

To support your understanding, definitions of key terms such as End-of-Support (EOS) and End-of-life (EOL) are given below, explaining the lifecycle of each endpoint. 

End-of-Support (EOS)End-of-Support (EOS)

End-of-Support for an API version signifies the point at which Qualys will no longer support that specific version. While the API may continue to function, it will not receive new features, performance improvements, or security updates. This phase is intended to provide a grace period for API consumers to migrate to newer versions.

Implications of End-of-Support
  • No New Features: The API version will not receive any further functional enhancements or new capabilities.
  • Limited Bug Fixes: Critical security vulnerabilities may be addressed on a case-by-case basis, but general bug fixes for non-critical issues will stop.
  • No Performance Improvements: Optimization efforts focus solely on newer API versions.
  • Reduced Support Channels: Technical support for issues related to this specific API version may become limited, and users are strongly recommended to upgrade.
  • No Guarantees of Reliability: While the API may remain operational, Qualys offers no guarantees regarding its continued reliability beyond the EOS date.

End-of-Life (EOL)End-of-Life (EOL)

End-of-Life for an API version is the final stage where the API version is officially retired and will be completely decommissioned. After the EOL date, the API will no longer be available, and any calls to it will result in errors. This marks the complete discontinuation of service for that specific API version.

Implications of End-of-Life
  • API Decommissioning: The API endpoint for this version is shut down and will no longer accept requests.
  • Complete Service Stoppage: All functionalities provided by this API version will cease to exist.
  • Error Responses: Any attempt to call the EOL API results in HTTP error codes, such as 404 Not Found or 410 Gone, or similar error messages.
  • No Support: All forms of support, documentation, and resources related to this API version will be discontinued.

JWT Token Generation using Client ID and Secret Key

You can generate the JWT token by providing the client ID and client secret key in the following API request headers for either a user level or subscription level client.

For more information on generating client ID and client secret key, refer to Support for Auth ID Client Management from UI.

JWT Token Request for User Level ClientJWT Token Request for User Level Client

API Request

curl -X POST
'<qualys_base_url>/auth/oidc'
--header 'clientSecret: wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
--header 'clientId: 123e4567-e89b-12d3-a456-426614174000'
--data-raw ''

API Response (contains JWT access token)

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJjbGllbnQxMjM0NTYiLCJzYwZXM
iOlsiYXBpLnJlYWQiLCJhcGkud3JpdGUiXSwia
XNzIjoiaHR0cHM6Ly9kdW1teS1hdXRoLmNvbSI
sImV4cCI6MTcwMDAwMDAwMH0.SdXn3I6yTb-
JNk9LPjR8W9xAtH7dN3Mqf3HdJ5WnRfE

JWT Token Request for Subscription Level ClientJWT Token Request for Subscription Level Client

API Request

curl -X POST
'<qualys_base_url>/auth/oauth'
--header 'clientId: 123e4567-e89b-12d3-a456-426614174000'
--header 'clientSecret: wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
--data-raw '

API Response (contains JWT access token)

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJjbGllbnQxMjM0NTYiLCJzYwZXM
iOlsiYXBpLnJlYWQiLCJhcGkud3JpdGUiXSwia
XNzIjoiaHR0cHM6Ly9kdW1teS1hdXRoLmNvbSI
sImV4cCI6MTcwMDAwMDAwMH0.SdXn3I6yTb-
JNk9LPjR8W9xAtH7dN3Mqf3HdJ5WnRfE

Once the JWT token is successfully generated, you can use it to authenticate your API requests. Include the token in the Authorization header of an API request. 

The system validates the JWT token and authorizes the request based on the defined scope. See the example below, where a user with API access calls an API to fetch the list of OT assets in your network.

Example API: List OT Host AssetsExample API: List OT Host Assets

API Request

curl -X GET
'<qualys_base_url>/ot/1.0/host/list?filter=asset.assetUuid%3A%22af338503-ce5a-376b-b337-1ed9958abc8f%22'
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6Ik....... '
--header 'Content-Type: application/json'

API Response

{
  "assets": [
      {
          "name": "<asset_name>",
          "address": "<IP_address>",
          "hardware": {
              "category2": <category2>,
              "vendor": "<vendor_name>",
              "model": "<model>",
              "class": "Unknown"
          },
          "interfaces": [
              {
                  "address": "<IP_address>",
                  "firstSeen": "2024-10-04T08:04:20.308Z",
                  "lastSeen": "2024-10-04T08:04:20.308Z"
              }
          ],
          "assetId": <Asset_id>,
          "tags": [
              {
                  "tagId": <tag_id>,
                  "name": "<tag_name>"
              },
          ],
          "lastUpdated": "2024-10-04T08:04:20.308Z",
          "created": "2024-10-04T08:04:20.308Z",
          "firmwareVersion": "<version>",
          "purdueLevel": "Unknown",
          "assetUuid": "<asset_uuid>",
          "serialNumber": "<serial_number>",
          "inventory": {
              "fileHash": "<filehash>",
              "fileName": "<file_name>",
              "source": "Industrial OCA"
          },
          "operatingSystem": "<operating_system>",
          "qAssetId": <qasset_id>
      }
  ]
}