Mutual Certificate Authentication

Number of APIs: 4

Mutual TLS (MTLS) authentication ensures both the API callers and Qualtrics Public API servers encrypt and secure traffic in both directions. This adds a layer of security on top of the standard API authentication mechanisms (such as API Token or OAuth). Once enabled, every request must present the correct client certificate to succeed. If a caller makes a request using an invalid or missing client certificate, Qualtrics will block the request.

Each certificate has an expiry time of 1 year, and you should rotate the certificate before this time elapses. If the provided certificate expires within 60 days, you will find an extra “notice” field under the response “meta” object indicating you should regenerate the certificate. Up to 10 active certificates can be in use at any one time. Qualtrics will deny requests for more than 10 certificates until old certificates are revoked/deleted. You must manually revoke/delete certificates, because expired certificates still count against your certificate limit.
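The expiry and limit rules above, worked through as an added example (not Qualtrics code): it sorts certificate records against the 60-day notice window and the 10-certificate limit, and reads the “notice” field from a parsed response. The record field names certificateId and expirationDate and the sample data are assumptions; only “meta” and “notice” come from this page.

```python
from datetime import datetime, timedelta, timezone

MAX_CERTS = 10                      # certificate limit stated on this page
NOTICE_WINDOW = timedelta(days=60)  # "notice" appears inside this window

def rotation_notice(response):
    """Return meta.notice from a parsed API response, or None if absent."""
    meta = response.get("meta")
    return meta.get("notice") if isinstance(meta, dict) else None

def plan_rotation(certs, now):
    """Classify certificate records and report how many slots are usable.

    Each record is assumed to look like
    {"certificateId": str, "expirationDate": ISO-8601 str with offset};
    these field names are hypothetical, not the Qualtrics schema.
    """
    expired, expiring, healthy = [], [], []
    for cert in certs:
        expires = datetime.fromisoformat(cert["expirationDate"])
        if expires <= now:
            expired.append(cert["certificateId"])
        elif expires - now <= NOTICE_WINDOW:
            expiring.append(cert["certificateId"])
        else:
            healthy.append(cert["certificateId"])
    # Expired certificates keep counting against the limit until deleted.
    slots_free = MAX_CERTS - len(certs)
    return {
        "delete_now": expired,
        "rotate_soon": expiring,
        "healthy": healthy,
        "can_create": slots_free > 0,
        "slots_after_cleanup": slots_free + len(expired),
    }

# Constructed sample: ten records, expiry given as days relative to NOW.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"certificateId": f"CERT_{i}",
     "expirationDate": (NOW + timedelta(days=d)).isoformat()}
    for i, d in enumerate([-40, -5, 30, 90, 120, 150, 200, 250, 300, 360])
]

if __name__ == "__main__":
    print(plan_rotation(SAMPLE_CERTS, NOW))
```

With the sample at the limit, no new certificate can be created until the two expired records are deleted, which is the situation the paragraph warns about.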

Here are the steps to enable this:

  1. Generate a Client Certificate Request (CSR) for “{dc}.qualtrics.com” with your organization’s details, e.g.: openssl req -new -keyout myPrivateKey.pem -out myCSR.csr
  2. Call the Create Client Certificate endpoint with your CSR in the body, e.g.: { "certificateRequest": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----\n" }
  3. Save the Client Certificate and ID you receive from the response for later use with your API calls.
  4. Have your Qualtrics representative enable the Use Client Certificate Authentication setting for your brand.
  5. Provide your client certificate on all future API calls.

Client Certificates Immediately Required

After your Qualtrics representative enables the Use Client Certificate Authentication setting, your API usage will immediately require the use of a client certificate. Be prepared for this change. Discuss the best way to coordinate this cutover with your Qualtrics representative.

Contact Support: Name: Qualtrics Support Email: support@qualtrics.com

  1. organizations/{organizationId}/clientcertificates-{certificateId} - Delete Client Certificate DELETE {{baseUrl}}/organizations/:organizationId/clientcertificates/:certificateId

  2. organizations/{organizationId}/clientcertificates-{certificateId} - Get Client Certificate GET {{baseUrl}}/organizations/:organizationId/clientcertificates/:certificateId

  3. organizations/{organizationId}/clientcertificates - Create Client Certificate POST {{baseUrl}}/organizations/:organizationId/clientcertificates

  4. organizations/{organizationId}/clientcertificates - List Client Certificates GET {{baseUrl}}/organizations/:organizationId/clientcertificates