API authentication
For secure communication between your client and the Veracode APIs, you can configure Open Authorization (OAuth) Client authentication or Hash-based Message Authentication Code (HMAC) signing using your Veracode API credentials. This security measure provides protection against man-in-the-middle and session replay attacks when using the APIs from a command line or in code.
Prerequisites
To set up API authentication, you must have API credentials. For HMAC authentication, we recommend storing your HMAC credentials in an API credentials file.
Using the API wrappers
For HMAC authentication, the API wrappers are preconfigured with HMAC signing enabled. After creating and storing your HMAC credentials, you can use the Java or C# wrappers from the command line or in your code.
Using the REST APIs
For HMAC authentication:
- Perform the external signing step on the command line using either the Java or Python tool or the Veracode API wrappers.
- Use one of the Community-provided HMAC implementations.
- Install a Veracode authentication library and configure your code or development tools to use your API credentials to apply HMAC signing to API requests.
For OAuth authentication, see set up API authentication.
Using the XML APIs
For HMAC authentication:
- Use HTTPie to set up the Python authentication library.
- Use one of the Community-provided HMAC implementations.
Troubleshooting
The following are some common issues that can prevent authentication to Veracode APIs from working correctly:
- Incorrect credentials. The most common problem after setting up authentication is incorrect API ID and key pairs. For example, you might have multiple accounts and associate the wrong set of credentials with the account you are setting up.
  - Ensure credential sets are current and secure.
  - Try revoking the existing credentials, creating new credentials, and retrying.
- Incorrect account type or roles. A role or account error can sometimes be misunderstood as a larger problem with authentication.
- Problems connecting to the Veracode Platform. To test your access, send a request to the APIs. You should get a quick response.
- Inaccurate system time. Although infrequent, authentication fails if the system times of the client and server are substantially out of sync. To ensure your system time is close to actual time, compare your system time with actual time at time.is.
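The following added example is not Veracode code and does not reproduce the Veracode signing algorithm. It sketches a generic HMAC request-signing scheme with a timestamp and nonce to show why an altered request, a resent request, or a request from a client with a badly skewed clock is rejected. The message layout, field names, five-minute tolerance, key, ID, and host are assumptions constructed for the demonstration.

```python
import hashlib
import hmac

MAX_SKEW_MS = 5 * 60 * 1000  # assumed tolerance; the page states no figure


def _mac(key, api_id, method, host, path, ts_ms, nonce):
    # Assumed layout: newline-joined fields, none of which may contain "\n".
    msg = "\n".join([api_id, method.upper(), host, path, str(ts_ms), nonce])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def sign(key, api_id, method, host, path, ts_ms, nonce):
    """Client: fields sent with the request (use a random nonce per request)."""
    return {"id": api_id, "ts": ts_ms, "nonce": nonce,
            "sig": _mac(key, api_id, method, host, path, ts_ms, nonce)}


def verify(keys, seen, auth, method, host, path, now_ms):
    """Server: return 'ok' or the reason the request is rejected."""
    key = keys.get(auth["id"])
    if key is None:
        return "unknown id"
    want = _mac(key, auth["id"], method, host, path, auth["ts"], auth["nonce"])
    if not hmac.compare_digest(want, auth["sig"]):
        return "bad signature"   # wrong key, or request altered in transit
    if abs(now_ms - auth["ts"]) > MAX_SKEW_MS:
        return "clock skew"      # client and server clocks too far apart
    if (auth["id"], auth["nonce"]) in seen:
        return "replay"          # same signed request presented twice
    seen.add((auth["id"], auth["nonce"]))
    return "ok"


def demo():
    # Constructed values: demo key, ID, host and timestamps are not real.
    key, now = b"\x01" * 32, 1_700_000_000_000
    keys, seen = {"demo-id": key}, set()
    host, path = "api.example.test", "/v1/items"
    good = sign(key, "demo-id", "GET", host, path, now, "n-1")
    slow = sign(key, "demo-id", "GET", host, path, now - 600_000, "n-2")
    other = sign(b"\x02" * 32, "demo-id", "GET", host, path, now, "n-3")
    return [
        verify(keys, seen, good, "GET", host, path, now),          # fresh
        verify(keys, seen, good, "GET", host, path, now + 1000),   # resent
        verify(keys, seen, good, "GET", host, "/v1/admin", now),   # altered
        verify(keys, seen, slow, "GET", host, path, now),          # bad clock
        verify(keys, seen, other, "GET", host, path, now),         # wrong key
    ]
```

Calling `demo()` returns one verdict per case, in the order listed in its comments. The ten-minute-slow client fails even though its key and signature are valid, which is the symptom described in the system time item above.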
For help with HMAC or OAuth authentication, contact Veracode Technical Support at [email protected].