HMAC credentials
Create and manage Veracode API credentials using Hash-based Message Authentication Code (HMAC) credentials. HMAC credentials consist of an ID and Secret Key pair. HMAC adds a signature to the HTTP authorization header of each API request. This signature provides maximum protection against man-in-the-middle and session replay attacks.
Use the credentials to authenticate with Veracode using the Veracode APIs and several integrations, including the IDE plugins and extensions and the Veracode CLI.
Each Veracode user can have only one active API ID and Secret Key pair at a time. When you generate new credentials, Veracode automatically revokes the previous ones. Administrators can revoke credentials at any time.
Create credentials
If you use SSO with JIT provisioning, users can sign in to Veracode using their IDEs or the Veracode CLI instead of API credentials. To access the APIs using SSO, you can use the ID and Secret Key credentials without needing a separate API service account.
After you create Veracode API credentials, you can use them to sign in to Veracode APIs and plugins automatically, without needing a separate API service account.
You can also create Veracode API credentials using the Identity API.
After generating your ID and Secret Key pair, if you lose your secret, you must generate a new one. We recommend storing your credentials in an API credentials file, but you can also set them as environment variables.
You can always revoke API credentials, if necessary. The credentials expire after one calendar year. If you want to extend the credentials beyond the expiration date, contact Veracode Technical Support at [email protected].
Before you begin:
- If your user account already has one set of HMAC credentials, generating new credentials will revoke your existing HMAC credentials 24 hours after creation.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials.
- Select Create API Credentials.
- For Credential Type, select HMAC Credentials.
- For Expiration Date, you see the time-to-live (TTL), but you can't change this option for HMAC credentials. The default TTL is the maximum value set for your organization, which is typically 365 days. To change the maximum number of days, your Administrator must contact Veracode Support at [email protected].
- Select Generate.
- To confirm that you want to proceed, select Create.
- Copy the strings under ID and Secret Key and save them to a secure place. You can view these credentials only once. After you leave this page, you can view your ID, but you can no longer view your secret.
- To use these credentials, set them as environment variables or store them in a credentials file.
Revoke credentials
You can always revoke API credentials, if necessary. By default, the Veracode API credentials expire after one calendar year, unless a Veracode administrator resets the expiration date.
Credentials expire immediately after you revoke them. Any Veracode integrations, such as scanning in build pipelines or IDE plugins, that use revoked credentials will no longer be able to authenticate with Veracode, and these integrations will stop working.
You can also revoke API credentials with the Identity API.
Before you begin:
- You must have a Veracode account with the Administrator role.
- Ensure you have updated any integrations that use the credentials you want to revoke.
- Ensure you have created HMAC credentials that you can revoke.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials.
- Select Revoke.
Set credentials as environment variables
Set your API credentials as environment variables and reference them in your development tools.
Store your credentials in either an API credentials file or as environment variables, but not both.
Before you begin:
- Ensure you have created HMAC credentials.
- Ensure you have added your API credentials to the [default] application profile. If you have a [greenlight] profile, delete it or rename it to [default].
To complete this task:
At a command prompt, run the following commands, replacing the values with your ID and Secret Key.
Ensure there are no spaces around the equals signs (=).
On macOS, Linux, or UNIX, run:
export VERACODE_API_KEY_ID=<your HMAC ID>
export VERACODE_API_KEY_SECRET=<your HMAC Secret Key>
On Windows, in PowerShell, run:
$env:VERACODE_API_KEY_ID='<your HMAC ID>'
$env:VERACODE_API_KEY_SECRET='<your HMAC Secret Key>'
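The following pre-flight check for macOS, Linux, or UNIX shells is an added example, not Veracode code. It verifies the setup rules on this page (both variables set and exported, no stray whitespace or leftover placeholder, credentials not stored in both places, no [greenlight] profile) without ever printing the values. The function name, the default file path ~/.veracode/credentials, and the file-permission check are assumptions of this example.

```shell
# Added example (not Veracode code): pre-flight check for HMAC credential setup.
# Assumption: credentials file at ~/.veracode/credentials unless a path is passed.
# Prints findings to stderr, never the values. Returns the number of findings.
check_veracode_creds() {
    cred_file="${1:-$HOME/.veracode/credentials}"
    findings=0
    env_set=0
    tab=$(printf '\t')
    cr=$(printf '\r')
    for name in VERACODE_API_KEY_ID VERACODE_API_KEY_SECRET; do
        eval "value=\${$name-}"
        if [ -z "$value" ]; then
            echo "FINDING: $name is not set or is empty" >&2
            findings=$((findings + 1))
            continue
        fi
        env_set=1
        case "$value" in
            *" "*|*"$tab"*|*"$cr"*)
                echo "FINDING: $name contains whitespace" >&2
                findings=$((findings + 1)) ;;
            *"<"*|*">"*)
                echo "FINDING: $name still contains placeholder brackets" >&2
                findings=$((findings + 1)) ;;
        esac
        # A variable assigned without 'export' is invisible to child processes.
        if ! env | grep "^$name=" >/dev/null; then
            echo "FINDING: $name is set but not exported" >&2
            findings=$((findings + 1))
        fi
    done
    if [ -f "$cred_file" ]; then
        if [ "$env_set" -eq 1 ]; then
            echo "FINDING: credentials present in both environment and $cred_file" >&2
            findings=$((findings + 1))
        fi
        if grep '^\[greenlight\]' "$cred_file" >/dev/null; then
            echo "FINDING: $cred_file has a [greenlight] profile; rename it to [default]" >&2
            findings=$((findings + 1))
        fi
        # Only the owner should be able to read a file that holds the Secret Key.
        if [ -n "$(find "$cred_file" \( -perm -040 -o -perm -004 \))" ]; then
            echo "FINDING: $cred_file is readable by group or others" >&2
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}
```

Call check_veracode_creds in the same shell session or pipeline step that launches the Veracode integration, and treat a non-zero return as a reason to stop before scanning.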