OAuth Client credentials
Create and manage Veracode API credentials using OAuth Client credentials. OAuth Client credentials exchange a Client ID and Client Secret with Veracode's authorization server to retrieve a short-lived access token.
Use the access token to authenticate requests to the Veracode REST APIs. OAuth Client credentials are not supported for the XML APIs.
Create credentials
Create OAuth Client credentials using the Veracode Platform or the Identity API. Alternatively, create them by cloning existing credentials.
After generating your Client ID and Client Secret pair, if you lose your secret, you must generate a new one. Ensure you store your credentials in a secure location. You can also set them as environment variables.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials.
- Select Create API Credentials.
- Select OAuth Client.
- For Name, enter a name that will help you identify these credentials later.
- For Expiration Type, select the time-to-live (TTL) for the credentials, which specifies when they expire. You can enter the number of days until the credentials expire, or select a specific expiration date. The default TTL is the maximum value set for your organization, which is typically 365 days. To change the maximum number of days, your Administrator must contact Veracode Support at [email protected].
- For Description, enter a description that will help you identify how you are using these credentials.
- For Available Roles, select the roles to apply to these credentials. These roles define the scope. You can clear a role to remove permissions (down-scope), but you can only apply roles that are assigned to this user.
- Select Generate.
- To confirm performing this action, select Create.
- Copy the Client ID and Client Secret to a secure location. You can view these credentials only once. After you leave this page, you can view your Client ID, but you can no longer view your Client Secret.
Clone credentials
Clone existing credentials and generate a unique Client ID and Client Secret for the clone. The cloned credentials have the same expiration date (TTL), selected roles (scope), and selected scan types as the original credentials.
You can clone credentials using the Veracode Platform or the Identity API.
After generating your Client ID and Client Secret pair, if you lose your secret, you must generate a new one. Ensure you store your credentials in a secure location. You can also set them as environment variables.
Before you begin:
- Ensure you have created OAuth Client credentials that you can clone.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials.
- In the credentials table, locate the OAuth Client credentials you want to clone.
- In the Actions column, select Clone.
- For Name, enter a name that will help you identify these credentials later.
- For Description, enter a description that will help you identify how you are using these credentials.
- Select Clone.
- Copy the strings under Client ID and Client Secret and save them to a secure location. You can view these credentials only once. After you leave this page, you can view your Client ID, but you can no longer view your Client Secret.
View credentials details
View detailed information about OAuth Client credentials, such as status and scope. You can also revoke the Client Secret.
You can view credentials using the Veracode Platform or the Identity API.
Before you begin:
- To revoke credentials, you must have a Veracode account with the Administrator role.
- Before revoking credentials, ensure you have updated any integrations that use the credentials you want to revoke.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials.
- In the credentials table, locate the OAuth Client credentials you want to view.
- In the Actions column, select View. The View Credential Details window opens.
Rotate credentials
Rotate existing credentials to generate a new Client ID and Client Secret. The credentials retain their time-to-live (TTL), selected roles (scope), and scan types. You typically rotate credentials that are about to expire.
You can rotate credentials using the Veracode Platform or the Identity API.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials.
- In the credentials table, locate the OAuth Client credentials you want to rotate.
- In the Actions column, select Rotate.
- To confirm performing this action, select Rotate. The Rotate Credentials window opens.
- For Revoke active secret, select whether to revoke the current secret immediately after rotation or a specific number of hours after rotation. A delayed revocation gives your integrations an overlap window in which to switch to the new secret before the old one stops working.
- For Create a new secret that will expire in, enter the number of days (TTL) until the new credentials expire.
- Select Rotate.
- Copy the strings under Client ID and Client Secret and save them to a secure place. You can view these credentials only once. After you leave this page, you can view your Client ID, but you can no longer view your Client Secret.
Revoke credentials
Revoke credentials that have expired or that you no longer need. You can revoke credentials using the Veracode Platform or the Identity API.
Credentials expire immediately after you revoke them. Any Veracode integrations, such as scanning in build pipelines or IDE plugins, that use revoked credentials will no longer be able to authenticate with Veracode, and these integrations will stop working.
Before you begin:
- You must have a Veracode account with the Administrator role.
- Ensure you have updated any integrations that use the credentials you want to revoke.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials.
- In the credentials table, locate the OAuth Client credentials you want to revoke.
- In the Actions column, select Revoke.
- To confirm performing this action, select Revoke. The credentials are now expired and no longer appear in the credentials table.
Set credentials as environment variables
Set your OAuth Client credentials as environment variables and reference them in your development tools.
Before you begin:
- Ensure you have created OAuth Client credentials.
- Ensure you have added your API credentials to the [default] profile. If you have a [greenlight] profile, delete it or rename it to [default].
To complete this task:
At a command prompt, run the following commands, replacing the values with your Client ID and Client Secret.
Ensure there are no spaces around the equals signs (=). If your account is not in the Commercial region, you must replace veracode.com in the Token URL with veracode.eu or veracode.us.
On macOS, Linux, or UNIX, run:
export VERACODE_CLIENT_ID='<your OAuth Client ID>'
export VERACODE_CLIENT_SECRET='<your OAuth Client Secret>'
export VERACODE_TOKEN_URL='https://api.veracode.com/api/authn/v2/oauth2/token'
On Windows, in PowerShell, run:
$env:VERACODE_CLIENT_ID='<your OAuth Client ID>'
$env:VERACODE_CLIENT_SECRET='<your OAuth Client Secret>'
$env:VERACODE_TOKEN_URL='https://api.veracode.com/api/authn/v2/oauth2/token'
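A worked example of the exchange these variables feed, added here and not code from Veracode's documentation or SDKs: it reads the three VERACODE_* variables, rejects the mistakes the page warns about (missing values, stray whitespace, a token URL outside the veracode.com, veracode.eu or veracode.us hosts), builds the client credentials request, and caches the short-lived access token, refreshing it shortly before it expires. The request shape (HTTP Basic client authentication and a JSON response carrying access_token, token_type and expires_in) is the standard RFC 6749 form and is an assumption about Veracode's authorization server; the host set, TOKEN_PATH, the sample values and the fake transport are constructed for the example.

```python
"""Client-credentials token exchange driven by the VERACODE_* environment
variables. The HTTP transport is injected so the logic can run offline.
Assumption: the token endpoint accepts the RFC 6749 client_credentials grant
with HTTP Basic client authentication and answers with JSON containing
access_token, token_type and expires_in."""
import base64
import json
import os
import time
from urllib.parse import urlencode, urlparse

# Token hosts for the regions the page names (assumed api.<region> naming).
TOKEN_HOSTS = {"api.veracode.com", "api.veracode.eu", "api.veracode.us"}
TOKEN_PATH = "/api/authn/v2/oauth2/token"


def load_credentials(env=None):
    """Read the three variables and reject unset values, stray whitespace
    (what spaces around '=' typically produce) and a token URL for the wrong
    region or path."""
    env = os.environ if env is None else env
    creds = {}
    for name in ("VERACODE_CLIENT_ID", "VERACODE_CLIENT_SECRET", "VERACODE_TOKEN_URL"):
        value = env.get(name, "")
        if not value or value != value.strip():
            raise ValueError(f"{name} is unset or has leading/trailing whitespace")
        creds[name] = value
    url = urlparse(creds["VERACODE_TOKEN_URL"])
    if url.scheme != "https" or url.hostname not in TOKEN_HOSTS or url.path != TOKEN_PATH:
        raise ValueError("VERACODE_TOKEN_URL must be https://api.veracode.{com,eu,us}" + TOKEN_PATH)
    return creds


def build_token_request(client_id, client_secret, token_url):
    """RFC 6749 section 4.4 grant. The secret travels only inside the Basic
    credential over HTTPS, never in the query string, so it cannot leak into
    access logs or proxy caches."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def parse_token_response(status, body, now):
    """Accept only a 200 carrying a bearer token; return (token, absolute expiry)."""
    if status != 200:
        raise PermissionError(f"token endpoint returned {status}: {body[:200]}")
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response shape")
    return data["access_token"], now + int(data.get("expires_in", 0))


def urllib_send(req):
    """Real transport on the standard library; returns (status, body). Not
    exercised offline."""
    import urllib.error
    import urllib.request
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(r, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


class TokenCache:
    """Holds the short-lived token and refreshes it `skew` seconds before
    expiry, so a token that would expire mid-request is never handed out."""

    def __init__(self, send, creds, skew=30, clock=time.time):
        self.send, self.creds, self.skew, self.clock = send, creds, skew, clock
        self._token, self._expires_at = None, 0.0
        self.fetches = 0  # number of round trips to the token endpoint

    def bearer_header(self):
        now = self.clock()
        if self._token is None or now >= self._expires_at - self.skew:
            req = build_token_request(self.creds["VERACODE_CLIENT_ID"],
                                      self.creds["VERACODE_CLIENT_SECRET"],
                                      self.creds["VERACODE_TOKEN_URL"])
            status, body = self.send(req)
            self._token, self._expires_at = parse_token_response(status, body, now)
            self.fetches += 1
        return {"Authorization": f"Bearer {self._token}"}


if __name__ == "__main__":
    # Constructed sample environment and a fake endpoint; no network is used.
    sample_env = {"VERACODE_CLIENT_ID": "example-client-id",
                  "VERACODE_CLIENT_SECRET": "example-client-secret",
                  "VERACODE_TOKEN_URL": "https://api.veracode.com" + TOKEN_PATH}
    fake_send = lambda req: (200, json.dumps(
        {"access_token": "tok-1", "token_type": "Bearer", "expires_in": 600}))
    cache = TokenCache(fake_send, load_credentials(sample_env))
    print(cache.bearer_header())  # attach this header to each REST API request
```

To call the live endpoint, pass urllib_send instead of the fake transport; the cache then fetches one token per expiry window rather than one per request, which keeps the Client Secret off the wire except when a fresh token is actually needed.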