OAuth Client Credentials

Create and manage Veracode API credentials using Open Authorization (OAuth) Client Credentials. OAuth Client Credentials exchange a Client ID and Client Secret with Veracode's authorization server to retrieve a short-lived access token.

Use the credentials and token to authenticate with the Veracode REST APIs. The XML APIs aren't supported.

Create credentials

Create OAuth Client Credentials using the Veracode Platform or the Identity API. Alternatively, create them by cloning existing credentials.

Important

After generating your Client ID and Client Secret pair, if you lose your secret, you must generate a new one. Ensure you store your credentials in a secure location. You can also set them as environment variables.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. From the user account dropdown, select API Credentials.
  3. Select Create API Credentials.
  4. Select OAuth Client.
  5. For Name, enter a name that will help you identify these credentials later.
  6. For Expiration Type, select the time-to-live (TTL) for the credentials, which specifies when they expire. You can enter the number of days until the credentials expire, or select a specific expiration date. The default TTL is the maximum value set for your organization, which is typically 365 days. To change the maximum number of days, your Administrator must contact Veracode Support at [email protected].
  7. For Description, enter a description that will help you identify how you are using these credentials.
  8. For Available Roles, select the roles to apply to these credentials. These roles define the scope. You can clear a role to remove permissions (down-scope), but you can only apply roles that are assigned to this user.
  9. Select Generate.
  10. To confirm performing this action, select Create.
  11. Copy the Client ID and Client Secret to a secure location. You can view the Client Secret only once. After you leave this page, you can view your Client ID, but you can no longer view your Client Secret.

Clone credentials

Clone existing credentials and generate a unique Client ID and Client Secret for the clone. The cloned credentials have the same time-to-live (TTL), selected roles (scope), and selected scan types as the original credentials.

You can clone credentials using the Veracode Platform or the Identity API.

Important

After generating your Client ID and Client Secret pair, if you lose your secret, you must generate a new one. Ensure you store your credentials in a secure location. You can also set them as environment variables.

Before you begin:

  • Ensure you have created OAuth Client Credentials that you can clone.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. From the user account dropdown, select API Credentials.
  3. In the credentials table, locate the OAuth Client Credentials you want to clone.
  4. In the Actions column, select Clone.
  5. For Name, enter a name that will help you identify these credentials later.
  6. For Description, enter a description that will help you identify how you are using these credentials.
  7. Select Clone.
  8. Copy the strings under Client ID and Client Secret and save them to a secure location. You can view the Client Secret only once. After you leave this page, you can view your Client ID, but you can no longer view your Client Secret.

View credentials details

View detailed information about OAuth Client Credentials, such as the Client ID, status, and selected roles (scope). You can also revoke the Client Secret.

You can view credentials using the Veracode Platform or the Identity API.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. From the user account dropdown, select API Credentials.
  3. In the credentials table, locate the OAuth Client Credentials you want to view.
  4. In the Actions column, select View. The View Credential Details window opens with information about the selected credentials.

Rotate credentials

Rotate existing credentials to generate a new Client Secret. The existing credentials retain the Client ID, time-to-live (TTL), selected roles (scope), and scan types. You typically rotate credentials that are about to expire.

You can rotate credentials using the Veracode Platform or the Identity API.

Caution

Rotating credentials revokes the current Client Secret. To ensure that your pipelines and integrations continue using the current secret, you can delay the expiration of the current secret by setting an expiration for up to 99 hours from now. Delaying the expiration gives your team time to apply the new secret without disrupting development.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. From the user account dropdown, select API Credentials.
  3. In the credentials table, locate the OAuth Client Credentials you want to rotate.
  4. In the Actions column, select Rotate. The Rotate Credentials window opens.
  5. For Revoke active secret, select whether to revoke the current Client Secret immediately or select the number of hours (1-99) from now when the current Client Secret expires.
  6. For Create a new secret that will expire in, you can't change this option because the new Client Secret inherits the current expiration (TTL).
  7. Select Rotate.
  8. Copy the strings under Client ID and Client Secret and save them to a secure location. You can view the Client Secret only once. After you leave this page, you can view your Client ID, but you can no longer view your Client Secret.

Revoke credentials

Revoke credentials that have expired or that you no longer need. You can revoke credentials using the Veracode Platform or the Identity API.

Caution

Credentials expire immediately after you revoke them. Any Veracode integrations, such as scanning in build pipelines or IDE plugins, that use revoked credentials will no longer be able to authenticate with Veracode, and these integrations will stop working.

Before you begin:

  • You must have a Veracode account with the Administrator role.
  • Ensure you have updated any integrations that use the credentials you want to revoke.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. From the user account dropdown, select API Credentials.
  3. In the credentials table, locate the OAuth Client Credentials you want to revoke.
  4. In the Actions column, select Revoke.
  5. To confirm performing this action, select Revoke. The credentials are now expired and no longer appear in the credentials table.

Set credentials as environment variables

Set your OAuth Client Credentials as environment variables and reference them in your development tools.

To complete this task:

At a PowerShell prompt, run the following commands, replacing the placeholder values with your Client ID and Client Secret.

Important

Ensure there are no spaces around the equals signs (=). If your account is not in the Commercial region, you must replace veracode.com in the Token URL with veracode.eu or veracode.us.

$env:VERACODE_CLIENT_ID='<your OAuth Client ID>'
$env:VERACODE_CLIENT_SECRET='<your OAuth Client Secret>'
$env:VERACODE_TOKEN_URL='https://api.veracode.com/api/authn/v2/oauth2/token'
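The following PowerShell function is an added example, not Veracode's own code or a Veracode-provided script. It reads the three environment variables set above, checks for the whitespace and region mistakes the note warns about, and then performs the token exchange described at the top of this page. It assumes the token endpoint accepts the standard OAuth 2.0 client credentials grant (RFC 6749 section 4.4: a form body with grant_type=client_credentials and HTTP Basic client authentication) and returns JSON with access_token and expires_in fields, and that the returned token is used as a Bearer token; the function name Get-VeracodeAccessToken is a hypothetical name chosen here.

```powershell
# Added example (not Veracode's own code). Assumes the token endpoint follows the
# standard OAuth 2.0 client credentials grant (RFC 6749 section 4.4) and returns
# JSON with access_token and expires_in.
function Get-VeracodeAccessToken {
    # Each variable must exist and must not carry stray whitespace, which is what
    # the "no spaces around the equals signs" note guards against.
    foreach ($name in 'VERACODE_CLIENT_ID', 'VERACODE_CLIENT_SECRET', 'VERACODE_TOKEN_URL') {
        $value = [Environment]::GetEnvironmentVariable($name)
        if ([string]::IsNullOrWhiteSpace($value)) {
            throw "Environment variable $name is not set."
        }
        if ($value -ne $value.Trim()) {
            throw "Environment variable $name has leading or trailing whitespace."
        }
    }

    $tokenUrl = $env:VERACODE_TOKEN_URL
    # The host must be the regional API host for your account (veracode.com,
    # veracode.eu or veracode.us); a wrong region fails authentication.
    if ($tokenUrl -notmatch '^https://api\.veracode\.(com|eu|us)/') {
        throw "VERACODE_TOKEN_URL is not a Veracode regional token URL: $tokenUrl"
    }

    # HTTP Basic client authentication: base64("client_id:client_secret").
    $pair  = '{0}:{1}' -f $env:VERACODE_CLIENT_ID, $env:VERACODE_CLIENT_SECRET
    $basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

    # Invoke-RestMethod sends a hashtable body as application/x-www-form-urlencoded.
    $response = Invoke-RestMethod -Method Post -Uri $tokenUrl `
        -Headers @{ Authorization = "Basic $basic" } `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ grant_type = 'client_credentials' }

    # Return the token with its absolute expiry so callers refresh it before it
    # stops working rather than caching it indefinitely.
    [pscustomobject]@{
        AccessToken = $response.access_token
        ExpiresAt   = (Get-Date).AddSeconds([int]$response.expires_in)
    }
}

# Usage: obtain a token and attach it as a Bearer token to a REST API request.
# <rest-api-path> is a placeholder for the REST API endpoint you are calling.
$token   = Get-VeracodeAccessToken
$headers = @{ Authorization = "Bearer $($token.AccessToken)" }
# Invoke-RestMethod -Uri "https://api.veracode.com/<rest-api-path>" -Headers $headers
```

Because the token is short-lived, refresh it by calling the function again when ExpiresAt is near; the Client Secret itself is never sent to any endpoint other than the Token URL.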