Veracode API credentials
Veracode API credentials help ensure secure communication between your client and Veracode. Authenticating users (human UI users or non-human API users) with API credentials improves security and session management when accessing the APIs.
Veracode user accounts use Veracode API credentials to access the Veracode APIs and several integrations, including the IDE plugins and extensions and the Veracode CLI.
For integrations that require user interaction, such as the IDE plugins and extensions, we recommend using single sign-on (SSO) with just-in-time (JIT) provisioning for UI users, particularly when onboarding new users. With SSO, your development teams can securely sign in to Veracode using OAuth authentication from within their IDEs and the Veracode CLI, without needing to create and maintain an API credentials file.
For automated integrations, such as scripts, CI/CD plugins, or APIs that don't require human interaction, the best practice is to use API user accounts with API credentials.
To respond to an accidental credentials leak, you can use the Veracode Platform or the REST APIs to quickly revoke and regenerate these credentials.
Manage API credentials
You can manage Veracode API credentials for UI users and API users on the API Credentials page in the Veracode Platform, or by using the Identity API.
Before you begin:
- You must have a Veracode user account.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials. The API Credentials page opens with all credentials listed in a table.
- To create OAuth Client Credentials or HMAC credentials, select Create API Credentials.
- To filter the list of credentials by type or status, select Filter.
- To hide or show columns in the table, select Set Columns.
- To view and manage the credentials, select an option in the Actions column.
Credential types
Create API credentials using the following credential types. These credentials support both UI user and API user accounts.
Before December 2025, Veracode only supported HMAC authentication, so many integrations require HMAC credentials. For example, you use HMAC credentials with the Veracode API wrappers, HTTPie with the appropriate Veracode authentication library, Veracode IDE integrations, and the Veracode CLI.
Compared to HMAC authentication, OAuth authentication is more widely adopted throughout the software industry.
OAuth Client Credentials
Open Authentication (OAuth) Client Credentials consist of a Client ID (public identifier), Client Secret (private key), and token. OAuth authentication generates a secure token for each API request and provides the following security benefits. With OAuth Client Credentials, you can:
- Set the credential’s time-to-live (TTL) to an earlier expiration date.
- Reduce (down-scope) the credential’s permissions to a subset of the user’s permissions.
- Create more than one set of credentials for a user.
- Maintain more than one Secret Key for each Client ID, which makes it easier to rotate credentials before they expire.
HMAC credentials
Hash-based Message Authentication (HMAC) credentials consist of an API ID (public identifier) and API Key (private key) pair. HMAC authentication adds an HMAC signature to each API call and provides the following security benefits.
- Credentials are not sent in the clear as plain text. The API key is never transmitted. Instead, the sender uses the API key to generate the HMAC signature, and the server validates it.
- The HMAC signature validates that the message was not tampered with or altered in transit. Any change to the message invalidates the HMAC.
- The HMAC signature includes a unique one-time value that prevents replay attacks.
- Credentials are supported by the Veracode API credentials file.
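The three signature properties listed above (key never transmitted, tamper detection, replay prevention) can be seen in a generic HMAC request-signing sketch. This is an added example, not Veracode's code or its actual signature format: the signed-field layout, the function and class names, the 300-second window, and the sample credentials are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials; not real Veracode values.
API_ID = "example-api-id"
API_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed)


def _mac(key, api_id, method, host, path, body, ts, nonce):
    # Bind every field an attacker could alter into the signed message.
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([api_id, method.upper(), host.lower(), path, body_hash, str(ts), nonce])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def sign_request(api_id, key, method, host, path, body=b"", now=None):
    """Client side: return the auth fields sent with the request. The key stays local."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)  # unique one-time value
    sig = _mac(key, api_id, method, host, path, body, ts, nonce)
    return {"id": api_id, "ts": ts, "nonce": nonce, "sig": sig}


class Verifier:
    """Server side: recompute the MAC and reject stale or repeated nonces."""

    def __init__(self, keys):
        self.keys = keys  # api_id -> key, held only by the server
        self.seen = {}    # nonce -> timestamp, kept for the skew window

    def verify(self, auth, method, host, path, body=b"", now=None):
        now = int(time.time() if now is None else now)
        key = self.keys.get(auth["id"])
        if key is None:
            return "unknown-id"
        if abs(now - auth["ts"]) > MAX_SKEW:
            return "stale"
        expected = _mac(key, auth["id"], method, host, path, body, auth["ts"], auth["nonce"])
        if not hmac.compare_digest(expected, auth["sig"]):  # constant-time compare
            return "bad-signature"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if auth["nonce"] in self.seen:
            return "replay"
        self.seen[auth["nonce"]] = auth["ts"]
        return "ok"
```

A verifier that runs on more than one node needs a shared nonce store; otherwise a captured request replayed to a different node is accepted.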
Expiration notifications
Veracode sends two credentials expiration reminders: one week before the credentials expire and the day before expiration.