Skip to main content

About API credentials

Veracode accounts use Veracode API credentials to access the Veracode APIs and several integrations. Authenticating users with API credentials provides improved security and session management for API access.

You can generate Veracode API credentials for use with both user accounts and API service accounts. The credentials are comprised of an API ID and API key pair.

Using Veracode API credentials ensures the most secure communication between your client and Veracode when using the Veracode APIs. Security features include HMAC signatures to ensure the identity of the requester, a nonce to prevent replay attacks, and the ability to revoke credentials that may have become compromised.

After generating Veracode API credentials, you use these for logging in to the Veracode APIs and integrations without using a separate API service account. You can also use these credentials for single sign-on with SAML. You can only have one API ID and key pair at a time per Veracode user. If you generate new credentials, Veracode automatically revokes the previous credentials. An administrator can revoke user credentials at any time.

Veracode sends an email notifying you when your Veracode API credentials are expiring one week before the expiration date and another one the day before the expiration date.

To use Veracode API credentials, Veracode recommends you use the Veracode API wrappers, HTTPie with the appropriate Veracode authentication library, or one of the Veracode IDE integrations.


Veracode does not support using cURL from the command line to access Veracode APIs.