Manage API credentials

Veracode accounts use Veracode API credentials to access the Veracode APIs and several integrations. Authenticating users with API credentials improves security and enables better session management for API access.

You can generate Veracode API credentials for use with both user accounts and API service accounts. The credentials consist of an API ID and API key pair.

note

As an alternative to API credentials, we recommend using Single-Sign On (SSO) with Just-in-Time (JIT) provisioning for human user accounts, particularly when onboarding new users. With SSO, your development teams can securely sign in to Veracode using OAuth from within their IDEs and the Veracode CLI, without needing to create and maintain an API credentials file. For automated integrations, such as scripts, CI/CD plugins, or APIs that don't require human interaction, the best practice is to use non-human API service accounts with API credentials.

Using Veracode API credentials ensures secure communication between your client and Veracode. Built-in security features include HMAC signatures to verify the requester's identity, a nonce to prevent replay attacks, and the ability to revoke compromised credentials.

After generating your credentials, use them to sign in to Veracode APIs and integrations without requiring a separate API service account. These credentials also support single sign-on with SAML. Each Veracode user can have only one active API ID and key pair at a time. When you generate new credentials, Veracode automatically revokes the previous ones. Administrators can revoke credentials at any time.

Veracode sends expiration reminders one week before the credentials expire and again the day before expiration.

To use Veracode API credentials, we recommend using Veracode API wrappers, HTTPie with the appropriate Veracode authentication library, one of the Veracode IDE integrations, or the Veracode CLI.

Generate API credentials

You must generate API credentials before using the Veracode APIs or certain integrations.

If you use SSO with JIT provisioning, users can sign in to Veracode using their IDEs or the Veracode CLI instead of using API credentials. To access the APIs using SSO, you can use the ID and key credentials without needing a separate API service account.

You can also generate Veracode API credentials using the Identity API.

To complete this task:

1. Sign in to the Veracode Platform.
2. From the user account dropdown, select API Credentials.
3. Select Generate API Credentials.
4. Copy the ID and secret key to a secure place. Veracode recommends storing your credentials in an API credentials file.

You can view these credentials only once. You have the choice of setting them as environment variables or putting them in a credentials file. After you leave the page, you cannot view your current credentials again. The creation of new credentials revokes any old credentials after 24 hours. You can always revoke API credentials, if necessary. The credentials expire in one calendar year. If you want to extend the credentials beyond the expiration date, contact Veracode Technical Support at [email protected].

After you create Veracode API credentials, you can use these credentials to automatically log in to Veracode APIs and plugins without using a separate API service account to be able to access the APIs.

Revoke API credentials

You can always revoke API credentials, if necessary. By default, the Veracode API credentials expire after one calendar year, unless a Veracode administrator resets the expiration date.

The credentials expire immediately after you revoke them.

You can also revoke API credentials with the Identity API.

To complete this task:

1. Sign in to the Veracode Platform.
2. From the user account dropdown, select API Credentials.
3. Then, select Revoke API Credentials.

About the API credentials file

Some Veracode products, such as the IDE plugins, require you to store your API credentials in a credentials file.

You can create the Veracode API credentials file on Windows, macOS, Linux, or UNIX. Place the file in a specific directory on the system where you run APIs or integrations. The integration, API wrapper, or command-line tool reads the file from this directory to access your credentials.

For macOS, Linux, and UNIX, you can alternatively store your credentials as environment variables. Use either the Veracode API credentials file or environment variables, but not both.

Create an API credentials file on Windows

You can create a Veracode API credentials file on Windows and optionally encrypt the file for added security.

Before you begin:

• You have generated API credentials.
• You have added your Veracode API credentials to the [default] application profile. If a [greenlight] profile exists, delete or rename it to [default].

To complete this task:

1. In File Explorer, go to C:\Users\{username}, where username is your Windows user profile folder.

2. Create a new folder named .veracode. (with a final period). This tells File Explorer to create a folder that begins with a period. The second period disappears after creation.

3. Open a text editor, such as Notepad, and add your API credentials to a new file in this format:

   [default]
   veracode_api_key_id = {your_api_key_id}
   veracode_api_key_secret = {your_api_secret_key}

   The spaces around the equals sign (=) are optional.

4. Select File > Save As, enter "credentials" as the file name (including quotes), and select Save. The quotation marks prevent Notepad from adding a file extension.

5. If a file extension is added, open the file properties and remove the extension manually.

6. Optionally, enable the Encrypt contents to secure data attribute in the Advanced Attributes window to restrict access to the file.

Configure API credentials on macOS or Linux

To use your API credentials on macOS or Linux, use one of the following methods, but do not use both methods on the same system.

Create an API credentials file

You can create a credentials file on macOS or Linux and optionally restrict its access.

Before you begin:

• You have generated API credentials.
• You have added your Veracode API credentials to the [default] application profile. If a [greenlight] profile exists, delete or rename it to [default].

To complete this task:

1. On the command line, navigate to the folder for your username. For example, $HOME.

2. Run this command to create the .veracode folder: $ mkdir .veracode

3. Navigate to the .veracode folder. For example: $ cd .veracode

   note

   On macOS, the .veracode folder is hidden by default because its name starts with a period.

4. Run this touch command to create the credentials file: $ touch credentials

5. Open the Finder to .veracode.

6. Open the credentials file in a text editor.

7. Copy this text and paste it into the credentials file:

   [default]
   veracode_api_key_id = Your API ID
   veracode_api_key_secret = Your API key                

   The spaces around the equals sign (=) are optional.

8. Replace the values with your Veracode API credentials.

9. Save the credentials file.

10. Optionally, to restrict access to the credentials file, run the following command: chmod 600 ~/.veracode/credentials

Configure API credentials as environment variables

You can store your API credentials as environment variables on macOS, Linux, or UNIX. Use either an API credentials file or environment variables, but not both.

Before you begin:

• You have generated Veracode API credentials.
• You have added your API credentials to the [default] application profile. If an existing [greenlight] profile exists, delete or rename it to [default].

To complete this task:

At a command prompt, run the following commands, replacing the values with your API ID and key:

$ export VERACODE_API_KEY_ID={your_api_key_id}

$ export VERACODE_API_KEY_SECRET={your_api_secret_key}