Manage API credentials

Veracode accounts use Veracode API credentials to access the Veracode APIs and several integrations. Authenticating users with API credentials provides improved security and session management for API access.

You can generate Veracode API credentials for use with both user accounts and API service accounts. The credentials are comprised of an API ID and API key pair.

Using Veracode API credentials ensures the most secure communication between your client and Veracode when using the Veracode APIs. Security features include HMAC signatures to ensure the identity of the requester, a nonce to prevent replay attacks, and the ability to revoke credentials that may have become compromised.

After generating Veracode API credentials, you use these for logging in to the Veracode APIs and integrations without using a separate API service account. You can also use these credentials for single sign-on with SAML. You can only have one API ID and key pair at a time per Veracode user. If you generate new credentials, Veracode automatically revokes the previous credentials. An administrator can revoke user credentials at any time.

Veracode sends an email notifying you when your Veracode API credentials are expiring one week before the expiration date and another one the day before the expiration date.

To use Veracode API credentials, Veracode recommends you use the Veracode API wrappers, HTTPie with the appropriate Veracode authentication library, or one of the Veracode IDE integrations.

note

Veracode does not support using cURL from the command line to access Veracode APIs.

Generate API credentials

You must generate API credentials before you can use the APIs and some integrations.

If you use single sign-on with SAML, you can use the ID and key credentials instead of having to use a separate Veracode Platform API service account to access the APIs.

You can also generate Veracode API credentials with the Identity API.

To complete this task:

1. Sign in to the Veracode Platform.
2. From the user account dropdown, select API Credentials.
3. Select Generate API Credentials.
4. Copy the ID and secret key to a secure place. Veracode recommends storing your credentials in an API credentials file.

You can only see these credentials this one time. You have the choice of setting them as environment variables or putting them in a credentials file. When you leave this page you cannot review your current credentials. The creation of new credentials revokes any old credentials after 24 hours. You can always revoke API credentials, if necessary. The credentials expire in one calendar year. If you want to extend the credentials beyond the expiration date, contact Veracode Technical Support at [email protected].

After you create Veracode API credentials, you can use these credentials to automatically log in to Veracode APIs and plugins without using a separate API service account to be able to access the APIs.

Revoke API credentials

You can always revoke API credentials, if necessary. By default, the Veracode API credentials expire after one calendar year, unless a Veracode administrator resets the expiration date.

The credentials expire immediately after you revoke them.

You can also revoke API credentials with the Identity API.

To complete this task:

1. Sign in to the Veracode Platform.
2. From the user account dropdown, select API Credentials.
3. Select Revoke API Credentials.

About the API credentials file

Some Veracode products, such as the IDE plugins, require that you store your API credentials in an API credentials file.

You can create the Veracode API credentials file on Windows, macOS, Linux, or UNIX. You add the file to a specific directory on the system on which you run APIs or integrations. The integration, API wrapper, or command-line tool reads the file from this directory to access your credentials.

For macOS, Linux, and UNIX, you can alternately store your credentials as environment variables. You can use either the Veracode API credentials file or environment variables, but not both.

Create an API credentials file on Windows

You can create a Veracode API credentials file on Windows and, optionally, use encryption to secure the file.

Before you begin:

• You have generated API credentials.
• Depending on your Veracode integration, you have added your Veracode API credentials to the [default] application profile. If you have an existing [greenlight] profile, delete it or rename it to [default].

To complete this task:

1. In File Explorer, go to C:\Users\{username}, where username is the folder for your user profile.

2. Add a new folder to your user folder named .veracode., adding a final period to the name. The extra period at the end of the folder name specifies to File Explorer that you want to create a folder that starts with a period. The second period disappears after you create the folder.

3. Open a text editor, such as Notepad, and add your API credentials to a new file in this format:

   [default]
   veracode_api_key_id = {your_api_key_id}
   veracode_api_key_secret = {your_api_secret_key}

   The spaces around the equals sign (=) are not required.

4. Select File > Save As and enter "credentials" in the File name field. The quotation marks ensure that Notepad does not add a file extension. If you create the file with a file extension, open the file properties, then remove the file extension in the Properties window.

5. Select Save.

6. Optionally, you can use the Advanced Attributes window in Windows to enable the Encrypt contents to secure data option on the credentials file. Enabling this option restricts user access to the file.

Configure API credentials on macOS or Linux

To use your API credentials on macOS or Linux, use one of the following options, but do not use both options on the same system.

Create an API credentials file

You can create an API credentials file on macOS or Linux and, optionally, run a command to restrict access to the file.

Before you begin:

• You have generated API credentials.
• Depending on your Veracode integration, you have added your Veracode API credentials to the [default] application profile. If you have an existing [greenlight] profile, delete it or rename it to [default].

To complete this task:

1. On the command line, navigate to the folder for your username. For example, $HOME.

2. Run this command to create the .veracode folder: $ mkdir .veracode

3. Navigate to the .veracode folder. For example: $ cd .veracode

   note

   macOS immediately hides the .veracode folder because the folder name begins with a period.

4. Run this touch command to create the credentials file: $ touch credentials

5. Open the Finder to .veracode.

6. Open the credentials file in a text editor.

7. Copy this text and paste it into the credentials file:

   [default]
   veracode_api_key_id = Your API ID
   veracode_api_key_secret = Your API key                

   The spaces around the equals sign (=) are not required.

8. Replace the values with your Veracode API credentials.

9. Save the credentials file.

10. Optionally, you can run the following command to restrict access to the credentials file: chmod 600 ~/.veracode/credentials

Configure API credentials as environment variables

You can store your API credentials as environment variables on macOS, Linux, or UNIX. You can use either an API credentials file or environment variables, but not both.

Before you begin:

• You have generated Veracode API credentials.
• Depending on your Veracode integration, you have added your API credentials to the [default] application profile. If you have an existing [greenlight] profile, delete it or rename it to [default].

To complete this task:

At a command prompt, run the following commands, replacing the values with your API ID and key:

$ export VERACODE_API_KEY_ID={your_api_key_id}

$ export VERACODE_API_KEY_SECRET={your_api_secret_key}