Veracode API credentials
Veracode API credentials help ensure secure communication between your client and Veracode. Authenticating users (human users or non-human API service accounts) with API credentials improves security and session management when accessing the APIs.
Veracode accounts use Veracode API credentials to access the Veracode APIs and several integrations, including the IDE plugins and extensions and the Veracode CLI.
For integrations that require user interaction, such as the IDE plugins and extensions, we recommend using single sign-on (SSO) with just-in-time (JIT) provisioning for human user accounts, particularly when onboarding new users. With SSO, your development teams can securely sign in to Veracode using OAuth from within their IDEs and the Veracode CLI, without needing to create and maintain an API credentials file.
For automated integrations, such as scripts, CI/CD plugins, or APIs that don't require human interaction, the best practice is to use non-human API service accounts with API credentials.
Access API credentials
You can access and manage Veracode API credentials for human user accounts and API service accounts on the API Credentials page in the Veracode Platform, or by using the Identity API.
Before you begin:
- You must have a Veracode user account.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials. The API Credentials page opens with all credentials listed in a table.
- To create OAuth Client credentials or HMAC credentials, select Create API Credentials.
- To filter the list of credentials by type or status, select Filter.
- To hide or show columns in the table, select Set Columns.
- To view and manage the credentials, select an option in the Actions column.
Credential types
Create API credentials using the following credential types. These credentials support both human user accounts and API service accounts.
- Open Authentication (OAuth) Client credentials
- Hash-based Message Authentication (HMAC) credentials: you can add these credentials to a Veracode API credentials file.
Before December 2025, Veracode supported only HMAC authentication, so many integrations require HMAC credentials. For example, you use HMAC credentials with the Veracode API wrappers, HTTPie with the appropriate Veracode authentication library, Veracode IDE integrations, and the Veracode CLI.
Compared to HMAC authentication, OAuth Client authentication is more widely adopted throughout the software industry and lets you do the following:
- Set the credential’s time-to-live (TTL) to an earlier expiration date
- Reduce (down-scope) the credential’s permissions to a subset of the user’s permissions
- Create more than one set of credentials for a user
- Maintain more than one Secret ID for each Client ID, which makes it easier to rotate credentials before they expire
Expiration notifications
Veracode sends two credentials expiration reminders: one week before the credentials expire and the day before expiration.