Skip to main content

Enabling HMAC for Veracode APIs

Veracode APIs use a Hash-based Message Authentication Code (HMAC) with your API credentials to add an HMAC signature to the HTTP authorization header of each API request. This security measure provides maximum protection against man-in-the-middle and session replay attacks.

HMAC signing provides these added security benefits:

  • Credentials, which consist of an API ID and key, are not sent in the clear as plain text. The API key is never transmitted, but encrypts the HMAC from the sender-side and decrypts it from the server-side.
  • The HMAC signature validates that the message was not tampered with or altered in transit. Any change to the message invalidates the HMAC.
  • The HMAC signature includes a nonce (one-time code) that prevents replay attacks.

To respond to an accidental credentials leak, you can use the Veracode Platform or the REST APIs to quickly revoke and regenerate them.

Prerequisites

You must have API credentials. Veracode highly recommends that you store your API credentials in an API credentials file.

Enable HMAC for the API Wrappers

The API wrappers are preconfigured with HMAC signing already enabled. After you generate and store your API credentials, you can use the Java or C# wrappers from the command line or in your code. The API wrappers are also the best way to troubleshoot your Veracode environment.

note

Veracode recommends that you always run the latest version of an API wrapper.

Enable HMAC for Using the REST APIs with Java

You can use any of these methods:

Enable HMAC for Using the XML APIs from the Command Line

The cURL command-line tool does not support HMAC authentication, therefore Veracode provides support for the HTTPie command-line tool. To use HTTPie and HMAC authentication with the XML APIs:

Enable HMAC for Python Programs

Complete these tasks:

  1. Install the Python Authentication Library.
  2. Review the HMAC Signing Example in Python.

Enable HMAC for Java Programs

Complete these tasks:

  1. Install the Java Authentication Library.
  2. Review the HMAC Signing Example in Java.

Enable HMAC for C# Programs

Review the HMAC Signing Example in C#.