Set up API authentication
Veracode provides an authentication library for Java and Python that you can use to set up Hash-based Message Authentication Code (HMAC) or Open Authorization (OAuth) Client authentication to the Veracode APIs. Integrate the Veracode authentication library with your code or development tools and provide your Veracode API credentials to the integration.
For additional authentication tools and example code for various languages, go to Veracode Community Projects.
1. Install the Veracode authentication library
Veracode provides an HMAC authentication library for Java and an HMAC and OAuth authentication library for Python.
Veracode doesn't provide an official HMAC authentication library for C#, but you can download an example C# application with HMAC authentication configured and use it as a template for adding HMAC authentication to your application. You can also set up an OAuth Client integration for C# or other languages.
For Java
The Java authentication library adds HMAC authentication to your API requests. Download the Veracode API-signing Java library as a JAR file and store the JAR file in your project directory.
You can also set up an OAuth Client integration for Java or other languages.
For Python
The Python authentication library integrates HTTPie with the Veracode APIs to add HMAC or OAuth authentication when calling the APIs from the command line.
You can also set up an OAuth Client integration for Python or other languages.
a. Install Python and HTTPie
To prepare your machine for the Python authentication library, install Python and HTTPie. We recommend using Python v3.7 or later with the latest version of the pip package manager.
Open a command prompt and run the following commands.
On macOS, Linux, or UNIX, to install Python and HTTPie using Homebrew, run:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install python
brew install httpie
To install Python and HTTPie on Windows using PowerShell and Chocolatey, run:
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
choco install python
choco install httpie
b. Install the authentication library
Install the Python authentication library for your HMAC credentials or OAuth Client Credentials.
You use the library to:
- Load the API credentials
- Generate an HMAC authorization header or OAuth Client token
- Send an HTTP request to a Veracode API with a valid endpoint
To install the HMAC authentication library from PyPI, run:
pip install veracode-api-signing
To install the OAuth authentication library, run:
httpie cli plugins install httpie-oauth2-client-credentials-flow
2. Store your API credentials
Use one of the following methods to store your HMAC credentials or OAuth Client Credentials for authenticating to the APIs.
- Veracode API credentials file (HMAC only)
- Environment variables
By default, the Veracode authentication library attempts to access your API credentials from an API credentials file or environment variables. Store your credentials in either an API credentials file or as environment variables, but not both.
Veracode API credentials file
For HMAC authentication, we recommend adding your HMAC credentials to a Veracode API credentials file. You can reference the credentials file in your code and development tools.
The API credentials file doesn't support OAuth Client Credentials.
The Python authentication library supports selecting specific API credentials from a list of profile names in an API credentials file. For example, you can use specific credentials for specific requests.
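The storage rule above (an API credentials file or environment variables, but not both) can be checked before a pipeline runs. This is an added example, not Veracode's code: the INI layout, the key names, and the environment variable names are assumed from Veracode's documented defaults and do not appear on this page, and every value is a constructed placeholder.

```python
import configparser
import os
import stat
import tempfile

# Assumed names: Veracode's documented defaults, not shown on this page.
ENV_VARS = ("VERACODE_API_KEY_ID", "VERACODE_API_KEY_SECRET")
FILE_KEYS = ("veracode_api_key_id", "veracode_api_key_secret")


def audit_credentials(path, environ):
    """Return findings about how HMAC credentials are stored."""
    findings = []
    env_set = [v for v in ENV_VARS if environ.get(v)]
    if len(env_set) == 1:
        findings.append("environment: only %s is set" % env_set[0])
    if not os.path.isfile(path):
        return findings + ([] if env_set else ["no credentials stored"])
    if env_set:
        findings.append("credentials are in both the file and the environment")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %o is accessible beyond the owner" % mode)
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    for profile in parser.sections():
        missing = [k for k in FILE_KEYS if not parser[profile].get(k, "").strip()]
        if missing:
            findings.append("profile [%s] lacks %s" % (profile, ", ".join(missing)))
    return findings


def demo():
    """Audit a constructed credentials file holding placeholder values."""
    sample = ("[default]\nveracode_api_key_id = EXAMPLE_ID\n"
              "veracode_api_key_secret = EXAMPLE_SECRET\n"
              "[ci]\nveracode_api_key_id = EXAMPLE_CI_ID\n")
    env = {name: "EXAMPLE" for name in ENV_VARS}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as handle:
            handle.write(sample)
        os.chmod(path, 0o644)
        return audit_credentials(path, env)


if __name__ == "__main__":
    print("\n".join(demo()))
```

To audit a real setup, call `audit_credentials` with the path to your credentials file and `os.environ`.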
Environment variables
To set your credentials as environment variables that you can reference in your code and development tools, see the following:
3. Integrate authentication
Optionally, configure your code or development tools to authenticate with the Veracode APIs using your API credentials.
HMAC examples
For additional HMAC examples and tools, go to Veracode Community Projects and search for HMAC.
For Java
Review the HMAC signing example.
For C#
Download a complete example C# application with HMAC authentication configured.
In the example application, HMAC authentication is configured in the following files.
- HmacAuthHeader.cs
- Program.cs
For Python
Download a complete example Python application with HMAC authentication configured.
4. Test your authentication
To verify that your client can authenticate with the Veracode APIs, send an API request.
To test HMAC authentication, send one of the following requests.
Using a REST API, send:
http --auth-type=veracode_hmac "https://api.veracode.com/appsec/v1/applications"
Using an XML API, send:
http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/authn/v2/users/self"
To test OAuth authentication, use the following commands to request a token and send a request to a REST API.
Depending on the region of your Veracode user account, in the GET URL, you might need to replace veracode.com with veracode.eu or veracode.us.
On macOS, Linux, or UNIX, run:
http --auth-type=oauth2-client-credentials-flow \
--auth="$VERACODE_CLIENT_ID:$VERACODE_CLIENT_SECRET" \
--token-endpoint="$VERACODE_TOKEN_URL" \
--token-request-type=basic \
GET https://api.veracode.com/appsec/v1/applications
macOS and Linux use the backslash (\) as the line continuation character.
On Windows, run:
http --auth-type=oauth2-client-credentials-flow `
--auth="$($env:VERACODE_CLIENT_ID):$($env:VERACODE_CLIENT_SECRET)" `
--token-endpoint="$($env:VERACODE_TOKEN_URL)" `
--token-request-type=basic `
GET https://api.veracode.com/appsec/v1/applications
PowerShell uses the backtick (`) as the line continuation character.