Enabling HMAC for Veracode APIs
Veracode APIs use a Hash-based Message Authentication Code (HMAC) with your API credentials to add an HMAC signature to the HTTP authorization header of each API request. This security measure provides maximum protection against man-in-the-middle and session replay attacks.
HMAC signing provides these added security benefits:
- Credentials, which consist of an API ID and an API key, are not sent in plain text. The API key itself is never transmitted: the sender uses it to generate the HMAC, and the server uses its own copy of the key to validate the HMAC.
- The HMAC signature validates that the message was not tampered with or altered in transit. Any change to the message invalidates the HMAC.
- The HMAC signature includes a nonce (one-time code) that prevents replay attacks.
If your credentials are accidentally leaked, you can use the Veracode Platform or the REST APIs to quickly revoke and regenerate them.
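The three properties listed above, shown end to end as an added illustration that is not Veracode's own signing scheme or library code: the client signs the method, host, path, timestamp and nonce with the API key, and the server recomputes the HMAC with its stored copy of the key and rejects tampered, stale and replayed requests. The header layout, canonical string, scheme name and 60-second freshness window are constructed assumptions for this demo, as are the credentials.

```python
import hashlib
import hmac
import os
import time

# Constructed demo credentials (not real Veracode credentials). The server keeps
# its own copy of the key; the key itself never travels inside a request.
API_ID = "0123456789abcdef0123456789abcdef"
API_KEY = hashlib.sha256(b"constructed demo key, never use in production").digest()

def canonical(method, host, path, ts, nonce):
    """Bind every field the server checks into one signed string, so any change
    in transit to the method, host, path, timestamp or nonce breaks the HMAC."""
    return f"{method}\n{host}\n{path}\n{ts}\n{nonce}".encode()

def sign_request(method, host, path, api_id=API_ID, key=API_KEY):
    """Client side: build the Authorization header value for one request."""
    ts = str(int(time.time() * 1000))   # millisecond timestamp bounds the replay window
    nonce = os.urandom(16).hex()        # one-time value, fresh for every request
    sig = hmac.new(key, canonical(method, host, path, ts, nonce), hashlib.sha256).hexdigest()
    return f"HMAC-SHA-256 id={api_id},ts={ts},nonce={nonce},sig={sig}"

class Verifier:
    """Server side: recompute the HMAC with the stored key and reject requests
    that are malformed, from an unknown ID, stale, replayed or tampered with."""
    def __init__(self, keys, window_ms=60_000):
        self.keys = keys              # api_id -> key bytes
        self.window_ms = window_ms
        self.seen_nonces = set()      # replay cache; a real service expires old entries

    def verify(self, auth_header, method, host, path, now_ms=None):
        scheme, _, rest = auth_header.partition(" ")
        try:
            fields = dict(kv.split("=", 1) for kv in rest.split(","))
            ts = int(fields["ts"])
            nonce, sig, key = fields["nonce"], fields["sig"], self.keys[fields["id"]]
        except (KeyError, ValueError):
            return False                # malformed header or unknown API ID
        now_ms = int(time.time() * 1000) if now_ms is None else now_ms
        if scheme != "HMAC-SHA-256" or abs(now_ms - ts) > self.window_ms:
            return False                # wrong scheme or outside the freshness window
        if nonce in self.seen_nonces:
            return False                # replay of an already accepted request
        expected = hmac.new(key, canonical(method, host, path, fields["ts"], nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False                # tampered request or wrong key
        self.seen_nonces.add(nonce)     # accept once, then remember the nonce
        return True
```

Because the nonce is only recorded after a successful check, a forged or stale request cannot burn a nonce that a legitimate client is about to use.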
Prerequisites
You must have API credentials. Veracode highly recommends that you store your API credentials in an API credentials file.
Enable HMAC for the API wrappers
The API wrappers are preconfigured with HMAC signing enabled. After you generate and store your API credentials, you can use the Java or C# wrappers from the command line or in your code. The API wrappers are also the best way to troubleshoot your Veracode environment.
Veracode recommends that you always run the latest version of an API wrapper.
Enable HMAC for using the REST APIs with Java
You can use any of these methods:
- Perform the external signing step on the command line using either the Java or Python tool or the Veracode API wrappers.
- Use one of the Community-provided HMAC implementations.
- Enable HMAC signing within your application.
Enable HMAC for using the XML APIs from the command line
The cURL command-line tool does not support HMAC authentication, so Veracode provides support for the HTTPie command-line tool instead. To use HTTPie and HMAC authentication with the XML APIs:
- Download and install the Python programming language. Veracode recommends Python 3.7 or later. If you already have a recommended version installed, you can skip this step. Otherwise, refer to the Python Wiki for advice on choosing a Python download.
- Install the Python authentication library.
- Download and install the HTTPie command-line tool.
Enable HMAC for Python programs
Complete these tasks:
Enable HMAC for Java programs
Complete these tasks:
Enable HMAC for C# programs
Review the HMAC signing example in C#.