{"id":6295,"library":"veracode-api-signing","title":"Veracode API Signing Library","description":"The `veracode-api-signing` library provides an easy way to sign HTTP requests destined for the Veracode API Gateway using Hash-based Message Authentication Code (HMAC). This is a crucial security measure for authenticating with Veracode's REST and XML APIs. The current version is 26.4.0, and new releases are typically published every few months.","status":"active","version":"26.4.0","language":"en","source_language":"en","source_url":"https://github.com/veracode","tags":["security","api","signing","veracode","hmac","authentication"],"install":[{"cmd":"pip install veracode-api-signing","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Commonly used with `RequestsAuthPluginVeracodeHMAC` for making HTTP requests.","package":"requests","optional":false}],"imports":[{"note":"The authentication plugin is located within the `plugin_requests` submodule, not directly under the top-level package.","wrong":"from veracode_api_signing import RequestsAuthPluginVeracodeHMAC","symbol":"RequestsAuthPluginVeracodeHMAC","correct":"from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC"}],"quickstart":{"code":"import requests\nimport os\nfrom veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC\n\n# Veracode API credentials can be loaded from ~/.veracode/credentials or environment variables.\n# For quickstart, using environment variables for demonstration. 
In production, prefer the credentials file.\napi_id = os.environ.get('VERACODE_API_KEY_ID', '')\napi_key_secret = os.environ.get('VERACODE_API_KEY_SECRET', '')\n\nif not api_id or not api_key_secret:\n    print(\"WARNING: VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET environment variables are not set.\")\n    print(\"Please set them or configure the ~/.veracode/credentials file for successful authentication.\")\n    # Fall back to placeholder values so the example still runs\n    api_id = 'YOUR_MOCK_API_ID'\n    api_key_secret = 'YOUR_MOCK_API_SECRET'\n\n# Base URL for the Veracode REST APIs (US Commercial Region).\n# Adjust for other regions if necessary (e.g., https://api.veracode.eu/appsec/v1)\napi_base = \"https://api.veracode.com/appsec/v1\"\n\ntry:\n    # Make a GET request to an API endpoint, e.g., /applications\n    # The RequestsAuthPluginVeracodeHMAC automatically handles signing the request.\n    response = requests.get(api_base + \"/applications\", auth=RequestsAuthPluginVeracodeHMAC(api_key_id=api_id, api_key_secret=api_key_secret))\n    response.raise_for_status() # Raise an HTTPError for bad responses (4xx or 5xx)\n    print(\"Successfully fetched applications:\")\n    print(response.json())\nexcept requests.exceptions.HTTPError as e:\n    print(f\"HTTP Error: {e.response.status_code} - {e.response.text}\")\nexcept requests.exceptions.RequestException as e:\n    print(f\"An error occurred: {e}\")\n","lang":"python","description":"This quickstart demonstrates how to make an authenticated GET request to the Veracode REST API's `/applications` endpoint using the `veracode-api-signing` library with the popular `requests` library. API credentials are expected to be available as environment variables `VERACODE_API_KEY_ID` and `VERACODE_API_KEY_SECRET`, or alternatively, loaded from a `~/.veracode/credentials` file. 
The `RequestsAuthPluginVeracodeHMAC` automatically signs the request with the provided or discovered credentials."},"warnings":[{"fix":"Generate Veracode API credentials (API ID and Key) and update your code to use HMAC signing via this library or an equivalent method. Ensure your API ID and Key are set as environment variables or in a `~/.veracode/credentials` file.","message":"As of September 2019, Veracode API authentication transitioned from username/password (basic authentication) to API ID and Key (HMAC signing) for XML APIs, and REST APIs have always required HMAC. Any code still using basic authentication will fail.","severity":"breaking","affected_versions":"< 19.9.0 (for XML APIs), all versions for REST APIs without HMAC"},{"fix":"Choose one method for providing credentials (either the file or environment variables) and stick to it. The library will attempt to load from the file first, then environment variables. For programmatic control over multiple accounts, passing `api_key_id` and `api_key_secret` directly to the `RequestsAuthPluginVeracodeHMAC` constructor is an option.","message":"Veracode API credentials should be stored in either a `~/.veracode/credentials` file or as environment variables, but not both simultaneously for the same configuration profile, as this can lead to unpredictable behavior.","severity":"gotcha","affected_versions":"All"},{"fix":"Migrate any automation using the XML Admin API to the Identity REST APIs. Familiarize yourself with the REST API documentation for the relevant endpoints.","message":"The Veracode XML Admin API was deprecated in June 2022 in favor of the Identity REST APIs, with support ending on June 30, 2023. 
While `veracode-api-signing` can still sign requests for XML APIs, new integrations should exclusively target the more modern REST APIs.","severity":"deprecated","affected_versions":"All versions when used with XML Admin API"}],"env_vars":null,"last_verified":"2026-04-14T00:00:00.000Z","next_check":"2026-07-13T00:00:00.000Z","problems":[]}