# Creating and Managing API Credentials in Veracode

## 1. Introduction

An API ID and Secret Key (HMAC credentials) are required in order to make signed requests to Veracode's REST APIs. This guide walks you through creating a **Veracode** Application Security integration.

## 2. Prerequisites

Before you begin, ensure you have:

- Access to the Veracode Platform
- Administrator privileges


## 3. Configure New API Credentials for Integration

### 1. Create an API User

- Log in to Veracode as an Administrator.
- Click the Settings gear in the top right corner and click on **Admin**.
- On the Users tab, click on the **Add New User** on the right.
- Provide the required user fields with the following scope permissions:
#### Roles Required:
| Role | Purpose |
|  --- | --- |
| **Creator or Security Lead** | Required to access the applications data. |
| **Results API** | Required to access the findings data. |
| **Reviewer or Security Lead** | Required to access the findings data. |
- Save the new user and an email will be sent to the entered email.
- Log out of the administrator account, then log in using the newly created API User account.


### 2. Generate API Credentials

- Find the **Welcome to Veracode** email and click on the **Activate Account** button.
- Set up a new password and MFA devices.
- Once you have completed the setup proccess, you will be taken to the API Credentials view.
- Click on the **Create API Credentials** button.
- You will be provided with two options: **HMAC Credentials** and OAuth Client. Go ahead and pick **HMAC Credentials** and click on **Generate**.
- Two values will now be shown:
  - **ID**
  - **Secret Key**
- Copy and store these values in a secure vault for later user.
  - Note: that these values will only be shown once.
- Veracode credentials expire after a fixed period (rotation is required); record the expiration date so you can rotate before it lapses.


### 3. Configure the Integration

Create your integration by supplying all configuration values.

| Integration Parameter | Description |
|  --- | --- |
| Client ID | The **ID** from Step 1. |
| Client Secret | The **Secret Key** from Step 1. |
| Veracode URL | https://api.veracode.com |


### 4. Important Links in Veracode Documentation

- [HMAC Credentials](https://docs.veracode.com/r/HMAC_credentials)
- [Veracode Roles](https://docs.veracode.com/r/c_role_permissions)