Verkada API requests adhere to the same high level of security standards as all Verkada devices. Because requests use HTTPS, connections from client devices to our cloud servers are always encrypted and protected against man-in-the-middle (MITM) attacks. Depending on the client device that initiates the API request, the connection is encrypted with either TLS 1.2 or TLS 1.3. TLS (Transport Layer Security) is an important security protocol which has 3 core purposes:
- Encryption - all data is encrypted using AES 128.
- Data Integrity - ensures that the data has not been tampered with or forged.
- Identity Verification - verifies the identity of both parties involved in the TLS connection.
Users must have a valid API Key and API Token in order to make any Verkada API request. Only org admins can create API Keys, which is done within the Command admin page. Every API Key is valid for a predetermined amount of time, configured when the key is created. API requests made with an expired key result in a 401 - Unauthorized response code.
Although Verkada’s API Keys can have a maximum duration of 20 years, it is recommended to create keys that are valid for no longer than 1 year. Rotating keys every year increases the security of your overall system and reduces security risks.
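
The following added example (not Verkada code) shows one way to audit an organization's key records against the guidance above and to build a client TLS context that refuses anything older than TLS 1.2. The inventory format, key names, dates and the 30-day rotation warning are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_RECOMMENDED = timedelta(days=365)  # page guidance: valid for no longer than 1 year
ROTATE_WARNING = timedelta(days=30)    # assumption: lead time before expiry to rotate


def strict_tls_context():
    """Client context that verifies the server and refuses TLS below 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_key(created, expires, now):
    """Return the findings for one key record (empty list means no action)."""
    findings = []
    if expires <= now:
        findings.append("expired: requests will get 401")
    elif expires - now <= ROTATE_WARNING:
        findings.append("expires soon: rotate now")
    if expires - created > MAX_RECOMMENDED:
        findings.append("lifetime exceeds 1 year")
    return findings


def audit_inventory(keys, now):
    """Map each key name to its findings."""
    return {k["name"]: audit_key(k["created"], k["expires"], now) for k in keys}


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory (hypothetical key names and dates).
NOW = utc(2024, 6, 1)
SAMPLE_KEYS = [
    {"name": "reporting-job", "created": utc(2024, 1, 15), "expires": utc(2025, 1, 14)},
    {"name": "legacy-integration", "created": utc(2020, 3, 1), "expires": utc(2040, 3, 1)},
    {"name": "old-script", "created": utc(2023, 5, 1), "expires": utc(2024, 4, 30)},
    {"name": "door-sync", "created": utc(2023, 7, 1), "expires": utc(2024, 6, 20)},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_KEYS, NOW).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Pass the context from `strict_tls_context()` to whichever HTTPS client you use so that a downgraded or unverified connection fails before any credential is sent.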