Using Legacy API Keys

Starting in November 2024, Verkada has adopted a more rigorous API architecture which uses API Keys and API Tokens to reinforce data security. This new API model allows users to generate API Keys that have unique permission sets, broken down by Product and “Critical Endpoints”. These new granular API Keys, however, cannot directly interact with Verkada’s public APIs. Instead, users need to generate short-lived API Tokens, valid for 30 minutes, that allow them to authenticate at the endpoint level.

However, we understand that users might have built complex applications using Verkada’s legacy API model. To ensure continued support, Legacy Verkada API Keys will still be valid until their existing expiration date. This means that users can still use these keys to interact with Verkada’s Public API endpoints.

API Architecture Migration

Although Verkada will keep supporting Legacy API Keys, we highly recommend that customers migrate their existing API applications to the new and improved API model. This will ensure an added layer of security through the use of scoped API Keys as well as a short-lived token to authenticate to individual endpoints.

The following steps will help users navigate through the new API model to transition their application to the improved authentication structure:

  1. Generate a new API Key using the granular permissions model.
  2. Using the new API Key, call the following endpoint to obtain an API Token: https://api.verkada.com/token
curl --request POST \
     --url https://api.verkada.com/token \
     --header 'x-api-key: XYZ'
  3. The API response will return an API Token in the following format, valid for 30 minutes.
{"token":"v2_api_token"}
  4. Using this API Token, users will now be able to authenticate to Verkada API endpoints to push or retrieve data from Command. When making calls to Verkada API endpoints, users will need to pass the API Token as shown below. Note: the API Token header must be “x-verkada-auth”.
curl --request GET \
     --url https://api.verkada.com/cameras/v1/alerts \
     --header 'accept: application/json' \
     --header 'x-verkada-auth: v2_api_token'

Verkada does not enforce a maximum number of concurrent valid API Tokens. However, we strongly recommend that users reuse existing API Tokens when available instead of generating a new token for each API call.
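
One way to follow the token-reuse recommendation is to cache the API Token and request a new one only shortly before the 30-minute validity ends. The sketch below is an added example, not Verkada code: the TokenCache class, the 60-second refresh margin, and the invalidate() helper are assumptions, while the endpoint, headers, and response format are the ones shown above.

```python
import json
import threading
import time
import urllib.request

TOKEN_URL = "https://api.verkada.com/token"  # token endpoint from the steps above
TOKEN_TTL_SECONDS = 30 * 60                  # validity stated on this page
REFRESH_MARGIN_SECONDS = 60                  # assumption: refresh slightly early


def fetch_token(api_key):
    """POST to the token endpoint with x-api-key and return the token string."""
    req = urllib.request.Request(
        TOKEN_URL, method="POST", headers={"x-api-key": api_key}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]


class TokenCache:
    """Hypothetical helper: hands out one token until it nears expiry."""

    def __init__(self, api_key, fetch=fetch_token, clock=time.monotonic):
        self._api_key = api_key
        self._fetch = fetch
        self._clock = clock
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:
            now = self._clock()
            stale = now >= self._expires_at - REFRESH_MARGIN_SECONDS
            if self._token is None or stale:
                self._token = self._fetch(self._api_key)
                # Count validity from before the request, which is conservative.
                self._expires_at = now + TOKEN_TTL_SECONDS
            return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after an endpoint rejects it."""
        with self._lock:
            self._token = None

    def auth_headers(self):
        """Headers for a Verkada API call, using the cached token."""
        return {"accept": "application/json", "x-verkada-auth": self.get()}
```

Keep the API Key itself out of source code (for example, read it from the environment or a secrets manager) and avoid writing either the key or the token to logs.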