Verkada API requests adhere to the same high security standards as all Verkada devices. Because requests are made over HTTPS, connections from client devices to our cloud servers are always encrypted and protected against man-in-the-middle (MITM) attacks. Depending on the client device initiating the API request, the connection is encrypted with either TLS 1.2 or TLS 1.3. TLS (Transport Layer Security) is a security protocol with three core purposes:
- Encryption - all data is encrypted using AES 128.
- Data Integrity - ensures that the data has not been tampered with or forged.
- Identity Verification - verifies the identity of both parties involved in the TLS connection.

Users must have a valid API key to make any API request. Only org admins can create API keys, which they do from the Command admin page. Users with the proper permissions can create either "Read Only" keys or "Read/Write" keys. "Read Only" keys only allow retrieving data from Command, while "Read/Write" keys also allow users to post data to Command (e.g. create Helix events, create Person of Interest profiles, ...). Additionally, every API key is valid for a predetermined amount of time, configured when the key is created. API requests made with an expired key result in a 401 - Unauthorized response code.
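
The following client-side sketch is an added example, not Verkada's own code. It refuses connections older than TLS 1.2, tracks the key's expiry so rotation happens before requests start failing, and treats a 401 as the expired-key signal described above. The header name, the URL supplied by the caller, the 14-day warning window and the locally recorded expiry date are assumptions.

```python
import ssl
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumption: header name is illustrative, not taken from this page.
API_KEY_HEADER = "x-api-key"

def build_tls_context():
    """Verify the server certificate and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def key_status(expires_at, now=None, warn_window=timedelta(days=14)):
    """Classify a key using the expiry date recorded when it was created."""
    now = now or datetime.now(timezone.utc)
    if now >= expires_at:
        return "expired"
    if expires_at - now <= warn_window:
        return "rotate-soon"
    return "valid"

def interpret_status(http_status):
    """Map a response code to an action; 401 is what an expired key produces."""
    if http_status == 401:
        return "unauthorized: key expired or not accepted, create a new key"
    if 200 <= http_status < 300:
        return "ok"
    return "error"

def call_api(url, api_key, expires_at):
    """GET `url` with the key; skip the request if the key is known expired."""
    if key_status(expires_at) == "expired":
        return interpret_status(401)
    req = urllib.request.Request(url, headers={API_KEY_HEADER: api_key})
    try:
        with urllib.request.urlopen(req, context=build_tls_context(),
                                    timeout=10) as resp:
            return interpret_status(resp.status)
    except urllib.error.HTTPError as err:
        return interpret_status(err.code)
```

Load the key from a secrets store rather than source code, and use a "Read Only" key for integrations that never post data.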