vCommander is a comprehensive GUI application for managing Verkada organizations. It provides an intuitive interface for decommissioning assets, importing users from guest visits, and managing organization resources through both Verkada's public API and internal endpoints.
Caution
The Decommission tool is destructive. It is designed to delete users, devices, sites, and configurations. Once the deletion process begins, it cannot be undone. Always review the inventory carefully before confirming deletion. Do not run this tool in a production environment unless you intend to wipe the organization completely.
- Decommission Tool: Complete asset inventory and deletion workflow
- Add User Tool: Import guest visitors from any Verkada organization as users in your organization
- Commission Tool: (Coming Soon) Add and configure new devices
- Secure Login: Email/password authentication with optional MFA/2FA support
- Session Management: Maintains authenticated session across all tools
- Environment Variable Support: Auto-fill credentials from
.envfile for development
- Hybrid API Architecture: Combines Internal Client (browser emulation) with External Client (Public API) for comprehensive coverage
- Smart Inventory: Automatically deduplicates embedded devices (e.g., cameras in Intercoms)
- Detailed Reporting: Generates formatted reports with export to text files
- Dependency-Aware Deletion: Deletes assets in strict order to prevent API errors
- Selective Deletion: Choose specific assets to delete rather than all-or-nothing
- Cross-Organization Import: Connect to any Verkada organization using API credentials
- Guest Visit Import: Import visitors from Guest sites as organization users
- Date Range Selection: Select specific dates to import visitors from
- Bulk Invitation: Send org admin invitations to multiple users at once
- Live Logging: View application logs in real-time within the GUI
- Progress Tracking: Visual progress indicators for long-running operations
- Status Updates: Current operation displayed during scans and deletions
- Cameras
- Access Controllers
- Environmental Sensors
- Intercoms
- Desk Stations
- Mailroom Sites
- Guest Sites
- Alarm Sites & Alarm Systems
- Alarm Devices
- Users (Admins/Members)
- Python 3.10+
- Network Access: The machine must have access to
*.command.verkada.comandapi.verkada.com - Display: GUI requires a display (Windows, macOS, or Linux with X11/Wayland)
requests>=2.28.0
urllib3>=1.26.0
customtkinter>=5.0.0
python-dotenv>=0.19.0
- Clone the repository:
git clone https://github.com/not-mehul/vCommander
cd vCommander- Set up a Virtual Environment (Recommended):
python -m venv .venv
source .venv/bin/activate # On Windows use: .venv\Scripts\activate- Install Dependencies:
pip install -r requirements.txtCreate a .env file in the project root to auto-fill login credentials:
# Required for login auto-fill
ADMIN_EMAIL=admin@example.com
ADMIN_PASSWORD=your_password
ORG_SHORT_NAME=your-org
SHARD=prod1
# Optional - for Add User tool cross-org import
LEGAL_API_KEY=your_api_key
LEGAL_ORG_SHORT_NAME=source-org| Variable | Required | Description | Default |
|---|---|---|---|
ADMIN_EMAIL |
❌ | Organization admin email (for auto-fill) | - |
ADMIN_PASSWORD |
❌ | Admin password (for auto-fill) | - |
ORG_SHORT_NAME |
❌ | Organization short name/subdomain | - |
SHARD |
❌ | Backend shard | prod1 |
LEGAL_API_KEY |
❌ | API key for Add User tool source org | - |
LEGAL_ORG_SHORT_NAME |
❌ | Source org short name for Add User tool | - |
Note: Environment variables are optional. All credentials can be entered manually in the GUI.
cd gui
python main.py-
Enter your Verkada credentials:
- Email: Your admin email address
- Password: Your password
- Short Name: Organization subdomain (e.g.,
myorgfrommyorg.command.verkada.com) - Shard: Backend shard (usually
prod1)
-
Click Login
-
If MFA is enabled, enter the 6-digit code from your authenticator app
- Scan: Click "Start Scan" to inventory all assets
- Review: Review the discovered assets and category counts
- Select: Click "Select Assets" to choose which items to delete
- Use checkboxes to select individual assets
- Use "Select All" to select everything
- Decommission: Click "Decommission" and confirm
- Monitor: Watch progress as assets are deleted
- Results: View summary of successful and failed deletions
Saving Reports: Click "Save TXT Report" at any time after scanning to export an inventory report.
- Configure: Enter API credentials for the source organization (where guest visits exist)
- Select Site: Choose a site from the list and select a date
- Load: Click "Load" to fetch visitors for that date
- Review: Review the visitor list
- Add Users: Click "Add Users" to invite all visitors as org admins
vCommander/
├── gui/
│ ├── main.py # Application entry point
│ ├── pages/
│ │ ├── login_page.py # Login screen
│ │ ├── two_fa_page.py # MFA verification screen
│ │ └── main_interface.py # Main dashboard with sidebar
│ └── tools/
│ ├── verkada_api_clients.py # API client classes
│ ├── verkada_reporting.py # Report generation
│ ├── verkada_utilities.py # Helper functions
│ ├── decommission.py # Decommission tool UI
│ ├── add_user.py # Add User tool UI
│ └── commission.py # Commission tool (placeholder)
├── requirements.txt
└── README.md
VerkadaInternalAPIClient
- Mimics browser behavior using session cookies and CSRF tokens
- Accesses internal/private APIs for comprehensive device management
- Handles login, MFA verification, and privilege escalation
- Dynamically generates temporary API keys
VerkadaExternalAPIClient
- Uses standard public API endpoints
- Automatic token generation and retry logic
- Used for user management and guest site operations
To prevent dependency errors, the Decommission tool deletes assets in this order:
- Users (Prevents interference)
- Sensors
- Intercoms
- Desk Stations
- Mailroom Sites
- Guest Sites
- Access Controllers
- Cameras
- Alarm Devices
- Alarm Sites (includes Alarm Systems)
- Verify your organization short name is correct (just the subdomain, not the full URL)
- Check that you're using the correct shard (usually
prod1) - If MFA fails, ensure you're entering the code quickly (codes expire)
- Ensure you have Organization Admin privileges
- Check network connectivity to
*.command.verkada.com - Review the console for specific error messages
If you see "Exceeded 10 API Keys Limit":
- Delete old API keys from your Verkada dashboard
- API keys generated by this tool expire after 1 hour automatically
- Credentials are not stored persistently (unless using
.envfile) - API keys are temporary (1-hour expiration)
- MFA is supported and recommended
- The tool requires Organization Admin privileges
- All deletions are permanent and cannot be undone
Special thanks to the following contributors for their work on identifying internal APIs and building initial iterations of these tools:
- Ian Young - Delete Device API Scripts
- Matt Delaney - Org Reset Tool
Important
This software is an unofficial tool and is not supported by Verkada. It uses internal APIs which may change without notice. Use at your own risk. Always test in a non-production environment first. The authors are not responsible for any data loss or damage caused by using this tool.