Security Concepts for Remote Plug-ins

Remote plug-ins typically use the HTTP protocol as a transport for requests, whether using REST or SOAP requests. Authentication methods vary, depending on the target endpoint.

Client-side sessions with REST endpoints are tracked with a session token passed in a custom HTTP header named webClientSessionId. Server-side sessions with SOAP endpoints are tracked with a cookie-based session ID.

A plug-in developer can choose what form of authentication suits the plug-in server component. A best practice is to authenticate by using the session token that the plug-in user interface can get from the client library.

To use the client-side session token, the plug-in server sends the token to a specific REST endpoint of the vsphere-ui service. The vsphere-ui service verifies the authenticating token, and then returns a session clone ticket. The plug-in server uses the clone ticket with the vSphere Web Services API to obtain a SOAP session. The authentication process is described in more detail in Remote Plug-in Server Components for the vSphere Client.
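
The exchange described above, sketched from the plug-in server's side as an added example (not code from the vSphere Client SDK): the header value is treated as untrusted until vsphere-ui has verified it, and every failure ends without a session. `StubVsphereUi` and `StubSessionManager` are constructed stand-ins for the REST endpoint and the Web Services API call, which this page does not name; the single-use clone ticket is an assumption of the stub.

```python
import secrets

HEADER = "webclientsessionid"  # HTTP header names are case-insensitive


class AuthError(Exception):
    """Raised when a request cannot be tied to a verified vSphere Client session."""


class StubVsphereUi:
    """Constructed stand-in for the vsphere-ui REST endpoint that verifies tokens."""

    def __init__(self, live_tokens):
        self.live_tokens = set(live_tokens)
        self.tickets = {}  # clone ticket -> session token it was issued for

    def clone_ticket(self, token):
        if token not in self.live_tokens:
            raise AuthError("session token rejected by vsphere-ui")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = token
        return ticket


class StubSessionManager:
    """Constructed stand-in for the Web Services API call that clones a session."""

    def __init__(self, ui):
        self.ui = ui

    def clone_session(self, ticket):
        # pop() makes the ticket single-use (assumption): a replayed ticket is refused.
        token = self.ui.tickets.pop(ticket, None)
        if token is None:
            raise AuthError("clone ticket unknown or already used")
        return {"soap_session_for": token}


def authenticate(headers, ui, session_manager):
    """Plug-in server side: header token -> clone ticket -> SOAP session, failing closed."""
    # headers is a list of (name, value) pairs so duplicate headers stay visible.
    values = [v for k, v in headers if k.lower() == HEADER]
    if len(values) != 1 or not values[0].strip():
        raise AuthError("expected exactly one webClientSessionId header")
    # The token is client-supplied; it is trusted only after vsphere-ui verifies it.
    ticket = ui.clone_ticket(values[0].strip())
    return session_manager.clone_session(ticket)
```

In a real plug-in server the two stubs are replaced by the HTTPS call to vsphere-ui and the SOAP client, while `authenticate` keeps the same order of checks.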