Authenticating a JSON Client with the Session Manager
Last Updated December 16, 2024

Most method calls must carry a session ID to authenticate with the server at the time of the call. The session ID is a temporary substitute for username and password, thereby limiting risk to the principal's credentials.
To acquire a session ID, you have these options:
  • Invoke the
    SessionManager.
    Login
    method with username and password, exchanging the principal's credentials for a session ID token.
  • Request a SAML token from the vCenter Single-Sign-On server, and use the token to invoke the
    SessionManager.
    LoginByToken
    method, receiving a session ID token in exchange.
After a successful authentication operation with vCenter Server, you extract the session ID token from the HTTP header of the response message. Include the same header in subsequent API request messages.
For example, the response headers might contain lines similar to the following:
content-type: application/json
date: Tue, 14 Aug 2007 13:30:00 GMT
vmware-api-session-id: 0123498765fabdec5263748596071829304100ab
x-envoy-upstream-service-time: 45
The value 
0123498765fabdec5263748596071829304100ab
is the session ID token. Use it in the headers of your API requests, like this:
content-type: application/json
vmware-api-session-id: 0123498765fabdec5263748596071829304100ab