HTTP communications between vCloud Air clients and servers are secured with SSL. In addition to SSL encryption, vCloud Air implements authentication and authorization for secure API access.

vCloud Air implements Basic HTTP authentication, as defined by RFC 2617, which enables a client to authenticate by including an Authorization header in the request. The Authorization header sends a user name and password as basic credentials in MIME Base64 encoding:

Authorization: Basic

The vCloud Air Identity Management Service authenticates the user credentials for Virtual Private Cloud OnDemand and returns an OAuth 2.0 Access token that is signed and formatted using Base64 encoded JSON.


201 Created

Before you can receive an OAuth token in a response, you must log in to Virtual Private Cloud OnDemand using the Web UI and accept the Terms of Service.

The returned OAuth token contains the necessary user attributes, such as user name, user ID, company name, company ID, and user permissions, for API clients to access each functional boundary surfaced by the API and to receive an authorization token from vCloud.

All requests from clients must include the OAuth token the Authorization header:

Authorization: Bearer OAuth_token

After the client authenticates, vCloud Air retrieves a SAML session token (x-vcloud-authorization) and authenticates with the vCloud instance to perform Compute Service operations.

The response codes indicate whether requests succeeded or how they failed. When a request is successful, the server returns HTTP response code 201 Created because logging in to the API requires a POST call. If an Authentication header is missing, the server returns HTTP response code 403. If the credentials supplied in an Authentication header are invalid, or if the token has expired, the server returns HTTP response code 401.


OAuth tokens expire 15 minutes after their issue times (even when API clients are active). You cannot revoke OAuth tokens. If an API client's session terminates and the OAuth token has expired, the client must re-authenticate with a user name and password.