Most method calls must carry a session ID to authenticate with the server at the time of the call. The session ID is a temporary substitute for username and password, thereby limiting risk to the principal's credentials.

To acquire a session ID, you have these options:
  • Invoke the SessionManager.Login method with username and password, exchanging the principal's credentials for a session ID token.
  • Request a SAML token from the vCenter Single-Sign-On server, and use the token to invoke the SessionManager.LoginByToken method, receiving a session ID token in exchange.
After a successful authentication operation with vCenter Server, you extract the session ID token from the HTTP header of the response message. Include the same header in subsequent API request messages.
For example, the response headers might contain lines similar to the following:
content-type: application/json
date: Tue, 14 Aug 2007 13:30:00 GMT
vmware-api-session-id: 0123498765fabdec5263748596071829304100ab
x-envoy-upstream-service-time: 45
The value  0123498765fabdec5263748596071829304100ab is the session ID token. Use it in the headers of your API requests, like this:
content-type: application/json
vmware-api-session-id: 0123498765fabdec5263748596071829304100ab