You must authenticate against Orchestrator in the HTTP requests that you make through the Orchestrator REST API. If you use the Orchestrator REST API to access resources on a third-party system, such as vCenter Server or vRealize Automation, you must authenticate against that system as well.
For example, to access all workflows in the Orchestrator inventory, you must authenticate against Orchestrator. However, to run a workflow against vCenter Server, you must authenticate against Orchestrator and vCenter Server.
Depending on whether you configure Orchestrator with vRealize Automation or vSphere as an authentication provider, the authentication scheme for the Orchestrator REST API is different. If Orchestrator uses vCenter Single Sign-On, depending on your configuration, you can authenticate by using a holder-of-key token issued by the vCenter Single Sign-On server. If Orchestrator is configured with vRealize Automation, you can authenticate through an OAuth bearer access token.
If you make HTTP requests at the top-level URL of the Orchestrator REST API, you do not need to authenticate against Orchestrator. The top level URL of the Orchestrator REST API is https://orchestrator_host:port/vco/api/.
A GET request at the top-level URL of the REST API returns URLs to all resources that are accessible through the API. To make HTTP requests at these URLs, you must authenticate against Orchestrator.