Authorization and Security

Communication between the client and Veeam Backup & Replication REST API is established over HTTPS. To ensure data privacy, unencrypted HTTP is not supported. The client verifies the REST API identity with a server TLS certificate. For details on managing certificates, see TLS Certificate.

Authorization in REST API

Authorization process of the REST API is based on the OAuth 2.0 Authorization Framework and involves obtaining an access token and a refresh token.

  • Access token is a string that represents authorization issued to the client. It must be specified in all requests during the current logon session.
  • Refresh token is a string that represents authorization granted to the client. It is used to obtain a new access token if the current access token expires or becomes lost.

The authorization process involves the following procedures:

  1. Requesting authorization
  2. Using the refresh token
  3. Performing logout

Credentials Lifetime

The access token, refresh token and authorization code have their default lifetime after which they expire. The lifetime starts from the time the authorization response was generated.



Access token

60 minutes

Refresh token

14 days

Authorization code

5 minutes