Authorization and Security
Communication between the client and Veeam Backup & Replication REST API is established over HTTPS. To ensure data privacy, unencrypted HTTP is not supported. The client verifies the REST API identity with a server TLS certificate. For details on managing certificates, see TLS Certificate.
Authorization in REST API
The authorization process of the REST API is based on the OAuth 2.0 Authorization Framework and involves obtaining an access token and a refresh token.
- An access token is a string that represents authorization issued to the client. It must be specified in all requests during the current logon session.
- A refresh token is a string that represents authorization granted to the client. It is used to obtain a new access token if the current access token expires or is lost.
The authorization process involves the following procedures:
The Veeam Backup & Replication REST API has the following default security settings:
- Access token lifetime is 15 minutes.
- Refresh token lifetime is 14 days.
- Authorization code lifetime is 5 minutes.
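The following client-side sketch is an added example, not code from Veeam. It uses the default lifetimes listed above to decide whether a request can reuse the access token, must refresh it first, or needs a full logon. The class name, the 30-second skew margin, and the assumption that each token response carries a new refresh token are hypothetical. The `access_token`, `refresh_token` and `expires_in` fields are the standard OAuth 2.0 token response fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Default lifetimes stated on this page.
ACCESS_TTL = timedelta(minutes=15)
REFRESH_TTL = timedelta(days=14)
# Assumption: act this long before expiry to absorb clock skew and latency.
SKEW = timedelta(seconds=30)


@dataclass
class TokenSession:
    access_token: Optional[str]   # None models a lost access token
    refresh_token: Optional[str]
    issued_at: datetime           # when this token pair was issued
    access_ttl: timedelta = ACCESS_TTL
    refresh_ttl: timedelta = REFRESH_TTL

    @classmethod
    def from_response(cls, body: dict, now: datetime) -> "TokenSession":
        """Build a session from an OAuth 2.0 token response (RFC 6749, 5.1)."""
        ttl = body.get("expires_in")  # seconds; fall back to the page default
        return cls(
            access_token=body["access_token"],
            refresh_token=body.get("refresh_token"),
            issued_at=now,
            access_ttl=timedelta(seconds=int(ttl)) if ttl is not None else ACCESS_TTL,
        )

    def next_action(self, now: datetime) -> str:
        """Return 'use_access_token', 'refresh' or 'reauthenticate'."""
        age = now - self.issued_at
        if self.access_token and age < self.access_ttl - SKEW:
            return "use_access_token"
        if self.refresh_token and age < self.refresh_ttl - SKEW:
            return "refresh"          # access token expired or lost
        return "reauthenticate"       # both tokens unusable: full logon


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample time
    s = TokenSession.from_response(
        {"access_token": "constructed-a", "refresh_token": "constructed-r"}, t0)
    for delta in (timedelta(minutes=5), timedelta(minutes=20), timedelta(days=15)):
        print(delta, "->", s.next_action(t0 + delta))
```

Keep both tokens in memory or a protected secret store only, and build a fresh `TokenSession` from every token response so the issue time stays accurate.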