Authorization and Security
Communication between the client and Veeam Backup & Replication REST API is established over HTTPS. To ensure data privacy, unencrypted HTTP is not supported. The client verifies the REST API identity with a server TLS certificate. For details on managing certificates, see TLS Certificate.
Authorization in REST API
The authorization process of the REST API is based on the OAuth 2.0 Authorization Framework and involves obtaining an access token and a refresh token.
- An access token is a string that represents authorization issued to the client. It must be specified in all requests during the current logon session.
- A refresh token is a string that represents authorization granted to the client. It is used to obtain a new access token if the current access token expires or is lost.
The authorization process involves the following procedures:
Credentials Lifetime
The access token, refresh token and authorization code each have a default lifetime, after which they expire. The lifetime starts from the time the authorization response was generated.
Credential | Lifetime |
---|---|
Access token | 60 minutes |
Refresh token | 14 days |
Authorization code | 5 minutes |
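The following client-side sketch is an added example, not code from the Veeam documentation. It uses the default lifetimes from the table to decide whether to send the access token, refresh it, or run the authorization process again. The names `TokenState`, `Action`, `expired` and `auth_code_usable`, and the 30-second `SKEW` margin, are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Default lifetimes, taken from the table above.
ACCESS_TOKEN_LIFETIME = timedelta(minutes=60)
REFRESH_TOKEN_LIFETIME = timedelta(days=14)
AUTH_CODE_LIFETIME = timedelta(minutes=5)
SKEW = timedelta(seconds=30)  # assumed margin for clock drift and latency


class Action(Enum):
    USE_ACCESS_TOKEN = "send the request with the current access token"
    REFRESH = "obtain a new access token with the refresh token"
    REAUTHENTICATE = "both tokens expired: run the authorization process again"


def expired(issued_at: datetime, lifetime: timedelta, now: datetime) -> bool:
    """Lifetimes count from when the authorization response was generated."""
    return now >= issued_at + lifetime - SKEW


@dataclass(frozen=True)
class TokenState:
    access_token: str = field(repr=False)   # keep secrets out of logs and tracebacks
    refresh_token: str = field(repr=False)
    access_issued_at: datetime
    refresh_issued_at: datetime

    def next_action(self, now: datetime) -> Action:
        if not expired(self.access_issued_at, ACCESS_TOKEN_LIFETIME, now):
            return Action.USE_ACCESS_TOKEN
        if not expired(self.refresh_issued_at, REFRESH_TOKEN_LIFETIME, now):
            return Action.REFRESH
        return Action.REAUTHENTICATE


def auth_code_usable(issued_at: datetime, now: datetime) -> bool:
    return not expired(issued_at, AUTH_CODE_LIFETIME, now)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed issue time
    state = TokenState("ACCESS-SECRET", "REFRESH-SECRET", t0, t0)
    for delta in (timedelta(minutes=10), timedelta(minutes=61), timedelta(days=14)):
        print(delta, "->", state.next_action(t0 + delta).name)
    print(state)  # token strings are not shown
```

Treating a token as expired slightly early means a request is never sent with a credential that lapses in transit.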