Authorization and Security
Communication between the client and Veeam Backup & Replication REST API is established over HTTPS. To ensure data privacy, unencrypted HTTP is not supported. The client verifies the REST API identity with a server TLS certificate. For details on managing certificates, see TLS Certificate.
Authorization in REST API
Veeam Backup & Replication REST API authorization process is based on the OAuth 2.0 Authorization Framework and involves obtaining an access token and a refresh token.
- Access token is a string that represents authorization issued to the client. It must be specified in all requests during the current logon session.
- Refresh token is a string that represents authorization granted to the client. It is used to obtain a new access token if the current access token expires or becomes lost.
The authorization process involves the following procedures:
The Veeam Backup & Replication REST API has the following default security settings:
- Access token lifetime is 15 minutes.
- Refresh token lifetime is 14 days.
- Authorization code lifetime is 5 minutes.