Requesting Authorization

To get access to the REST API resources, the client obtains an access token: a string that denotes the client's access attributes and that must be specified in all requests to the REST API.

To get an access token, send the HTTP POST request to the /api/oauth2/token path.

In the request body, the following parameters must be specified:

  • Grant type: password or authorization_code
  • Credentials matching the grant type

The Veeam Backup & Replication REST API accepts the following authorization grant types:

  • Password grant type — used to get an access token by providing a user name and password.
  • Authorization code grant type — used to get an access token by providing an authorization code. To get an authorization code, send the HTTP POST request to the /api/oauth2/authorization_code path.

Using Password Grant Type

To obtain authorization tokens, send the HTTP POST request to the /api/oauth2/token path.

The request body must contain the grant_type parameter set to password, together with the user credentials of an account created in Veeam Backup & Replication.

A successfully completed operation returns the 200 response code. In the response body, Veeam Backup & Replication returns an access token, its expiration time (in seconds) and a refresh token. Specify the access token in headers of further requests to the Veeam Backup & Replication REST API. The refresh token must be saved locally.


Using Authorization Code Grant Type

You can use the authorization code grant type to delegate data protection operations from Client A to Client B. Authorization code is a temporary code that Client B can exchange for an access token without providing a user name and password. Client B will have the same set of permissions as Client A, which provided the authorization code.

The authorization code expires in 60 seconds.

To get authorization using the Authorization Code grant type, take the following steps:

  1. [Client A] Before you request an authorization code, make sure you have a valid access token. For details, see Using Password Grant Type or Using Refresh Token.
  2. [Client A] To obtain an authorization code, send the HTTP POST request to the /api/oauth2/authorization_code path.

A successfully completed operation returns the 200 response code. In the response body, the REST API returns an authorization code, which can be used by Client B for authorization.

  3. [Client B] To obtain an access token and refresh token, send the HTTP POST request to the /api/oauth2/token path. The request body must contain the grant_type parameter set to authorization_code, together with the authorization code itself.

A successfully completed operation returns the 200 response code. In the response body, the REST API returns an access token, its expiration time (in seconds) and a refresh token. You must specify the access token in headers of further requests to the REST API. To use the refresh token for obtaining another access token, save it locally. For more information, see Using Refresh Token.
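The following client-side helper is an added example, not code from Veeam or from the original page. It covers both the password and the authorization code grant: it builds the token request body, enforces the 60-second code lifetime on Client B, and saves the refresh token in an owner-only file. The field names (username, password, code, access_token, expires_in, refresh_token) and the Bearer header scheme are assumptions taken from RFC 6749 and RFC 6750, and the sample response is constructed.

```python
import json
import os
import time
from urllib.parse import urlencode

TOKEN_PATH = "/api/oauth2/token"   # path given on this page
AUTH_CODE_TTL = 60                 # seconds; lifetime stated on this page

# Credential fields per grant type. Field names follow RFC 6749 (assumption).
GRANT_FIELDS = {"password": ("username", "password"),
                "authorization_code": ("code",)}

def token_request_body(grant_type, **creds):
    """Form-encoded body for POST TOKEN_PATH; rejects unknown grants and missing fields."""
    if grant_type not in GRANT_FIELDS:
        raise ValueError(f"unsupported grant type: {grant_type}")
    missing = [f for f in GRANT_FIELDS[grant_type] if not creds.get(f)]
    if missing:
        raise ValueError(f"missing credentials: {missing}")
    fields = {"grant_type": grant_type}
    fields.update({f: creds[f] for f in GRANT_FIELDS[grant_type]})
    return urlencode(fields)

def code_still_valid(issued_at, now=None):
    """Client B check: is the authorization code inside its 60-second lifetime?"""
    now = time.time() if now is None else now
    return 0 <= now - issued_at < AUTH_CODE_TTL

def parse_token_response(raw, now=None):
    """Extract the tokens and turn the relative lifetime into an absolute expiry."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    return {"access_token": data["access_token"],
            "refresh_token": data["refresh_token"],
            "expires_at": now + int(data["expires_in"])}

def save_refresh_token(path, token):
    """Store the refresh token in a file only the owner can read (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)
    os.chmod(path, 0o600)  # tighten a pre-existing file too

def auth_header(access_token):
    """Header for later API calls; the Bearer scheme is an assumption."""
    return {"Authorization": f"Bearer {access_token}"}

# Constructed sample response, not captured from a real server.
SAMPLE = '{"access_token": "AT-example", "expires_in": 900, "refresh_token": "RT-example"}'
```

Because the code carries Client A's full set of permissions, pass it to Client B over a protected channel and keep both the code and the tokens out of logs.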


Page updated 3/11/2024

Page content applies to build 12.3.1.1139