Requesting Authorization

In this article

    The Veeam Backup for AWS REST API accepts the following grant types to authenticate a Veeam Backup for AWS user:

    You can configure single sign-on (SSO) settings in Veeam Backup for AWS and retrieve user identities from your identity provider. To authenticate a user retrieved from the identity provider, the Veeam Backup for AWS REST API uses single sign-on authorization. For more information on configuring SSO settings, see Identity Provider or the Veeam Backup for AWS User Guide, section Configuring SSO Settings.

    Using Password Grant Type

    To obtain authorization tokens, a user sends the HTTP POST request to the api/v1/token endpoint.

    The request body must contain the grant_type parameter with the specified password value and the credentials of a user created in Veeam Backup for AWS. For more information on how to create users, see User Accounts or the Veeam Backup for AWS User Guide, section Adding User Accounts.

    A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for AWS returns an access token, its expiration time (in seconds) and a refresh token. The user inserts the access token in headers of further requests to the Veeam Backup for AWS REST API. The refresh token must be saved locally.

    To learn how to authorize your access using the Password grant type, see Example [Password]. Alternatively, you can use the Swagger UI.

    Using MFA Grant Type

    Note

    MFA is disabled by default. To learn how to enable MFA, see Multi-Factor Authentication or the Veeam Backup for AWS User Guide, section Configuring Multi-Factor Authentication.

    If multi-factor authentication (MFA) is enabled for a user, the user must first obtain an mfa token, and then get authorization tokens.

    1. To obtain an mfa token, the user sends the HTTP POST request to the api/v1/token endpoint. The request body must contain the grant_type parameter with the specified password value and the credentials of the user.

    A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for AWS returns an mfa token.

    1. To obtain an access token and a refresh token, the user must send another HTTP POST request to the api/v1/token endpoint. The request body must contain the grant_type parameter with the specified mfa value, the mfa token previously received from the authorization server, and the verification code generated by the authentication application running on the trusted device.

    A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for AWS returns an access token, its expiration time (in seconds) and a refresh token. The user inserts the access token in headers of further requests to the Veeam Backup for AWS REST API. The refresh token must be saved locally.

    To learn how to authorize your access using the MFA grant type, see Example [MFA]. Alternatively, you can use the Swagger UI.

    Using Authorization Code Grant Type

    To get authorization using the Authorization Code grant type, a user must first obtain an authorization code, and then get authorization tokens.

    1. To obtain the authorization code, an authorized user sends the HTTP POST request to the api/v1/token/authorization_code endpoint.

    A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for AWS returns an authorization code, which can be used by another user or client application to get authorization in the Veeam Backup for AWS REST API.

    Note

    By default, the Veeam Backup for AWS authorization code expires in 60 seconds. To change the authorization code lifetime, see Configuring Security Settings.

    1. To obtain an access token and a refresh token, a user or client application sends the HTTP POST request to the api/v1/token endpoint. The request body must contain the grant_type parameter with the specified authorization_code value and the authorization code previously issued by the authorization server.

    A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for AWS returns an access token, its expiration time (in seconds) and a refresh token. The user inserts the access token in headers of further requests to the Veeam Backup for AWS REST API. The refresh token must be saved locally.

    To learn how to authorize your access using the Authorization Code grant type, see Example [Authorization Code]. Alternatively, you can use the Swagger UI.

    Using Single Sign-On

    To get authorization using single sign-on, a user must first obtain a SSO URL that will be used to log in to the identity provider portal, and then get authorization tokens.

    1. To obtain the SSO URL, a user sends the HTTP GET request to the api/v1/identityProvider/signOnUrl endpoint. The userName query parameter must be sent as part of the URL. Use the question mark (?) to separate the parameter from the endpoint.

    A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for AWS returns the SSO URL, which must be used to authenticate the user on the identity provider portal and obtain a SAML response from the identity provider.

    1. To obtain a SAML response, the user sends HTTP POST requests to the SSO URL obtained from the Veeam Backup for AWS authorization server. The request body must contain the credentials of the user in the format accepted by the identity provider.

    A successfully completed operation returns the SAML response that must be passed to the Veeam Backup for AWS REST API.

    1. To obtain an access token and a refresh token, a user sends the HTTP POST request to the api/v1/identityProvider/token endpoint. The request body must contain the SamlResponse parameter with the specified SAML response value previously issued by the identity provider server.

    A successfully completed operation returns the 200 response code. In the response body, Veeam Backup for AWS returns an access token, its expiration time (in seconds) and a refresh token. The user inserts the access token in headers of further requests to the Veeam Backup for AWS REST API. The refresh token must be saved locally.

    To learn how to authorize your access using single sign-on, see Example [Single Sign-On]. Alternatively, you can use the Swagger UI.

    Requesting AuthorizationExample [Password]

    To obtain an access token and a refresh token, a user sends the HTTP POST request to the api/v1/token endpoint. In the x-api-version header, the user specifies the current revision of the Veeam Backup for AWS REST API.

    In the request body, the user specifies the following parameters:

    • grant_type — the password value must be specified for this parameter.
    • username and password — credentials used to access the server; in this example, administrator and Password1 are used.

    Request:

    POST https://127.0.0.1:11005/api/v1/token

     

    Request Header:

    x-api-version:1.2-rev0

     

    Request Body:

    grant_type=password&username=administrator&password=Password1

    The server sends a response in the following format.

    Response:

    200

    Response Body:

    {

     "access_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjQ2MDU0QjExNTE3Njk0QzAxN0IyRTE2MTQyNURCRDM1QkNGNzY3NkQiLCJ0eXAiOiJKV1QifQ.eyJ1bmlxdWVfbmFtZSI6InVzZXIiLCJuYmYiOjE1ODYyNTUzNzksImV4cCI6MTU4NjI1NjI3OSwiaWF0IjoxNTg2MjU1Mzc5LCJhdWQiOiJhY2Nlc3MifQ.kOCwrbf6BErst5X-ZOK5zSVH9htMN5GJpPkE1MScDM08iHrF4vPZaGGlHGZzvLu6eJmzyM-GA9zG5QAoPQcQCxzhUf4btj6JvUd1thz3BgfSfCvDh_nQUG-WQ5dAkeOL8M7sze6nlHRDJDg1b7D2Ev7BsFg41ip24drWl2wyebZVZXBOwpIsD7rbX1fJW3FHfvEMyes7h8gWruHtqc-6uJnMuA7YJc706rlXHf6wgpLJAaW2qRAwtBUpE6kib9odU58Hc2aS5QqQBwwKX6hTI3ZbBDg_B5KW6xL7rRIMbtTgdEhbDn41WMPhINS9yAFf7sKvdsofStPX31H0Mt1eOg",

     "token_type": "bearer",

     "refresh_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjQ2MDU0QjExNTE3Njk0QzAxN0IyRTE2MTQyNURCRDM1QkNGNzY3NkQiLCJ0eXAiOiJKV1QifQ.eyJ1bmlxdWVfbmFtZSI6InVzZXIiLCJ0b2tlbl9pZCI6ImQ5ZDhiN2RlLWIwYjUtNDc1Yi04ZTE4LTU4ZGMzMzVmOWIzNSIsInNob3J0X3Rlcm1fZXhwaXJhdGlvbiI6IkZhbHNlIiwibmJmIjoxNTg2MjU1Mzc5LCJleHAiOjE1ODc0NjQ5NzksImlhdCI6MTU4NjI1NTM3OSwiYXVkIjoicmVmcmVzaCJ9.1R2vkCTmAx28mBg21vq61SYTzZN-wCLyG8SjL3iMofuhUKeZ2oRMNlOSTqZ7v-FxvMTXMIVXBw9WRDIjxMzr182K9E26UcblcUa0Gp8o0fNeCKF_pN0WwYx77Ewzedl9bUmY5rlseOjTU-dQNp-G51mGfn4dU4pEaCxFkX9NCGuJqr4Q9NedoyGXNW6PuAm8gwQnOQjLPWmCzkpaBGZMda41osPyq1bKIL6Be7cen1StTKjiU86OzM1sjIOgG3-hZnfKW5ZyO_fLb-nLeRrOuR65f9peJE3WgVFrmWm0MAtxvPCAq99Nutek2ssI2byNzxc1-hOeD-oZrwm-725G8g",

     "expires_in": 3600,

     ".issued": "2020-06-12T10:29:39",

     ".expires": "2020-06-12T10:44:39",

     "username": "administrator"

    }

    Requesting AuthorizationExample [MFA]

    To access the REST API when MFA is enabled, a user must do the following:

    1. To obtain an mfa token, the user sends the HTTP POST request to the api/v1/token endpoint. In the x-api-version header, the user specifies the current revision of the Veeam Backup for AWS REST API.

    In the request body, the user specifies the following parameters:

    • grant_type — the password value must be specified for this parameter.
    • username and password — credentials used to access the server; in this example, administrator and Password1 are used.

    Request:

    POST https://127.0.0.1:11005/api/v1/token

     

    Request Header:

    x-api-version:1.2-rev0

     

    Request Body:

    grant_type=password&username=administrator&password=Password1

    The server sends a response in the following format.

    Response:

    200

    Response Body:

    {

     "username": "administrator",

     "mfa_enabled": true,

     "mfa_token": "NkZFMzc4RjA4NzJCQzk1QjU3NTY1Mzc2RTU1MjVCODkzOThDQjdGODMzNDVDMEY0QUZGRTIzMjZFQTNDQ0QxRg=="

    }

    1. To obtain an access token and a refresh token, the user sends the HTTP POST request to the api/v1/token endpoint. In the x-api-version header, the user specifies the current revision of the Veeam Backup for AWS REST API.

    In the request body, the user specifies the following parameters:

    • grant_type — the mfa value must be specified for this parameter.
    • mfa_token — the mfa token previously received from the authorization server.
    • mfa_code — the six-digit verification code generated by the authentication application running on the trusted device.

    Request:

    POST https://127.0.0.1:11005/api/v1/token

     

    Request Header:

    x-api-version:1.2-rev0

     

    Request Body:

    grant_type=mfa&mfa_token=NkZFMzc4RjA4NzJCQzk1QjU3NTY1Mzc2RTU1MjVCODkzOThDQjdGODMzNDVDMEY0QUZGRTIzMjZFQTNDQ0QxRg==&mfa_code=346816

    The server sends a response in the following format.

    Response:

    200

    Response Body:

    {

     "access_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjQ2MDU0QjExNTE3Njk0QzAxN0IyRTE2MTQyNURCRDM1QkNGNzY3NkQiLCJ0eXAiOiJKV1QifQ.eyJ1bmlxdWVfbmFtZSI6InVzZXIiLCJuYmYiOjE1ODYyNTUzNzksImV4cCI6MTU4NjI1NjI3OSwiaWF0IjoxNTg2MjU1Mzc5LCJhdWQiOiJhY2Nlc3MifQ.kOCwrbf6BErst5X-ZOK5zSVH9htMN5GJpPkE1MScDM08iHrF4vPZaGGlHGZzvLu6eJmzyM-GA9zG5QAoPQcQCxzhUf4btj6JvUd1thz3BgfSfCvDh_nQUG-WQ5dAkeOL8M7sze6nlHRDJDg1b7D2Ev7BsFg41ip24drWl2wyebZVZXBOwpIsD7rbX1fJW3FHfvEMyes7h8gWruHtqc-6uJnMuA7YJc706rlXHf6wgpLJAaW2qRAwtBUpE6kib9odU58Hc2aS5QqQBwwKX6hTI3ZbBDg_B5KW6xL7rRIMbtTgdEhbDn41WMPhINS9yAFf7sKvdsofStPX31H0Mt1eOg",

     "token_type": "bearer",

     "refresh_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjQ2MDU0QjExNTE3Njk0QzAxN0IyRTE2MTQyNURCRDM1QkNGNzY3NkQiLCJ0eXAiOiJKV1QifQ.eyJ1bmlxdWVfbmFtZSI6InVzZXIiLCJ0b2tlbl9pZCI6ImQ5ZDhiN2RlLWIwYjUtNDc1Yi04ZTE4LTU4ZGMzMzVmOWIzNSIsInNob3J0X3Rlcm1fZXhwaXJhdGlvbiI6IkZhbHNlIiwibmJmIjoxNTg2MjU1Mzc5LCJleHAiOjE1ODc0NjQ5NzksImlhdCI6MTU4NjI1NTM3OSwiYXVkIjoicmVmcmVzaCJ9.1R2vkCTmAx28mBg21vq61SYTzZN-wCLyG8SjL3iMofuhUKeZ2oRMNlOSTqZ7v-FxvMTXMIVXBw9WRDIjxMzr182K9E26UcblcUa0Gp8o0fNeCKF_pN0WwYx77Ewzedl9bUmY5rlseOjTU-dQNp-G51mGfn4dU4pEaCxFkX9NCGuJqr4Q9NedoyGXNW6PuAm8gwQnOQjLPWmCzkpaBGZMda41osPyq1bKIL6Be7cen1StTKjiU86OzM1sjIOgG3-hZnfKW5ZyO_fLb-nLeRrOuR65f9peJE3WgVFrmWm0MAtxvPCAq99Nutek2ssI2byNzxc1-hOeD-oZrwm-725G8g",

     "expires_in": 3600,

     ".issued": "2020-06-12T10:29:39",

     ".expires": "2020-06-12T10:44:39"

    }

    Requesting AuthorizationExample [Authorization Code]

    To access the REST API using an authorization code, a user must do the following:

    1. To obtain an authorization code, an authorized user sends the HTTP POST request to the api/v1/token/authorization_code endpoint. In the x-api-version header, the user specifies the current revision of the Veeam Backup for AWS REST API, in the Authorization header — currently valid access token in the Bearer <access_token> format.

    Request:

    POST https://127.0.0.1:11005/api/v1/token/authorization_code

     

    Request Header:

    x-api-version:1.2-rev0

    Authorization:Bearer eyJhbGciOiJSUzUxMiIsImtpZCI6IjQ2MDU0QjExNTE3Njk0QzAxN0IyRTE2MTQyNURCRDM1QkNGNzY3NkQi-LCJ0eXAiOiJKV1QifQ.eyJ1bmlxdWVfbmFtZSI6InVzZXIiLCJuYmYiOjE1ODYyNTUzNzksImV4cCI6MTU4NjI1NjI3OSwiaWF0IjoxNTg2MjU1Mzc5LCJhdWQiOiJhY2Nlc3MifQ.kOCwrbf6BErst5X-ZOK5zSVH9htMN5GJpPkE1MScDM08iHrF4vPZaGGlHGZzvLu6eJmzyM-GA9zG5QAoPQcQCxzhUf4btj6JvUd1thz3BgfSfCvDh_nQUG-WQ5dAkeOL8M7sze6nlHRDJDg1b7D2Ev7BsFg41ip24drWl2wyebZVZXBOwpIsD7rbX1fJW3FHfvEMyes7h8gWruHtqc-6uJnMuA7YJc706rlXHf6wgpLJAaW2qRAwtBUpE6kib9odU58Hc2aS5QqQBwwKX6hTI3ZbBDg_B5KW6xL7rRIMbtTgdEhbDn41WMPhINS9yAFf7sKvdsofStPX31H0Mt1eOg

    The server sends a response in the following format.

    Response:

    200

    Response Body:

    {

     "code": "AAEAAJO1R+DANfH7JDlyUzDVYGDw+77dyaa0mFu8nozvbOreW31Uu1X+mejLUilSp6nBrhcmv9/LTjAjMz3P+grbg1OATjZN7kZ5XbhenJG7DrVUtvpA6h5aDmma8INsMv6xW7+TmcOUNlK65n2J2/rQCjg80rMOSjlpnkQkX2s+tXOxkX+h/GTRSdxCulLhn69Rj+8Qvmh3+h8c3g+RVnhfSWwfxVR1+sFtViNQwQzI3hBRvxivb9IZo9WSYgtDJc8816OrUrIn26h71jYm6WfYn3ZiMp/VkABHqvqAsIMuKD1Xat9lnQyxARc1ZU9suM7Ivd5I7Ew51vMMPhXMetchrGkIAAAAWccK8uTa1wg="

    }

    1. To obtain an access token and a refresh token, the user sends the HTTP POST request to the api/v1/token endpoint. In the x-api-version header, the current revision of the Veeam Backup for AWS REST API must be specified.

    In the request body, the user specifies the following parameters:

    • grant_type — the authorization_code value must be specified for this parameter.
    • code — the authorization code previously issued by the authorization server.

    Request:

    POST https://127.0.0.1:11005/api/v1/token

     

    Request Header:

    x-api-version:1.2-rev0

     

    Request Body:

    grant_type=authorization_code&code=AAEAAJO1R+DANfH7JDlyUzDVYGDw+77dyaa0mFu8nozvbOreW31Uu1X+mejLUilSp6nBrhcmv9/LTjAjMz3P+grbg1OATjZN7kZ5XbhenJG7DrVUtvpA6h5aDmma8INsMv6xW7+TmcOUNlK65n2J2/rQCjg80rMOSjlpnkQkX2s+tXOxkX+h/GTRSdxCulLhn69Rj+8Qvmh3+h8c3g+RVnhfSWwfxVR1+sFtViNQwQzI3hBRvxivb9IZo9WSYgtDJc8816OrUrIn26h71jYm6WfYn3ZiMp/VkABHqvqAsIMuKD1Xat9lnQyxARc1ZU9suM7Ivd5I7Ew51vMMPhXMetchrGkIAAAAWccK8uTa1wg=

    The server sends a response in the following format.

    Response:

    200

    Response Body:

    {

     "access_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjQ2MDU0QjExNTE3Njk0QzAxN0IyRTE2MTQyNURCRDM1QkNGNzY3NkQiLCJ0eXAiOiJKV1QifQ.eyJ1bmlxdWVfbmFtZSI6InVzZXIiLCJuYmYiOjE1ODYyNjQxNjAsImV4cCI6MTU4NjI2NTA2MCwiaWF0IjoxNTg2MjY0MTYwLCJhdWQiOiJhY2Nlc3MifQ.TbUBFfPcZ1qYARjCindWw3GK-aVtScd5Aej-AuaYGf833EPZtQYj0wI5VI6Nk2vl8ekaUKcAKE-RgAgi3qPjlscBoIXaptgJOVMCZgbVaacLEkiPANvsHh9ZZYtQnIzA9NrAXnnBlGxvxWae2n_YlySTiywYIyy-PSscHg7v4K-QOlYYKcUBSub3wnKSHcAlFN_JsU20YmDh0fOUsgpzFQZBLf9uNBdubgCpejywGrMYLHoTDZpDvERelwLw_y-hsrWoHTbVfnExkHBzpV0zX3Hc_I-hHiikykRrafx2UWfdD3RNqb7Qx6XnwKJz7TfkWS9XnWv5zDAK23V1KjWp0g",

     "token_type": "bearer",

     "refresh_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjQ2MDU0QjExNTE3Njk0QzAxN0IyRTE2MTQyNURCRDM1QkNGNzY3NkQiLCJ0eXAiOiJKV1QifQ.eyJ1bmlxdWVfbmFtZSI6InVzZXIiLCJ0b2tlbl9pZCI6IjQwZTA4ZmJmLTIwYjYtNGM2NS05YjQ4LWQzZTM4NTk5OTBmMCIsInNob3J0X3Rlcm1fZXhwaXJhdGlvbiI6IkZhbHNlIiwibmJmIjoxNTg2MjY0MTYwLCJleHAiOjE1ODc0NzM3NjAsImlhdCI6MTU4NjI2NDE2MCwiYXVkIjoicmVmcmVzaCJ9.ilRxFQN9NGxbBlIuJGseZf3Y_5L_wTAJIv13LdJ0-neP9jmWB5_ar9tvlcOxCafVA1xpZgZLRjwqyOklTEAt6YgxFXzzT4Sjgl347x3YuYLneQfs-yTdbs3ifGGnLWFArxcXqkDRf4jDItULIfBSSk47hZ9xYVIniDQw7wxZ_nBoQbx4Grrxb1BRFCtcMBXBVN6AfDK3-57a0_m8UyeeJMop9m946hznU6pvIl8d1ZJdgPVo6ZJzW36qHdMxr-Gq086CS5BT4NOMrRiYw1tS8rxA9q58eMDHvK1HlzkqBxEusqdPDNx3riB2FRJOn9fQGY_l7DACD2c-Y0pTGI2NCA",

     "expires_in": 3600,

     ".issued": "2020-04-12T12:56:00",

     ".expires": "2020-04-12T13:11:00"

    }

    Requesting AuthorizationExample [Single Sign-On]

    To access the REST API using SSO, a user must do the following:

    1. To obtain SSO URL, a user sends the HTTP GET request to the api/v1/identityProvider/signOnUrl endpoint. In the x-api-version header, the user specifies the current revision of the Veeam Backup for AWS REST API. The name of the user must be specified as a value of the userName query parameter.

    Request:

    POST https://127.0.0.1:11005/api/v1/identityProvider/signOnUrl?userName=sara_baker@companymail.com

     

    Request Header:

    x-api-version:1.2-rev0

    The server sends a response in the following format.

    Response:

    200

    Response Body:

    {

    "redirectToUrl": "https://company.companymail.com/adfs/ls/?SAMLRequest=lJExb4MwEIX%2FCvJ%2BGJMAsQWoiVClSG2HJsrQBRnjKLRgpz6jVvn1JTRDhw7tdnr3nt6nu3w9%2BpN51u%2BjRh9sq4LUacNb1iyX0KqMw1K2KXCuOKyOR56lSaR5lpHgoB121hQkDiMSbBFHvTXopfGTFMURMAZxumepiFYiYS8kqKaGzkg%2Fp07en1FQqlUMC2ARAw5ssQrtBfzkg9YOsjNhb5XsqWyPSHukJLi3TukZuSDejZoEn0NvsCCjM8JK7FAYOWgUXond%2BvFBTHTi7Ky3yvakzGdO95eQRNTuykrK%2FaaqD5t6Rk2AZQxYMtHGi1DZ4Tx6DSyUg7xYIz%2FwquX0u6fMd2PzqpX%2FZ2H%2BNG23VYnSybqRb9rd%2FXaXnN58Ob31TNPPf5ZfAAAA%2F%2F8DAA%3D%3D"

    }

    1. To obtain a SAML response from the identity provider, the user sends the HTTP POST request to the SSO URL.

    In the request body, the user specifies user credentials in the format accepted by the identity provider. The Content-Type header value must be specified. By default, the content type value of the authorization request is x-www-form-urlencoded.

    Request:

    POST https://company.companymail.com/adfs/ls/?SAMLRequest=lJExb4MwEIX%2FCvJ%2BGJMAsQWoiVClSG2HJsrQBRnjKLRgpz6jVvn1JTRDhw7tdnr3nt6nu3w9%2BpN51u%2BjRh9sq4LUacNb1iyX0KqMw1K2KXCuOKyOR56lSaR5lpHgoB121hQkDiMSbBFHvTXopfGTFMURMAZxumepiFYiYS8kqKaGzkg%2Fp07en1FQqlUMC2ARAw5ssQrtBfzkg9YOsjNhb5XsqWyPSHukJLi3TukZuSDejZoEn0NvsCCjM8JK7FAYOWgUXond%2BvFBTHTi7Ky3yvakzGdO95eQRNTuykrK%2FaaqD5t6Rk2AZQxYMtHGi1DZ4Tx6DSyUg7xYIz%2FwquX0u6fMd2PzqpX%2FZ2H%2BNG23VYnSybqRb9rd%2FXaXnN58Ob31TNPPf5ZfAAAA%2F%2F8DAA%3D%3D

     

    Request Header:

    x-api-version:1.2-rev0

    Content-Type:x-www-form-urlencoded

     

    Request Body:

    {

     "UserName": "sara_baker@oz-test-domain.local",

     "Password": "Admin345Dept01"

    }

    The server sends a response in the following format.

    Response:

    200

    Response Body:

    {

     "name": "SAMLResponse",

     "value": "PHNhbWxwOlJlc3BvbnNlIElEPSJfNDMyNDQ5YTItYjNiMi00M2U4LTk5MmItMTI1MGY0MWJjYjQ5IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAyMC0xMS0yNVQxMTozMjo1OS40NzBaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9lYzItMzUtMTcxLTE1OS0xMjMuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20vYXBpL3YxL3NhbWwyIiBDb25zZW50PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y29uc2VudDp1bnNwZWNpZmllZCIgSW5SZXNwb25zZVRvPSJfMGNiZTg2M2YtNTViYS00ODM0LWEzMTUtY2NkMWFhOTgyYjI1IiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vZWMyLTMtMTAxLTktMTM4Lm96LXRlc3QtZG9tYWluLmxvY2FsL2FkZnMvc2VydmljZXMvdHJ1c3Q8L0lzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiIC8+PC9zYW1scDpTdGF0dXM+PEFzc2VydGlvbiBJRD0iXzdiYjNlZjc2LTZiZTgtNDE0OS1iZTg5LTEzNTcwMGM3OGQ5MiIgSXNzdWVJbnN0YW50PSIyMDIwLTExLTI1VDExOjMyOjU5LjQ3MFoiIFZlcnNpb249IjIuMCIgeG1sbnM9InVybjpv="

    }

    1. To obtain an access token and a refresh token, the user sends the HTTP POST request to the api/v1/identityProvider/token endpoint. In the x-api-version header, the current revision of the Veeam Backup for AWS REST API must be specified.

    In the request body, the user specifies the SamlResponse parameter — the SAML response value obtained from the identity provider server.

    Request:

    POST https://127.0.0.1:11005/api/v1/identityProvider/token

     

    Request Header:

    x-api-version:1.2-rev0

     

    Request Body:

    SamlResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfNDMyNDQ5YTItYjNiMi00M2U4LTk5MmItMTI1MGY0MWJjYjQ5IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAyMC0xMS0yNVQxMTozMjo1OS40NzBaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9lYzItMzUtMTcxLTE1OS0xMjMuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20vYXBpL3YxL3NhbWwyIiBDb25zZW50PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y29uc2VudDp1bnNwZWNpZmllZCIgSW5SZXNwb25zZVRvPSJfMGNiZTg2M2YtNTViYS00ODM0LWEzMTUtY2NkMWFhOTgyYjI1IiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vZWMyLTMtMTAxLTktMTM4Lm96LXRlc3QtZG9tYWluLmxvY2FsL2FkZnMvc2VydmljZXMvdHJ1c3Q8L0lzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiIC8+PC9zYW1scDpTdGF0dXM+PEFzc2VydGlvbiBJRD0iXzdiYjNlZjc2LTZiZTgtNDE0OS1iZTg5LTEzNTcwMGM3OGQ5MiIgSXNzdWVJbnN0YW50PSIyMDIwLTExLTI1VDExOjMyOjU5LjQ3MFoiIFZlcnNpb249IjIuMCIgeG1sbnM9InVybjpv=

    The server sends a response in the following format.

    Response:

    200

    Response Body:

    {

     "access_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjQ2MDU0QjExNTE3Njk0QzAxN0IyRTE2MTQyNURCRDM1QkNGNzY3NkQiLCJ0eXAiOiJKV1QifQ.eyJ1bmlxdWVfbmFtZSI6InVzZXIiLCJuYmYiOjE1ODYyNjQxNjAsImV4cCI6MTU4NjI2NTA2MCwiaWF0IjoxNTg2MjY0MTYwLCJhdWQiOiJhY2Nlc3MifQ.TbUBFfPcZ1qYARjCindWw3GK-aVtScd5Aej-AuaYGf833EPZtQYj0wI5VI6Nk2vl8ekaUKcAKE-RgAgi3qPjlscBoIXaptgJOVMCZgbVaacLEkiPANvsHh9ZZYtQnIzA9NrAXnnBlGxvxWae2n_YlySTiywYIyy-PSscHg7v4K-QOlYYKcUBSub3wnKSHcAlFN_JsU20YmDh0fOUsgpzFQZBLf9uNBdubgCpejywGrMYLHoTDZpDvERelwLw_y-hsrWoHTbVfnExkHBzpV0zX3Hc_I-hHiikykRrafx2UWfdD3RNqb7Qx6XnwKJz7TfkWS9XnWv5zDAK23V1KjWp0g",

     "token_type": "bearer",

     "refresh_token": "eyJhbGciOiJSUzUxMiIsImtpZCI6IjQ2MDU0QjExNTE3Njk0QzAxN0IyRTE2MTQyNURCRDM1QkNGNzY3NkQiLCJ0eXAiOiJKV1QifQ.eyJ1bmlxdWVfbmFtZSI6InVzZXIiLCJ0b2tlbl9pZCI6IjQwZTA4ZmJmLTIwYjYtNGM2NS05YjQ4LWQzZTM4NTk5OTBmMCIsInNob3J0X3Rlcm1fZXhwaXJhdGlvbiI6IkZhbHNlIiwibmJmIjoxNTg2MjY0MTYwLCJleHAiOjE1ODc0NzM3NjAsImlhdCI6MTU4NjI2NDE2MCwiYXVkIjoicmVmcmVzaCJ9.ilRxFQN9NGxbBlIuJGseZf3Y_5L_wTAJIv13LdJ0-neP9jmWB5_ar9tvlcOxCafVA1xpZgZLRjwqyOklTEAt6YgxFXzzT4Sjgl347x3YuYLneQfs-yTdbs3ifGGnLWFArxcXqkDRf4jDItULIfBSSk47hZ9xYVIniDQw7wxZ_nBoQbx4Grrxb1BRFCtcMBXBVN6AfDK3-57a0_m8UyeeJMop9m946hznU6pvIl8d1ZJdgPVo6ZJzW36qHdMxr-Gq086CS5BT4NOMrRiYw1tS8rxA9q58eMDHvK1HlzkqBxEusqdPDNx3riB2FRJOn9fQGY_l7DACD2c-Y0pTGI2NCA",

     "expires_in": 3600,

     ".issued": "2020-04-12T12:56:00",

     ".expires": "2020-04-12T13:11:00"

    }