HTTP communications between vCloud Air clients and servers are secured with SSL. In addition to SSL encryption, vCloud Air implements authentication and authorization for secure API access.
vCloud Air implements Basic HTTP authentication, as defined by RFC 2617, which enables a client to authenticate by including an Authorization header in the request. The Authorization header sends a user name and password as basic credentials in MIME Base64 encoding:
Authorization: Basic UserName@domain.com:password
The vCloud Air Identity Management Service authenticates the user credentials for Virtual Private Cloud OnDemand and returns an OAuth 2.0 Access token that is signed and formatted using Base64 encoded JSON.
201 Created vchs-authorization:vchs-OAuth-token
The returned OAuth token contains the necessary user attributes, such as user name, user ID, company name, company ID, and user permissions, for API clients to access each functional boundary surfaced by the API and to receive an authorization token from vCloud.
All requests from clients must include the OAuth token in the Authorization header:
Authorization: Bearer OAuth_token
After the client authenticates, vCloud Air retrieves a SAML session token (x-vcloud-authorization) and authenticates with the vCloud instance to perform Compute Service operations.
The response codes indicate whether requests succeeded or how they failed. When a request is successful, the server returns HTTP response code 201 Created because logging in to the API requires a POST call. If an Authorization header is missing, the server returns HTTP response code 403. If the credentials supplied in an Authorization header are invalid, or if the token has expired, the server returns HTTP response code 401.
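The login flow described above, as an added Python example (not code from the vCloud Air documentation): it builds the RFC 2617 Basic credential, shows that the Base64 step is reversible and so depends on SSL for confidentiality, and maps the 201/403/401 responses to the Bearer header for later requests. The function names, the UTF-8 charset and the sample values are assumptions constructed for illustration.

```python
import base64


class LoginError(Exception):
    """Raised when the login response does not yield a usable token."""


def basic_auth_header(username: str, password: str) -> str:
    """Build the RFC 2617 Basic credential: base64("username:password")."""
    if ":" in username:
        raise ValueError("user name must not contain ':' (RFC 2617 user-id)")
    raw = f"{username}:{password}".encode("utf-8")  # charset is an assumption
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header: str) -> tuple[str, str]:
    """Reverse the encoding. Base64 is not encryption: anyone who can read
    the header recovers the password, so it must only travel over SSL."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    user, _, pwd = decoded.partition(":")  # password may itself contain ':'
    return user, pwd


def bearer_from_login(status: int, headers: dict[str, str]) -> str:
    """Turn the login response into the Authorization value for later calls."""
    if status == 403:
        raise LoginError("403: Authorization header missing from the request")
    if status == 401:
        raise LoginError("401: credentials invalid or token expired")
    if status != 201:
        raise LoginError(f"unexpected status {status}")
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get("vchs-authorization", "").strip()
    if not token:
        raise LoginError("201 Created without a vchs-authorization token")
    return "Bearer " + token
```

On a 401 from a later request, a client discards the stored token and repeats the login rather than retrying with the same Bearer value.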