VMware Cloud Services Platform Authorization using API Token

VMware Cloud Services Platform (CSP) Provides a rich set of APIs for identity and access management.


To complete this task, you need to have access to the CSP console. In order to generate the CSP authorization token, you need to first obtain the refresh token for your organization from the CSP console. If you already have an API token, skip to Step 2

Step 1 - Generate an API Token

  1. Login to the CSP console at https://console.cloud.vmware.com
  2. On the VMware Cloud Services toolbar, click your user name and select My Account > API Tokens.
  3. Click ‘Generate a new API Token’ (Refer label 2)
    <<Image to be inserted>>
  4. In the ‘Generate a New API Token’ that opens, enter the follwoing:
  • Token Name: A user defined name for the new API Token.
  • Token TTL: The token validity duration (Time to Live), after which the token expires.
  • Define Scope: Define scopes for the token. Scopes provide a way to implement control over what areas in an organization your token can access - specifically which role in an organization, and what services and the level of permissions.
    If required, you can select All Roles and give your token access to all the organization and service roles.
  1. Click ‘GENERATE’ (Refer label 3).
    <<Image to be inserted>>
    The newly generated CSP Refresh token displays in a pop-window as shown in the figure below.
  2. Save the token credentials to a safe place so you can retrieve them to use later on. You will use it later to generate an access token.
<<Image to be inserted>>

Note: For security reasons, after you generate the token, we only display the name of the token on the API Tokens page and not the token credentials.
This means that you will no longer be able to reuse the token by copying the credentials from this page - it is only displayed once.
If you don’t copy the token credenitals when they are displayed on the screen, you will have to Regenerate the Refresh Token.

Step 2 - Exchange your API Token for an Access Token

Use the following API to to exchange the API Token you generated in Step 1 with an access-token:


POST Get Access Token By API Refresh Token

For example, the access token can be obtained by issuing a POST like this:

curl -X POST "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize" \
     -H "accept: application/json" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "refresh_token={refresh-token}"

Step 3 - Fetch your Organization ID Using the access token


POST Get Organization Details

Some information about your Organization can be obtained by issuing a GET like this:

curl -s -X GET \
    -H "Content-Type: application/json" \
    -H "csp-auth-token: {csp-auth-token}" \

How to Automate Processes Interacting with CSP APIs

You can use either API tokens or OAuth apps to automate processes that interact with the VMware Cloud Service Platform (CSP) APIs.

API tokens are used to authenticate when users make authorized API connections. API tokens are issued by users in an organization and are associated with the user’s account and the organization from which they generated the API token. An API token authorizes access per organization and incorporates the user account in the access token.

OAuth apps, on the other hand, perform authorization without a user account. Some CSP APIs require a user account to be the authenticated entity while others do not.

When choosing between API tokens and OAuth apps to make an API call, the specific requirements of the module engaged in the interaction must be taken into account.

Click Here to learn more.