VMware Cloud Foundation Operations API

Officially supported API(s)

These are the REST APIs exposed by VCF Operations for programmatic access to inventory, monitoring, configuration and administration capabilities. All endpoints accept and return JSON unless explicitly documented otherwise. Resource-oriented URLs and standard HTTP verbs (GET, POST, PUT, PATCH, DELETE) are used throughout.

Public endpoints are exposed under /api/... and require an authenticated user with the appropriate privileges. A few endpoints are unauthenticated by design, e.g. POST /api/auth/token/acquire for retrieving a token.

Authentication:

Every request must include an Authorization header. The most common supported schemes are:

  • OpsToken — Authorization: OpsToken <token>. Session token issued by POST /api/auth/token/acquire.
  • Bearer token — Authorization: Bearer <token>. Access token issued by VCF SSO. Note: The access token must be retrieved directly from VCF SSO before making API calls.


Requests missing the Authorization header, or carrying an expired/invalid token, are rejected with 401 Unauthorized. Requests authenticated but lacking the required privilege return 403 Forbidden.
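The sketch below is an added example, not code from the VCF Operations documentation. It shows a client that treats the two rejection codes differently: a 401 discards the cached token and re-acquires once, while a 403 is surfaced immediately because a fresh token cannot grant a missing privilege. The `transport` callable, the `username`/`password` request fields, the `token` response field and the 200 status on acquire are assumptions not stated on this page.

```python
from typing import Callable, Optional, Tuple

# Hypothetical seam: transport(method, path, headers, json_body) -> (status, json_or_None).
Transport = Callable[[str, str, dict, Optional[dict]], Tuple[int, Optional[dict]]]
ACQUIRE_PATH = "/api/auth/token/acquire"  # unauthenticated by design, per the page


class AuthError(Exception):
    """401: no valid token could be presented."""


class PrivilegeError(Exception):
    """403: authenticated, but the account lacks the required privilege."""


def auth_header(scheme: str, token: str) -> dict:
    """Build the Authorization header for one of the two documented schemes."""
    if scheme not in ("OpsToken", "Bearer"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")  # blocks header injection
    return {"Authorization": f"{scheme} {token}"}


class OpsClient:
    def __init__(self, transport: Transport, username: str, password: str):
        self._transport, self._creds = transport, {"username": username, "password": password}
        self._token: Optional[str] = None

    def _acquire(self) -> None:
        # Request and response field names are assumptions, not taken from the page.
        status, body = self._transport("POST", ACQUIRE_PATH, {}, self._creds)
        if status != 200 or not body or not body.get("token"):
            raise AuthError(f"token acquire failed with HTTP {status}")
        self._token = body["token"]

    def request(self, method: str, path: str, body: Optional[dict] = None):
        for _ in range(2):  # original attempt plus one retry after re-acquiring
            if self._token is None:
                self._acquire()
            status, data = self._transport(method, path, auth_header("OpsToken", self._token), body)
            if status == 401:
                self._token = None  # expired or invalid: discard, never reuse
                continue
            if status == 403:
                raise PrivilegeError(f"{method} {path}: missing privilege, not retrying")
            return status, data
        raise AuthError(f"{method} {path}: still 401 with a freshly acquired token")
```

Capping the retry at one re-acquire keeps a misconfigured client from hammering the token endpoint, and a repeated `PrivilegeError` for one account is worth alerting on as a sign of over-reach or a mis-scoped role.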