10.1.4 vCloud API
The VMware vCloud API provides support for developers who are building interactive clients of vCloud Director using a RESTful application development style. vCloud API clients and vCloud Director servers communicate over HTTPS, exchanging representations of vCloud objects. VMware vCloud ecosystem applications that leverage the vCloud API include vRealize Orchestrator (with vCloud Director plug-in), VMware vSphere PowerCLI™, vCenter Chargeback (vCloud Director Data Collector), vCloud Connector, vRealize Automation, vRealize Operations Manager (with vCloud Management Pack) and vcd-cli [1].
Currently there are multiple versions of the vCloud API, starting with 0.9 up to 27.0 (as of vCloud Director version 8.20). Supported vCloud API versions can be retrieved from /api/versions on the vCloud Director domain. Some versions are deprecated (see vCloud API documentation).
Expose only a limited set of APIs to the Internet. Tenant API calls must be accessible because they are related to the user and organization administrator operations (user scope) and required by ecosystem applications that leverage vCloud APIs. Expose additional API calls related to the provider operations only to vCloud administrators (provider scope). The separation between the user and provider scope can be made based on source IP addresses. Access from the Internet allows only the user scope APIs, while access from a defined group of service provider addresses allows the provider scope APIs.
A web application firewall (WAF) must be used to filter URL access based on the scope. It terminates the client SSL session, examines the content, and, based on filter rules, allows or rejects the session. If allowed, another load-balanced SSL session is created between the WAF and a vCloud Director cell.
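The scope decision described above, sketched as an added example (not VMware's code and not any WAF product's rule syntax). The provider networks, the function names, and the choice of `/api/admin/extension` as the provider-scope prefix are assumptions made for illustration.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumption: constructed provider management ranges (documentation address space).
PROVIDER_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
# Assumption: prefix treated as provider scope; take the real list from the
# vCloud API documentation for the deployed version.
PROVIDER_PREFIXES = ("/api/admin/extension",)
API_ROOT = "/api"


def normalize(raw_target: str) -> str:
    """Canonicalize the request path before any prefix rule is evaluated."""
    path = unquote(raw_target.split("?", 1)[0])
    # Reject anything the WAF and the cell might interpret differently:
    # leftover encoding, path parameters, backslashes, control characters.
    if not path.startswith("/") or any(c in path for c in "%;\\") or not path.isprintable():
        raise ValueError("ambiguous request path")
    # Collapse duplicate slashes and dot segments; compare case-insensitively.
    return ("/" + posixpath.normpath(path).lstrip("/")).lower()


def in_scope(path: str, prefix: str) -> bool:
    """Match on whole path segments so /api/admin/extensionX is not a hit."""
    return path == prefix or path.startswith(prefix + "/")


def decide(src_ip: str, raw_target: str) -> str:
    """src_ip is the TCP peer address seen by the WAF, never a client-supplied header."""
    try:
        path = normalize(raw_target)
    except ValueError:
        return "deny"
    if not in_scope(path, API_ROOT):
        return "not-api"  # left to whatever rules cover non-API URLs
    if any(in_scope(path, p) for p in PROVIDER_PREFIXES):
        addr = ipaddress.ip_address(src_ip)
        return "allow-provider" if any(addr in n for n in PROVIDER_NETS) else "deny"
    return "allow-user"


if __name__ == "__main__":
    # Constructed requests: (source address, request target)
    for src, target in [("198.51.100.7", "/api/versions"),
                        ("198.51.100.7", "/api//admin/./extension/example"),
                        ("203.0.113.20", "/api/admin/extension/example")]:
        print(src, target, "->", decide(src, target))
```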
Note: All API calls except /api/versions and /api/sessions must be authenticated, and access control is applied based on the account privileges.

[1] https://github.com/vmware/vcd-cli