VMware Cloud Foundation (VCF) 9 introduces a Unified VCF Software Development Kit (SDK) for Python and Java. The key highlight of this release is the unification of all the major components into a single deliverable package, providing a simple, extensible, and consistent automation experience across the stack. Currently, the following VCF components are included in the unified VCF SDK, and the rest of the components will be made available very soon:
- VMware vSphere
- VMware vSAN
- VMware vSAN Data Protection
- VMware SDDC Manager
If you are reading the term Unified VCF SDK for the first time, do not worry about it. You can visit some of the existing content such as the announcement blog post or visit the VMware Explore Las Vegas 2025 session to get yourself up to speed with all the enhancements introduced with VCF APIs and the VCF SDK.
In this blog post I will focus on a small yet very effective enhancement to our vSphere API authentication and explain its usage across the vSphere and vSAN APIs.
Authentication dilemma with vSphere APIs
For context, VMware vSphere exposes two major categories of APIs: vSphere Web Services APIs and vSphere Automation APIs. The primary difference between the two lies in their underlying communication protocol.
- vSphere Web Services APIs use the Simple Object Access Protocol (SOAP).
- vSphere Automation APIs use Representational State Transfer (REST).
If you have ever explored the Managed Object Browser (MOB) from the vSphere Client, you were interacting with the Web Services (SOAP) APIs. In contrast, the API Explorer in the Developer Center exposes the vSphere Automation (REST) APIs.
To build complete solutions, developers often need to work with both sets of APIs. Historically, each API type required separate authentication through its own authentication API, which made for an inconsistent and cumbersome experience for anyone building workflows that spanned vSphere Web Services, vSphere Automation, and even vSAN APIs.
The unified authentication
Starting with vSphere 8 Update 3, we have significantly improved the developer experience by introducing unified authentication across vSphere and vSAN API types. This enhancement is implemented in pyvmomi (the vSphere SDK for Python), into which the vSAN SDK is now also merged.
With this update:
- You can authenticate once using the vSphere Web Services APIs (SOAP) and reuse the same session ID with the vSphere Automation APIs (REST) and vSAN APIs.
- The workflow also works in reverse—authenticate using Automation APIs, and reuse that session seamlessly with Web Services and vSAN APIs.
This unification eliminates the need for multiple login flows, delivering a far more consistent and simplified developer experience.
Even better, this improvement is not limited to the raw APIs. It is now also available across our SDKs, including the Unified VCF SDK 9.0 for Python and Java, giving developers a single, coherent authentication model across vSphere and vSAN APIs.
Sample Code
```python
import ssl
import sys

import requests
import urllib3
from pyVmomi import vim
from pyVim.connect import SmartConnect, Disconnect
from vmware.vapi.vsphere.client import create_vsphere_client


def main():
    # --- Basic Config ---
    VC_HOST = "your_vcenter_server"
    VC_USER = "username"
    VC_PASS = "password"
    VC_PORT = 443
    IGNORE_SSL = True  # Set to False if you use valid certificates

    # --- Connect to vCenter using Web Services (SOAP) ---
    context = None
    if IGNORE_SSL:
        # Lab/demo only: skip certificate verification and silence the warning.
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        context = ssl._create_unverified_context()

    try:
        print(f"Connecting to {VC_HOST} via Web Services (SOAP)...")
        si = SmartConnect(
            host=VC_HOST,
            user=VC_USER,
            pwd=VC_PASS,
            port=VC_PORT,
            sslContext=context
        )
    except vim.fault.InvalidLogin:
        print("Error: Invalid login credentials.")
        sys.exit(1)
    except Exception as e:
        print(f"Error: Could not connect to vCenter. Reason: {e}")
        sys.exit(1)

    print("Connected successfully!\n")

    # --- Use Web Services API: Print vCenter 'About' Info ---
    content = si.RetrieveContent()
    about = content.about
    print("--- vCenter Info via Web Services (SOAP) ---")
    print(f"Product: {about.fullName}")
    print(f"Version: {about.version}")
    print(f"Build: {about.build}")
    print()

    # --- Use Web Services API: List VMs ---
    print("--- Virtual Machines via Web Services (SOAP) ---")
    vm_view = content.viewManager.CreateContainerView(
        content.rootFolder, [vim.VirtualMachine], True
    )
    for vm in vm_view.view:
        print(f"VM Name: {vm.name}, Power State: {vm.runtime.powerState}")
    vm_view.Destroy()
    print()

    # --- Reuse Same Session with vSphere Automation (REST / vAPI) ---
    # Get session ID from the Web Services connection
    session_id = si._GetStub().GetSessionId()
    # The session ID is a bearer credential. It is printed here only to show
    # the reuse; do not write it to logs in real automation.
    print(f"Session ID (reused for REST): {session_id}\n")

    # Prepare a requests session for vAPI
    session = requests.session()
    # Honour the same flag as the SOAP connection. Disabling verification is
    # for lab/demo only. Use proper SSL in production.
    session.verify = not IGNORE_SSL

    # Create vSphere Automation client using the same session ID
    vsphere_client = create_vsphere_client(
        server=VC_HOST,
        session=session,
        session_id=session_id,
    )

    # --- vAPI Example: List VMs via REST ---
    print("--- Virtual Machines via vSphere Automation (REST / vAPI) ---")
    vms = vsphere_client.vcenter.VM.list()
    for vm in vms:
        print(f"VM Name: {vm.name}, VM ID: {vm.vm}")

    # --- Cleanup ---
    Disconnect(si)
    print("\nDisconnected from vCenter.")


if __name__ == "__main__":
    main()
```
This example shows how unified authentication works between the vSphere Web Services APIs (SOAP) and the vSphere Automation APIs (REST / vAPI) using pyvmomi and the vSphere Automation Python SDK.
- Connect once using Web Services (SOAP)
  The script first connects to vCenter using SmartConnect from pyVmomi. This is the traditional Web Services (WSDL/SOAP) connection that many vSphere admins and automation scripts already use.
- Do something with the Web Services APIs
  After connecting, we retrieve the vCenter “About” information and list all virtual machines using the classic Web Services API (RetrieveContent, CreateContainerView, etc.).
- Reuse the same session for REST (vAPI)
  Instead of logging in again, we extract the session ID from the Web Services connection: session_id = si._GetStub().GetSessionId()
- Reuse the vSphere Web Service API Session ID in vSphere Automation API
  We then pass this session_id into the create_vsphere_client() function. This allows the vSphere Automation (REST) client to reuse the same session that was created by the Web Services login.
- Call a vAPI (REST) endpoint
  With the vsphere_client created, we call: vsphere_client.vcenter.VM.list()
  This lists VMs using the vSphere Automation APIs (REST), but without performing a second login. The authentication is reused from vSphere Web Service API.
This is just one example: reusing a vSphere Web Service API session in the vSphere Automation API. The reverse also works: you can reuse a vSphere Automation API session ID in the vSphere Web Service API.
What is happening behind the scenes?
```bash
# Establish a session with the vSphere Web Service API (/vim25).
# -i prints the response headers; the session ID is returned in the
# vmware-api-session-id response header. -k skips certificate checks (lab only).
$ curl "https://$VC/sdk/vim25/8.0.2.0/SessionManager/SessionManager/Login" -H 'Content-Type: application/json' -d "{\"userName\": \"Administrator@vsphere.local\", \"password\": \"$PSWD\"}" -ki

# Reuse the session ID in the vSphere Automation API (/api).
# $VIM_SESSION holds the vmware-api-session-id value from the login response.
$ curl "https://$VC/api/vcenter/folder" -H "vmware-api-session-id: $VIM_SESSION" -k

# Reuse the session ID in the vSphere Web Service API (/vim25)
$ curl "https://$VC/sdk/vim25/8.0.2.0/Folder/group-d3/tag" -H "vmware-api-session-id: $VIM_SESSION" -k
```
vmware-api-session-id is a shared key that both vSphere Web Service API (SOAP) and vSphere Automation API (REST) consume. Whichever side creates the session, the other side can use it with the vmware-api-session-id header.
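The same login-once flow as the curl commands, written with only the Python standard library so that certificate verification stays on, the session ID never appears in output, and the session is always closed. This is an added example, not code from the original post or the VCF SDK. The class name UnifiedSession and its opener parameter are hypothetical; it assumes the login response carries the ID in the vmware-api-session-id response header and that a Logout method sits beside the Login path shown above.

```python
import json
import ssl
import urllib.request

HEADER = "vmware-api-session-id"  # header name taken from this page


class UnifiedSession:
    """Log in once on /sdk/vim25, reuse the session on /api, always log out."""

    def __init__(self, host, user, password, release="8.0.2.0", opener=None):
        self.base = f"https://{host}"
        self.sm = f"/sdk/vim25/{release}/SessionManager/SessionManager"
        self._creds = {"userName": user, "password": password}
        self._sid = None
        # Default context verifies the certificate chain and the hostname.
        ctx = ssl.create_default_context()
        # `opener` is a hypothetical hook so the flow can be tested offline.
        self._open = opener or (lambda r: urllib.request.urlopen(r, context=ctx))

    def _request(self, path, body=None, method="GET"):
        headers = {"Content-Type": "application/json"}
        if self._sid:
            headers[HEADER] = self._sid  # same header for both API families
        data = None if body is None else json.dumps(body).encode()
        return urllib.request.Request(self.base + path, data, headers, method=method)

    def __enter__(self):
        login = self._request(self.sm + "/Login", self._creds, "POST")
        with self._open(login) as resp:
            # Assumption: the login response returns the ID in this header.
            self._sid = resp.headers[HEADER]
        self._creds = None  # drop the password once a session exists
        return self

    def get(self, path):
        with self._open(self._request(path)) as resp:
            return json.loads(resp.read() or b"null")

    def __exit__(self, *exc):
        try:
            # Assumption: Logout sits beside the Login path shown on this page.
            self._open(self._request(self.sm + "/Logout", method="POST")).close()
        finally:
            self._sid = None  # forget the ID locally even if logout fails

    def __repr__(self):  # never expose the session ID in logs or tracebacks
        return f"<UnifiedSession {self.base} active={self._sid is not None}>"
```

Inside a `with UnifiedSession(host, user, password) as s:` block, `s.get("/api/vcenter/folder")` and `s.get("/sdk/vim25/8.0.2.0/Folder/group-d3/tag")` both ride on the single login.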
That is all for this blog post. Feel free to refer to additional resources on Unified VCF SDK and learn how we are delivering a simple, extensible, and consistent developer experience by introducing enhancements to our core APIs and SDKs. Stay tuned for more such information in the coming days.
Resources
- Release Notes
- Broadcom Developer Portal
- VCF Python SDK on PyPI
- VCF Java SDK on Maven
- Github Repository
- Getting Started Pages