If Orchestrator is configured with the vCenter Single Sign On Server, you need a principal holder-of-key token to access system objects in Orchestrator through the vCO REST API. A holder-of-key token is bound to a key pair: unlike a bearer token, it is accepted only when the caller can prove possession of the corresponding private key, so a captured token alone cannot be replayed. To access vCenter Server or third-party systems that use the vCenter Single Sign On Server through the Orchestrator server, you need both your principal token and a delegate holder-of-key token issued for Orchestrator.

You can access system objects in Orchestrator at the URLs of the Inventory and the Catalog services of the REST API.

https://vcoHost:port/api/inventory/System/

https://vcoHost:port/api/catalog/System/

When you access system objects in Orchestrator, you pass your principal holder-of-key token in the Authorization header of HTTP requests that you make to the Inventory or the Catalog service.

For example, to retrieve all system objects of type Workflow, you make a GET request to https://vcoHost:port/api/catalog/System/Workflow/ with your principal holder-of-key token in the Authorization header.

To perform operations in third-party systems that are registered with the vCenter Single Sign On Server through the Orchestrator REST API, you must authenticate against Orchestrator and the third-party system. You include two headers in the HTTP calls that you make through the Orchestrator REST API.

Authorization. You must pass your principal holder-of-key token in this header.

VCOAuthorization. You must pass a delegate holder-of-key token for Orchestrator in this header. You must acquire the delegate token for Orchestrator from the vCenter Single Sign On Server. Orchestrator uses the delegate token to authenticate against the third-party system on your behalf.

For example, running a workflow that operates on a virtual machine through the Orchestrator REST API touches resources both in Orchestrator and in vCenter Server. You pass your principal holder-of-key token in the Authorization header and the delegate token in the VCOAuthorization header of the same request: you authenticate against Orchestrator with the principal token, and Orchestrator authenticates against vCenter Server on your behalf with the delegate token.

The vCenter Single Sign On Server treats Orchestrator as a solution, and every solution is registered with the vCenter Single Sign On Server under a unique solution user name. You request a delegate token for Orchestrator by passing the solution user name of Orchestrator together with your principal holder-of-key token to the vCenter Single Sign On Server. The token that the vCenter Single Sign On Server issues is a delegate holder-of-key token that lets Orchestrator authenticate on your behalf against third-party systems. Request the delegate token for the Orchestrator solution user only: a token delegated to a different solution user would let that solution, not Orchestrator, act on your behalf.
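The two-header scheme and the delegate token request described above, as an added example that is not part of the VMware documentation or of the Orchestrator client libraries. A small Python client assembles the WS-Trust request that asks the vCenter Single Sign On STS for a delegate holder-of-key token for the Orchestrator solution user (standard WS-Trust 1.3/1.4 elements; wst:DelegateTo names the solution user), and then the Orchestrator REST request that carries the principal token in Authorization and the delegate token in VCOAuthorization. The solution user name `vco-solution-user`, the user `alice@vsphere.local`, the sample assertion, the gzip-plus-base64 wire encoding of the tokens and the absence of an HTTP authentication scheme name are assumptions the page does not state; the holder-of-key signature the STS requires over the request is not shown.

```python
"""
Added example (not from the VMware documentation): building the two pieces a
REST client needs when Orchestrator sits behind vCenter Single Sign On:
  1. the WS-Trust request that asks the SSO STS to issue a delegate
     holder-of-key token for Orchestrator's solution user, and
  2. the Orchestrator REST request with the principal token in Authorization
     and the delegate token in VCOAuthorization.
Standard library only; nothing is sent. Details the page does not state are
marked ASSUMPTION.
"""
import base64
import gzip
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"          # WS-Trust 1.3/1.4
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
HOK_KEY_TYPE = WST + "/PublicKey"   # holder-of-key; WST + "/Bearer" would ask for a bearer token
for prefix, uri in (("soapenv", SOAP), ("wst", WST), ("wsse", WSSE), ("saml2", SAML2)):
    ET.register_namespace(prefix, uri)

# Constructed sample standing in for the principal assertion the STS issued to the user.
PRINCIPAL_ASSERTION = (
    f'<saml2:Assertion xmlns:saml2="{SAML2}" ID="_principal-1">'
    "<saml2:Subject><saml2:NameID>alice@vsphere.local</saml2:NameID></saml2:Subject>"
    "</saml2:Assertion>"
)
VCO_SOLUTION_USER = "vco-solution-user"   # ASSUMPTION: placeholder for Orchestrator's registered solution user name


def build_delegate_rst(principal_assertion_xml: str, solution_user: str) -> bytes:
    """SOAP envelope for a WS-Trust Issue request for a holder-of-key SAML 2.0
    token delegated (wst:DelegateTo) to Orchestrator's solution user. The
    principal assertion rides in the WS-Security header so the STS knows on
    whose behalf the delegate is issued.
    ASSUMPTION: the STS additionally requires the body to be signed with the
    key bound to the principal token (the holder-of-key proof); that XML
    signature is not part of this example."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    security = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    security.append(ET.fromstring(principal_assertion_xml))
    rst = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML2_TOKEN_TYPE
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = HOK_KEY_TYPE
    utoken = ET.SubElement(ET.SubElement(rst, f"{{{WST}}}DelegateTo"), f"{{{WSSE}}}UsernameToken")
    ET.SubElement(utoken, f"{{{WSSE}}}Username").text = solution_user
    # Least privilege: Orchestrator receives a token it cannot delegate onward.
    ET.SubElement(rst, f"{{{WST}}}Delegatable").text = "false"
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def delegate_target(rst: bytes) -> str:
    """Solution user the requested token is delegated to (check before sending)."""
    return ET.fromstring(rst).findtext(
        f".//{{{WST}}}DelegateTo/{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")


def delegating_principal(rst: bytes) -> str:
    """NameID of the principal assertion carried in the WS-Security header."""
    return ET.fromstring(rst).findtext(
        f".//{{{WSSE}}}Security/{{{SAML2}}}Assertion/{{{SAML2}}}Subject/{{{SAML2}}}NameID")


def encode_token(assertion_xml: str) -> str:
    """ASSUMPTION: tokens go on the wire gzip-compressed and base64-encoded;
    the page does not state the encoding Orchestrator expects."""
    return base64.b64encode(gzip.compress(assertion_xml.encode("utf-8"))).decode("ascii")


def decode_token(value: str) -> str:
    """Inverse of encode_token, for checking what a header actually carries."""
    return gzip.decompress(base64.b64decode(value)).decode("utf-8")


def build_vco_request(method, url, principal_assertion_xml, delegate_assertion_xml=None):
    """Method, URL and headers for an Orchestrator REST call, returned as a dict
    for any HTTP client. Authorization always carries the principal
    holder-of-key token; VCOAuthorization carries the delegate token and is
    added only when the call reaches a third-party system (for example vCenter
    Server) through Orchestrator. ASSUMPTION: the page gives no HTTP
    authentication scheme name, so the header value is the encoded token alone."""
    if not url.lower().startswith("https://"):
        raise ValueError("tokens are only sent over TLS")
    headers = {"Authorization": encode_token(principal_assertion_xml), "Accept": "application/xml"}
    if delegate_assertion_xml is not None:
        if delegate_assertion_xml == principal_assertion_xml:
            raise ValueError("VCOAuthorization must carry the delegate token, not the principal token")
        headers["VCOAuthorization"] = encode_token(delegate_assertion_xml)
    return {"method": method, "url": url, "headers": headers}
```

A request that only reads Orchestrator's own Inventory or Catalog service is built with the principal token alone; the delegate token is added only for calls that Orchestrator must carry through to vCenter Server, and the builder refuses to put the same token in both headers, which is the most common mistake when wiring this up by hand.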