When you log in to VMware Cloud Director you can use a username and password. But for automation purposes like Terraform, this is not very user-friendly. For this kind of applications, you can use API access tokens.

From https://docs.vmware.com/en/VMware-Cloud-Director/10.4/VMware-Cloud-Director-Tenant-Portal-Guide/GUID-A1B3B2FA-7B2C-4EE1-9D1B-188BE703EEDE.html:

Starting with VMware Cloud Director 10.3.1, you can generate and issue API access tokens. You are authenticated using your respective security best practices, including leveraging two-factor authorization, by using API access tokens, you can grant access for building automation against VMware Cloud Director.

Access tokens are artifacts that client applications use to make API requests on behalf of a user. Applications need access tokens for authentication. When an access token expires, to obtain access tokens, applications can use API tokens. API tokens do not expire.

When using access tokens, applications cannot perform certain tasks.

• Change the user password
• Perform user management tasks
• Create more tokens
• View or revoke other tokens

When accessing VMware Cloud Director by using an API access token, applications have only view rights for the following resources.

• User
• Group
• Roles
• Global roles
• Rights bundles

Applications accessing VMware Cloud Director by using an API access token do not have the following rights.

• Token: Manage
• Token: Manage All

But how do you use an API access token i.e. with Postman?

First, you have to generate a token. How this is done can be found in the previous link. When you have a token save it in a safe place because you cannot retrieve the token again.

Then make a request from Postman with the following attributes

POST https://host_name/oauth/provider/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

Body
grant_type=refresh_token&refresh_token=Generated_API_Token

The response will include an access token with token_type Bearer. Copy this token and use it in subsequent API calls using the Bearer Token authentication type.

GET https://host_name/api/org
Accept: application/*+xml;version=36.1
Authorization: Bearer Generated_Access_Token