The API is exposed over HTTPS. Client code must use the x-zerto-session HTTP authorization header when ending a session.