When using the list-attached-tags-on-objects action for the tag-association API, the type parameter within the request body is not strictly validated.

API Endpoint:
POST https://{host}/api/cis/tagging/tag-association?action=list-attached-tags-on-objects

Request Body:

JSON
{
    "object_ids": [
        {
            "type": "string",
            "id": "string"
        }
    ]
}

• Providing a valid type and id returns the expected, correct output.
• Providing an incorrect or completely invalid type (e.g., "1234" or "abcd") does not trigger a validation error. Instead, the API returns a 200 OK status with an empty response payload.

VMware vCenter Server 8.x

This behavior is by design to ensure API flexibility and backward compatibility.

Bulk Processing Logic: The API is designed to accept multiple objects in a single input array. Rather than failing the entire request if a single entry is invalid, the API filters out and ignores invalid entries. For example, if 10 objects are passed and only 5 are valid, the API will successfully process and return data for those 5 valid entries.

No Partial Failure States: The API endpoint must return either a total success or a total failure, rather than partial results or mixed status codes. Filtering out invalid inputs silently allows the valid portions of the query to succeed.

This behavior will not be changed in a patch or update. Altering the validation logic on this widely-used public API risks breaking existing customer automation scripts and workflows. Because this behavior does not negatively impact vCenter performance or security, maintaining public API stability remains the priority.

Workaround
If strict validation is required for your implementation, validation logic must be implemented on the client side within your custom code or script before dispatching the payload to the vCenter API.