Magento 2 API Authentication Types

API Authentication

As explained in one of our previous articles, an API (Application Programming Interface) is a set of protocols and tools for building software applications. The focus of this article is narrower: the types of authentication the Magento 2 web API supports, and what each one means for the client that calls it.

The Magento 2 web API framework lets developers expose store functionality to external clients as web services. It supports two protocols: REST (Representational State Transfer) and SOAP (Simple Object Access Protocol). Whichever protocol you use, every call that touches a protected resource must first be authenticated in one of the ways described below.

Magento 2 currently supports three types of authentication:

  1. Token-Based Authentication
  2. OAuth-Based Authentication
  3. Session-Based Authentication

Now, let’s explore each of them individually.

Token-Based Authentication

So, how does a client such as a mobile application make a web API call? By presenting an access token. The token is a unique string issued by Magento that the client sends with every request in the Authorization header. It is a bearer credential: anyone who holds it can act with its privileges, so it must be stored and transmitted with the same care as a password (HTTPS only, never in URLs or logs).

Magento 2 issues three kinds of access tokens:

  1. Integration token
  2. Admin token
  3. Customer token

Integration Token

Why is the integration token important? It allows merchants to decide exactly which parts of Magento 2 an external system can reach, because the token carries the resource permissions granted to the integration. Note that an integration token has no expiration by default: it stays valid until you revoke it manually (by deactivating or deleting the integration), so a leaked integration token keeps working indefinitely unless someone notices. Since Magento 2.4.4, an integration's access token is no longer accepted as a standalone bearer token by default; requests must be signed with OAuth 1.0a unless the option that allows OAuth access tokens to be used as standalone bearer tokens is enabled under Stores > Configuration > Services > OAuth.

How do you generate an integration token in Magento? Go to the Admin Panel and follow the path System > Extensions > Integrations.

(Screenshot: Integrations page in the Magento 2 Admin panel)

Magento generates four values for an integration: a consumer key, a consumer secret, an access token, and an access token secret. OAuth-based authentication uses all four to sign requests. Token-based authentication, the subject of this section, uses only the access token, sent as a bearer token in the Authorization header.

When you click the "Add New Integration" button, Magento shows the New Integration page. Enter a unique name and confirm the change with your admin password. Then open the API tab in the left sidebar and choose the resource access: All or Custom. Prefer Custom and tick only the resources the external system actually needs; an integration with All access holds a non-expiring credential equivalent to a full administrator.

(Screenshot: New Integration page in the Magento 2 Admin panel)

Once the integration is saved, get its tokens by clicking the Activate link in the Integrations grid, then clicking "Allow" on the permissions page that follows. Magento activates the integration and displays the generated keys and tokens; copy the access token into the client's secret store at this point.

Admin and Customer Token

Magento provides built-in token web services for administrators and customers. The client sends a username and password to the token service, and the service returns a unique access token. By default, an admin access token is valid for 4 hours and a customer token for 1 hour; after that the client has to request a new token with the credentials again. An admin token carries the permissions of that admin's role; a customer token can reach only resources with anonymous or self permission, scoped to that customer.

The default lifetimes can be changed in the Admin panel under Stores > Settings > Configuration > Services > OAuth > Access Token Expiration. Shorter lifetimes limit how long a stolen token is useful.

To obtain a token, send the credentials to the token service of the web API you are using:

Request    REST                                      SOAP
Admin      POST /V1/integration/admin/token          integrationAdminTokenServiceV1
Customer   POST /V1/integration/customer/token       integrationCustomerTokenServiceV1
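The admin and customer token exchange described above, as an added example that is not part of the original article or of Magento's own code. It is written in Python and assumes the endpoint paths Magento documents (/rest/V1/integration/admin/token and /rest/V1/integration/customer/token) and the Authorization: Bearer header. The store URL https://store.example, the credentials, the token value and the fake_magento transport that answers in place of a real store are constructed for the example so it runs offline.

```python
"""Token-based authentication against the Magento 2 REST API.

Added example; not code from the original article or from Magento itself.
The endpoint paths and the "Authorization: Bearer" scheme are the ones Magento
documents. The store URL, credentials, token value and canned responses are
constructed so the example runs offline.
"""
import json
from urllib.request import Request

# Magento's documented token endpoints, relative to the store base URL.
TOKEN_PATHS = {
    "admin": "/rest/V1/integration/admin/token",
    "customer": "/rest/V1/integration/customer/token",
}


def build_token_request(base_url, kind, username, password):
    """POST that exchanges a username and password for an access token.

    The credentials go in the JSON body, never in the query string, so they
    stay out of web-server access logs and browser history.
    """
    if kind not in TOKEN_PATHS:
        raise ValueError("kind must be 'admin' or 'customer'")
    body = json.dumps({"username": username, "password": password}).encode("utf-8")
    return Request(
        base_url.rstrip("/") + TOKEN_PATHS[kind],
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )


def parse_token_response(status, body):
    """Return the token string from a successful response, or raise on failure.

    Magento answers a valid request with the bare token as a JSON string and
    a failed login with HTTP 401 and a JSON object carrying a "message" key.
    """
    payload = json.loads(body)
    if status != 200:
        message = payload.get("message") if isinstance(payload, dict) else body
        raise PermissionError(f"token request rejected ({status}): {message}")
    if not isinstance(payload, str) or not payload:
        raise ValueError("unexpected token payload")
    return payload


def build_bearer_request(base_url, path, token, method="GET"):
    """API call that presents the token as a bearer credential.

    Whoever holds the token can make this call, so treat it like a password:
    keep it out of URLs, logs and client-side storage that other code can read.
    """
    return Request(
        base_url.rstrip("/") + path,
        method=method,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def fetch_token(transport, base_url, kind, username, password):
    """Run the exchange through transport(request) -> (status, body).

    Injecting the transport keeps the example offline; in production pass a
    function that performs the request over HTTPS. The scheme check refuses
    to send the password or receive the token in clear text.
    """
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS base URL")
    status, body = transport(build_token_request(base_url, kind, username, password))
    return parse_token_response(status, body)


# Constructed stand-in for a store, used only so the example runs offline.
FAKE_ADMIN = {"username": "apiuser", "password": "correct-horse-battery-staple"}
FAKE_TOKEN = "q0u66k8h42yaevtchv09uyy3y9gaj2ap"  # constructed, not a real token


def fake_magento(request):
    """Answer like the admin token endpoint would (constructed responses)."""
    creds = json.loads(request.data.decode("utf-8"))
    if request.full_url.endswith(TOKEN_PATHS["admin"]) and creds == FAKE_ADMIN:
        return 200, json.dumps(FAKE_TOKEN)
    return 401, json.dumps({"message": "The account sign-in was incorrect."})


if __name__ == "__main__":
    token = fetch_token(fake_magento, "https://store.example", "admin", **FAKE_ADMIN)
    call = build_bearer_request("https://store.example", "/rest/V1/customers/1", token)
    print(call.full_url, call.get_header("Authorization"))
```

The transport is injected so the exchange can be checked offline; in a real client, pass a function that issues the prepared urllib Request over HTTPS and returns the status and body. The token arrives as a bare JSON string, while a failed login returns a JSON object with a message; the parser turns the latter into an exception rather than letting a non-token value end up in the Authorization header of later calls.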

OAuth-Based Authentication

OAuth-based authentication in Magento 2 follows the OAuth 1.0a open standard. It lets an external application access a store's data without that application ever storing a merchant's admin user ID or password: the merchant authorizes the integration once, and from then on the application identifies itself with a consumer key and a token, and signs every request with the matching secrets. Because the secrets never travel on the wire and each request carries its own signature, nonce and timestamp, a captured request cannot simply be replayed the way a captured bearer token can. The diagram below shows the process:

(Diagram: OAuth authentication flow between the external application and Magento)

1 – Create an Integration: The integration is created in the Admin as described in the previous section. Two fields matter for this flow: the Callback URL, to which Magento posts the activation information, and the Identity Link URL, the external application's login page.

2 – Activate the Integration: When the merchant activates the integration, Magento generates a consumer key and consumer secret and posts them, together with a one-time oauth_verifier and the store base URL, to the integration's Callback URL. The access token and access token secret come later, in step 9, once the application has completed the token exchange.

3 – Process Activation Information: The application stores the consumer key, consumer secret and verifier. These are the credentials it will use to ask for tokens, so they belong in a secrets store, not in source code or logs.

4 – Call the Application's Login Page: Magento opens the page configured in the integration's Identity Link URL field.

5 – Merchant Logs into the External Application: If the login succeeds, the application returns to the location specified in the call and the login page is dismissed.

6 – Ask for a Request Token: The application sends POST /oauth/token/request. The standard OAuth 1.0a parameters go in the Authorization header of the call: oauth_consumer_key, oauth_signature_method, oauth_signature, oauth_nonce, oauth_timestamp and oauth_version. The signature is computed with the consumer secret.

7 – Send the Request Token: Magento returns a request token and request token secret.

8 – Ask for an Access Token: The application sends POST /oauth/token/access, signed with the consumer secret and the request token secret. The Authorization header carries the same parameters as in step 6 plus oauth_token (the request token) and oauth_verifier (received in step 2).

9 – Magento Sends the Access Token: Magento returns an access token and access token secret. The request token is now spent and cannot be used again.

10 – The Application Can Access Magento Resources: Every API request must carry the full set of OAuth parameters in its Authorization header and be signed with the consumer secret and the access token secret. Each request uses a fresh nonce and a current timestamp, which is what lets Magento reject a replayed request.
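Steps 6 to 10 all reduce to one operation: the application signs each request with OAuth 1.0a and Magento verifies that signature. The following added example (not code from the original article or from Magento) implements that signing in Python with HMAC-SHA256, the signature method Magento's OAuth endpoints accept, together with the server-side checks a Magento-like endpoint performs on the request token and access token calls. The store URL https://store.example, the consumer key and secret, the token secrets, nonce and timestamp values are constructed; the names `oauth_header`, `verify` and the `extra` parameter are chosen for this example.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA256 signing for the Magento flow in steps 6 to 10.

Added example, not code from the article or from Magento. Magento's
/oauth/token/request and /oauth/token/access endpoints verify signatures of
this form; store URL, keys, secrets, nonces and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit

SIGNATURE_METHOD = "HMAC-SHA256"


def pct(value):
    """Percent-encode as OAuth requires: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lower-case scheme and host, drop default port, query string and fragment."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.port and p.port != (80 if p.scheme == "http" else 443):
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), host, p.path, "", ""))


def signature_base_string(method, url, params):
    """METHOD & encoded base URI & encoded, sorted k=v pairs (oauth_* plus query)."""
    pairs = [(pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature"]
    pairs += [(pct(k), pct(v)) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA256 of the base string, keyed with 'consumer secret & token secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    mac = hmac.new(key, signature_base_string(method, url, params).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def oauth_header(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 extra=None, nonce=None, timestamp=None):
    """Client side: Authorization header for one signed call; `extra` holds call-specific params such as oauth_verifier."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh per request
        "oauth_signature_method": SIGNATURE_METHOD,
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token  # request token (step 8) or access token (step 10)
    params.update(extra or {})
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


def parse_oauth_header(header):
    """Split an 'OAuth k="v", ...' header back into decoded parameters."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in header[len("OAuth "):].split(","):
        k, _, v = item.strip().partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify(method, url, header, consumer_secrets, token_secrets, seen_nonces, now=None, window=300):
    """Server side: reject unknown consumer/token, other methods, stale timestamp, replayed nonce, bad signature."""
    p = parse_oauth_header(header)
    consumer_secret = consumer_secrets.get(p.get("oauth_consumer_key"))
    if consumer_secret is None or p.get("oauth_signature_method") != SIGNATURE_METHOD:
        return False
    now = int(time.time()) if now is None else now
    if not p.get("oauth_timestamp", "").isdigit() or abs(now - int(p["oauth_timestamp"])) > window:
        return False
    nonce_key = (p["oauth_consumer_key"], p.get("oauth_nonce", ""))
    if nonce_key in seen_nonces:
        return False
    token_secret = token_secrets.get(p["oauth_token"]) if "oauth_token" in p else ""
    if token_secret is None:
        return False
    expected = sign(method, url, p, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
        return False
    seen_nonces.add(nonce_key)  # remember the nonce only after a successful check
    return True


if __name__ == "__main__":
    url = "https://store.example/oauth/token/request"  # constructed store URL
    header = oauth_header("POST", url, "consumer-key", "consumer-secret")
    print(header, verify("POST", url, header, {"consumer-key": "consumer-secret"}, {}, set()))
```

The same `oauth_header` call serves step 6 (no token), step 8 (token set to the request token, token_secret to the request token secret, extra carrying oauth_verifier) and step 10 (token and token_secret set to the access token pair). The verifier checks the timestamp window and the nonce before the signature, so a captured header is rejected on replay even inside the window, and the signature comparison is constant-time so a forged signature cannot be refined byte by byte.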

Session-Based Authentication

A customer who logs in to the storefront with customer credentials gains access to the web API resources whose entry in the module's webapi.xml configuration file grants anonymous or self permission; self resources are scoped to the logged-in customer's own data.

An admin who logs in to the Magento Admin with admin credentials gains access to the web API resources that the admin's role is authorized for.

In both cases the Magento web API framework uses the logged-in session information to verify your identity and authorize access; no token is created or sent.

For security reasons, this type of authentication is restricted to AJAX calls made from a logged-in storefront or Admin page. You cannot trigger it by opening an API URL directly in the browser. A custom storefront widget, however, can issue such requests from the page without any additional authentication steps, because the browser attaches the session cookie automatically.

Wrap Up

Hopefully you now have a clearer picture of the Magento 2 API authentication types and when to use each one. You are welcome to contact us at [email protected] regarding Magento 2 development.

