Magento 2 API Authentication Types

API Authentication

As explained in one of our previous articles, API (Application Programming Interface) is a set of protocols and tools for building software applications. The main focus of this article will be on the types of Magento 2 API authentication and their use.

To start with, the Magento 2 API framework allows developers to create new Web services with M2 stores. It supports REST (Representational State Transfer) and SOAP (Simple Object Access Protocol) web services.

Magento 2 currently has 3 types of authentication:

  1. Token-Based Authentication
  2. OAuth-Based Authentication
  3. Session-Based Authentication

So, let’s explore each of them individually.

Token-Based Authentication

How can you make a web API call from a client such as a mobile app? Well, by providing an access token. It is a unique key that lets you access the API.

Magento 2 has got 3 types of access tokens:

  1. Integration token
  2. Admin token
  3. Customer token

Integration Token

Why is the integration token important? Because it allows merchants to customize which part of Magento 2 can be accessed with it. The default lifetime for the integration token is indefinite. However, it lasts until you revoke it manually.

How to generate an integration key in Magento? It’s simple! Go to the Admin Panel and follow the path:

System > Extensions > Integrations.

Integrations Magneto 2 Admin panel

Magento generates a consumer key, consumer secret, access token, and access token secret. The token in OAuth-Based Authentication uses all of these. On the other hand, our type of authentication requires only an access token.

When you click the “Add New Integration” button, Magento shows the New Integration page. Then, you have to enter a unique name and admin password. Lastly, you need to open the API tab from the left sidebar and select All or Custom resources.

New Integration Magento 2 admin panel

Once you have successfully created a new integration, it is time to get the access token by clicking on the Activate link. Finally, click the “Allow” button and activate this integration.

Admin and Customer Token

Magento has embedded token web services for administrators and customers. When you forward username and password, the service returns a unique access token. By default, the admin access token is valid for 4 hours, while a customer token is valid for 1 hour.

Default values can be changed from the admin panel by selecting Stores > Settings > Configuration > Services > OAuth > Access Token Expiration.
In order to get the Authentication token, use one of the following API calls:

Request Rest Soap

OAuth-Based Authentication

OAuth-Based Authentication is an open standard for secure API authentication based on OAuth 1.0a. This external application has access to internal data without storing any user IDs or passwords. Thus, it represents a very useful token-passing mechanism. In the diagram below, you can see the process of OAuth authentication:

External Application and Magento

Create an Integration. We have described the Magento integration process within the previous section.

Activate the Integration. Magento generates a consumer key, consumer secret, access token, and access token secret. Then, the integration process can start.

Process Activation Information. Firstly, the activation information needs to be stored in the integrator. Then it can be used to ask for tokens.

Call the Application’s Login Page. Identity Link field in Admin calls the defined page.

Merchant Logs into the External Application. Provided that the login is successful, the application will return to the location specified in the call. As for the login page, it will be dismissed.

Ask for a Request Token. The application uses POST rest API call OAuth/token/request. You have to include these request parameters in the Authorization header in the call:

Parameter Description

Send the Request Token. Magento returns a request token and request token secret.

Ask for an Access Token. The application uses POST rest API call OAuth/token/access. For this reason, you must include these request parameters in the Authorization header in the call.

Parameter Description Token Access

Magento Sends the Access Token. Magento returns an access token and access token secret.

The Application Can Access Magento Resources. All requests must use the full set of request parameters in the Authorization header.

Session-Based Authentication

As a customer, you can log in with your customer credentials. You will gain access to resources configured with anonymous or self permission in the webapi.xml configuration file as a result.

Provided that you are an admin, you can log in to the Magento Admin. Just enter your admin credentials. As a result, you will gain access to the Magento Admin profile.

Magento Web API framework uses your logged-in session information in order to verify your identity and authorize access.

For security reasons, this type of authentication is restricted to AJAX calls. So, this basically means that you cannot access it directly via the browser. But, you can create a custom storefront widget! Moreover, it can issue requests without any additional authentication steps.

Wrap Up

Hopefully, we have clarified Magento 2 API authentication types and their use. Of course, feel free to contact us at [email protected] in relation to Magento 2 Development.


Magento 2 Development Documentation

4.2 6 votes
Article Rating
Notify of
Inline Feedbacks
View all comments