Welcome to our latest blog post in our exploration of the world of Magento 2 authentication methods. In our previous article, we looked at how to simplify Magento 2 OAuth authentication with the help of Postman. While OAuth-based authentication provides secure access to the Magento API, there’s another method we’d like to discuss: Token-based authentication. In this blog post, we will look at the three types of tokens available in Magento. We will learn when and how to use them effectively.
Integration tokens
Default Lifetime: Indefinite until manually revoked.
Unlike OAuth-based authentication, which involves several values (consumer key, consumer secret, access token and access token secret), token-based authentication simplifies the process by requiring only the access token. For instructions on creating integration tokens, see our previous post, Setting Up Magento 2 OAuth 1.0 Integration with Postman.
To set up OAuth access tokens as standalone bearer tokens, follow these steps in your Magento admin panel: navigate to "Stores" → "Configuration" → "Services" → "OAuth" → "Consumer Settings" → "Allow OAuth access tokens to be used as standalone bearer tokens" → "Yes".
The access token now acts as a bearer token, so you can call the API from Postman with the access token alone.
Admin access tokens
Default Lifetime: 4 hours
Admin access tokens authenticate API requests on behalf of an administrator, granting that administrator's privileges so the caller can perform administrative actions through the Magento REST API. To obtain an admin access token, follow the steps below:
Step 1: Make a POST request.
POST /rest/V1/integration/admin/token
Step 2: Provide Credentials:
| Parameter | Type | Description |
|---|---|---|
| username | string | Admin username |
| password | string | Admin password |
Step 3: Submit the request. If the credentials provided are valid, Magento will respond with an admin access token.
Once obtained, you can use this access token to retrieve data from the API.
Customer access tokens
Default Lifetime: 1 hour
Customer access tokens authenticate API requests on behalf of a customer, allowing access to that customer's own resources and data. To obtain a customer access token, follow the steps below:
Step 1: Make a POST Request:
POST /rest/V1/integration/customer/token
Step 2: Provide Credentials:
| Parameter | Type | Description |
|---|---|---|
| username | string | Customer username |
| password | string | Customer password |
Step 3: Submit the request. If the credentials provided are valid, Magento will respond with a customer access token.
Armed with the access token, you can now retrieve data from the API.
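The admin and customer token flows above, worked through as an added example (not code from the original post or from Magento itself): it builds the POST that exchanges credentials for a token, parses the bare-JSON-string success and the `message` object Magento returns on rejection, and then presents the token in the `Authorization: Bearer` header the way the standalone-bearer setting expects. The store URL, the credentials and the API user are placeholders you must replace; the token is handled as a credential and only a redacted prefix is ever printed.

```python
import json
import urllib.request

BASE_URL = "https://magento.example.test"  # placeholder store URL, not a real host

# Token endpoints and default lifetimes as given in the post.
TOKEN_PATHS = {
    "admin": "/rest/V1/integration/admin/token",
    "customer": "/rest/V1/integration/customer/token",
}
DEFAULT_LIFETIME_HOURS = {"admin": 4, "customer": 1}


def build_token_request(kind, username, password, base_url=BASE_URL):
    """Steps 1 and 2: POST the credentials as JSON to the token endpoint."""
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(
        base_url + TOKEN_PATHS[kind],
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def parse_token_response(raw):
    """Step 3: success is a bare JSON string holding the token; a rejection
    is a JSON object whose "message" field says why."""
    payload = json.loads(raw)
    if isinstance(payload, str) and payload:
        return payload
    message = payload.get("message") if isinstance(payload, dict) else None
    raise PermissionError(message or "token request rejected")


def build_bearer_request(path, token, base_url=BASE_URL):
    """Present the token in the Authorization header, never in the query string."""
    return urllib.request.Request(
        base_url + path,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
        method="GET",
    )


def redact(token):
    """Log-safe rendering: the token is a credential, so never log it whole."""
    return token[:4] + "..." if len(token) > 4 else "..."


def fetch(request):
    with urllib.request.urlopen(request) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Placeholder credentials; use a dedicated, least-privilege API user.
    token = parse_token_response(fetch(build_token_request("admin", "api-user", "api-password")))
    print("admin token", redact(token), "valid for about", DEFAULT_LIFETIME_HOURS["admin"], "hours")
    print(fetch(build_bearer_request("/rest/V1/store/storeConfigs", token)))
```

Because the token endpoints accept a plain username and password, treat them like a login form: rate-limit and monitor failed token requests, and give the API user only the ACL resources it needs.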
By understanding the nuances of Integration, Admin and Customer tokens, you can harness the power of token-based authentication in Magento and optimise your API interactions.