API Authentication in Magento
Introduction
Authentication in Magento plays a crucial role in securing customer data, preventing unauthorized access, and building user trust. Since Magento powers thousands of online stores, understanding authentication techniques is essential for developers, merchants, and businesses. In this guide, we explain available authentication methods, the relationship between ACL and Web API permissions, and best practices for securing API access.
Authentication in Magento
Magento uses webapi.xml to define API resources and permissions. Before making an API call, each user must authenticate. Permissions determine which API endpoints a caller can access.
Accessible Resources Based on User Type
| User Type | Accessible Resources |
|---|---|
| Administrator / Integration | Any resources assigned to them in ACL. Example: Magento_Customer::group allows executing GET /V1/customerGroups/:id |
| Customer | Resources with anonymous or self permissions |
| Guest | Resources with anonymous permission |
Relationship Between acl.xml and webapi.xml
The acl.xml file defines ACL permissions across all Magento modules. Magento builds an ACL tree from these files to determine admin role permissions and Integration API access. The webapi.xml file references these ACL permissions to regulate API access.
Sample: customerGroups webapi.xml Route
```xml
<route url="/V1/customerGroups/:id" method="GET">
    <service class="Magento\Customer\Api\GroupRepositoryInterface" method="getById"/>
    <resources>
        <resource ref="Magento_Customer::group"/>
    </resources>
</route>
```
Sample: Customer Create Route (Anonymous Allowed)
```xml
<route url="/V1/customers" method="POST">
    <service class="Magento\Customer\Api\AccountManagementInterface" method="createAccount"/>
    <resources>
        <resource ref="anonymous"/>
    </resources>
</route>
```
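The two sample routes above, together with the acl.xml/webapi.xml relationship and the user-type table earlier in this guide, can be checked mechanically. The following Python script is an added example (not Magento code): it parses a small acl.xml subtree and a webapi.xml fragment, expands ACL grants down the tree, and lists which routes each caller type can reach. The XML fragments are constructed for the example and modelled on Magento's files; the `/V1/customers/me` route with a `self` resource and the exact ACL subtree are assumptions made for illustration.

```python
# Added example (not Magento code): resolve which caller types may reach each
# route in a webapi.xml fragment, using the access rules the guide states.
# The XML fragments are constructed for this example and modelled on Magento's
# own files; the "/V1/customers/me" route and the acl.xml subtree are assumptions.
import xml.etree.ElementTree as ET

ACL_XML = r"""<config>
  <acl><resources>
    <resource id="Magento_Backend::admin">
      <resource id="Magento_Customer::customer" title="Customers">
        <resource id="Magento_Customer::manage" title="All Customers"/>
        <resource id="Magento_Customer::group" title="Customer Groups"/>
      </resource>
    </resource>
  </resources></acl>
</config>"""

WEBAPI_XML = r"""<routes>
  <route url="/V1/customerGroups/:id" method="GET">
    <service class="Magento\Customer\Api\GroupRepositoryInterface" method="getById"/>
    <resources><resource ref="Magento_Customer::group"/></resources>
  </route>
  <route url="/V1/customers" method="POST">
    <service class="Magento\Customer\Api\AccountManagementInterface" method="createAccount"/>
    <resources><resource ref="anonymous"/></resources>
  </route>
  <route url="/V1/customers/me" method="GET">
    <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="getById"/>
    <resources><resource ref="self"/></resources>
  </route>
</routes>"""


def parse_acl_tree(xml_text):
    """Return {resource_id: parent_id} for every <resource> in an acl.xml."""
    parents = {}

    def walk(node, parent):
        for child in node.findall("resource"):
            parents[child.get("id")] = parent
            walk(child, child.get("id"))

    walk(ET.fromstring(xml_text).find("acl/resources"), None)
    return parents


def expand_grants(granted, parents):
    """A role granted an ACL node also holds every descendant of that node."""
    held = set(granted)
    changed = True
    while changed:
        changed = False
        for rid, parent in parents.items():
            if parent in held and rid not in held:
                held.add(rid)
                changed = True
    return held


def parse_routes(xml_text):
    """Return [(METHOD, url, {resource refs})] in document order."""
    routes = []
    for route in ET.fromstring(xml_text).iter("route"):
        refs = {res.get("ref") for res in route.iter("resource")}
        routes.append((route.get("method").upper(), route.get("url"), refs))
    return routes


def can_access(caller, resources, granted_acl=frozenset(), parents=None):
    """Apply the guide's table. 'anonymous' routes skip authorization for every caller."""
    if "anonymous" in resources:
        return True
    if caller == "guest":
        return False
    if caller == "customer":
        return "self" in resources
    if caller in ("admin", "integration"):
        held = expand_grants(granted_acl, parents or {})
        return bool(resources & held)
    raise ValueError(f"unknown caller type: {caller}")


def reachable(caller, routes, granted_acl=frozenset(), parents=None):
    """List 'METHOD url' for every route the caller type may invoke (useful when auditing exposure)."""
    return [f"{m} {u}" for m, u, refs in routes
            if can_access(caller, refs, granted_acl, parents)]


if __name__ == "__main__":
    acl = parse_acl_tree(ACL_XML)
    routes = parse_routes(WEBAPI_XML)
    print("guest:      ", reachable("guest", routes))
    print("customer:   ", reachable("customer", routes))
    print("integration:", reachable("integration", routes, {"Magento_Customer::customer"}, acl))
```

Running it shows the guest surface is exactly the `anonymous` route, a customer token additionally reaches the `self` route, and an integration granted the parent `Magento_Customer::customer` node inherits `Magento_Customer::group` and therefore the customer-groups route. Pointing `parse_routes` at a module's real `etc/webapi.xml` is a quick way to list what unauthenticated callers can reach after a deployment.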
Web API Clients & Authentication Methods
Mobile Application — Token-Based Authentication
Registered users request a token using their username and password.
```
POST /V1/integration/customer/token
```
Body:
```json
{
  "username": "email@example.com",
  "password": "password123"
}
```
The returned token is sent with API requests:
```
Authorization: Bearer <token>
```
Third-Party Apps — OAuth Authentication
Used for integrations that require OAuth 1.0a. For each integration Magento provides four credentials: a consumer key, a consumer secret, an access token, and an access token secret.
JavaScript Widget / Storefront / Admin — Session-Based Authentication
A session is maintained via cookies. Customers and admin users authenticate by logging in, and Magento checks their session to allow or deny API access.
Token-Based Authentication (Bearer Token)
Used for both Admin and Customer API access.
Example: Admin Token Usage
```bash
curl -X GET "http://example.com/rest/V1/customers/1" \
  -H "Authorization: Bearer 9xvitupdkju0cabq2i3dxyg6bblqmg5h"
```
Integration (Bearer Authentication)
When an integration is created in Magento Admin, Magento generates a consumer key, a consumer secret, an access token, and an access token secret. The access token can be sent as a Bearer token in the same way as the admin token in the example above.
Integration (OAuth)
Used by third-party systems that support OAuth 1.0a. Such systems sign each request with the integration's consumer key, consumer secret, access token, and access token secret, so they do not need to call the OAuth token-exchange endpoints.
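Both OAuth sections above refer to the four integration credentials without showing how a request is signed or checked. The following Python script is an added example (not Magento's own code) that builds an OAuth 1.0a `Authorization` header with HMAC-SHA1 and verifies it server-side, following RFC 5849, which is the signing scheme OAuth 1.0a defines. The credential values, the nonce set, the clock-skew window and the `example.com` URL are constructed placeholders chosen for the example.

```python
# Added example (not Magento's own code): build and verify an OAuth 1.0a
# Authorization header signed with HMAC-SHA1, using the four credentials the
# guide lists. The procedure follows RFC 5849; the credential values and
# the URL are constructed placeholders.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed placeholder credentials of the kind an integration's admin page shows.
CREDS = {
    "consumer_key": "ck_placeholder_1234",
    "consumer_secret": "cs_placeholder_5678",
    "access_token": "at_placeholder_abcd",
    "access_token_secret": "ats_placeholder_efgh",
}


def pct(value):
    """RFC 3986 percent-encoding: only unreserved characters are left as-is."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & base-URL & normalized, sorted parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret, body_params=None):
    """HMAC-SHA1 over the base string, keyed by 'consumer secret & token secret'."""
    params = dict(oauth_params)
    params.update(body_params or {})
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_header(method, url, creds, body_params=None, timestamp=None, nonce=None):
    """Client side: produce the Authorization header for one request."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["access_token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, oauth, creds["consumer_secret"],
                                    creds["access_token_secret"], body_params)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def parse_header(header):
    """Split 'OAuth k="v", ...' back into a dict of decoded values."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    pairs = (item.split("=", 1) for item in header[len("OAuth "):].split(", "))
    return {k: unquote(v.strip('"')) for k, v in pairs}


def verify(method, url, header, creds, seen_nonces, body_params=None, now=None, window=300):
    """Server side: recompute the signature and reject stale, replayed or tampered requests."""
    params = parse_header(header)
    supplied = params.pop("oauth_signature", "")
    if params.get("oauth_consumer_key") != creds["consumer_key"]:
        return False
    if params.get("oauth_token") != creds["access_token"]:
        return False
    now = now if now is not None else int(time.time())
    if abs(now - int(params.get("oauth_timestamp", 0))) > window:
        return False           # outside the accepted clock-skew window
    nonce = params.get("oauth_nonce")
    if not nonce or nonce in seen_nonces:
        return False           # missing or replayed nonce
    expected = sign(method, url, params, creds["consumer_secret"],
                    creds["access_token_secret"], body_params)
    if not hmac.compare_digest(expected, supplied):
        return False           # constant-time comparison of the signatures
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    url = "http://example.com/rest/V1/customers/1"   # constructed URL, host as in the guide
    header = build_header("GET", url, CREDS)
    print(header)
    print("verified:", verify("GET", url, header, CREDS, set()))
```

The verifier checks the consumer key and token before doing any cryptography, bounds the timestamp to a short window, remembers nonces so a captured header cannot be replayed, and compares signatures with `hmac.compare_digest` rather than `==`. Any change to the method, URL, query or body parameters alters the base string and therefore invalidates the signature, which is what makes the four credentials usable without a per-request token exchange.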
Conclusion
Authentication is one of the most critical components of Magento’s security model. By implementing secure authentication methods—such as token-based authentication, OAuth, and strong ACL rules—merchants can protect customer data and maintain trust. As threats evolve, staying updated with Magento’s security practices is essential for a safe and seamless shopping experience.