How to use Magento2 token-based authentication?

Magento 2.0 is the next-generation open-source digital commerce platform, and Magento 2 token-based authentication is the way to access its REST API. This new release offers unmatched flexibility to bring your commerce vision to life. It features a modular code base that enables easier customization, faster time-to-market, and greater deployment flexibility to public or private cloud environments.

While developing an e-commerce mobile application based on Magento 2.0, we observed various enhancements and developments in the latest release, e.g. token-based authentication (a new way to authorize a mobile user to access the REST API), the REST APIs themselves, etc.

Magento 2.0 has a more secure authentication process for clients that need access to the Magento REST API of our store's admin panel. It uses token-based authentication to make a web API call from a mobile application. The crux of token-based authentication is as follows:

  • Client requests access with a username and password
  • Application validates credentials
  • Application provides a signed token to the client.

This signed token acts like an electronic key that lets the client access the API. When we make web API calls, we supply this token in the Authorization request header with the Bearer HTTP authorization scheme to prove our identity. The token never expires, but it can be revoked. The following steps show how to get the authentication token and how to use it in our calls.

Step-by-step guide for using Magento2 token-based authentication

1. Request an authentication token from the Magento token service

Create a POST call with a header and a body. In the header, pass the content type you want to send (XML or JSON); in the body, pass the username and password.

For JSON content type:

curl -X POST "http://your-host-name/rest/V1/integration/customer/token" \
     -H "Content-Type: application/json" \
     -d '{"username":"<user_name>","password":"<password>"}'

For XML content type:

curl -X POST "http://your-host-name/rest/V1/integration/customer/token" \
     -H "Content-Type: application/xml" \
     -d '<login><username>user_name</username><password>password</password></login>'

For example:

For JSON content type:

curl -X POST "" \
     -H "Content-Type: application/json" \
     -d '{"username":"rahulbansal","password":"test123"}'

For XML content type:

curl -X POST "" \
     -H "Content-Type: application/xml" \
     -d '<login><username>rahulbansal</username><password>test123</password></login>'

2. Receive the response with an authentication token from the Magento token service

A successful request returns a response body with the token. For example:


3. Specify the user access

Set up permissions to operate on resources for a specific user from the three different user types: admin, customer, and guest. Create a GET call with the token received above in the header:

For admin access:

Admin users can access all the resources for which their role has been authorized.

curl -X GET "" \
     -H "Authorization: Bearer xyzqstrasvbdbxhsbjanjxsbchqs"

For customer access:

Customers can access only resources configured with the self permission.

curl -X GET "" \
     -H "Authorization: Bearer xyzqstrasvbdbxhsbjanjxsbchqs"

For guest access:

Guest users cannot be authenticated through the existing authentication mechanisms in the Magento web API framework. Guest users can access the resources that are configured with the anonymous permission, so it is optional to specify a token in a web API call for a resource with anonymous permission.

After completing the above steps, clients can access the Magento REST API and call any API they are authorized for by passing the signed token in the Authorization header.
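As an added illustration of the three steps above (example code, not from the original post), here is a small Python client that assembles the token request, validates the token response and builds the Bearer header for later calls. The host shop.example and the https requirement are assumptions; the post itself uses a plain http:// placeholder, but credentials and bearer tokens should only ever travel over TLS.

```python
import json
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Token endpoint quoted in the post; the host used in the tests is constructed.
TOKEN_PATH = "/rest/V1/integration/customer/token"


def build_token_request(base_url, username, password, content_type="json"):
    """Step 1: build (url, headers, body) for the token POST without sending it.

    Credentials are secrets, so the client refuses to assemble a request
    for anything but an https:// base URL (assumption, not a Magento rule).
    """
    if urlsplit(base_url).scheme != "https":
        raise ValueError("token requests must use https")
    if content_type == "json":
        headers = {"Content-Type": "application/json"}
        body = json.dumps({"username": username, "password": password})
    elif content_type == "xml":
        headers = {"Content-Type": "application/xml"}
        # escape() keeps special characters in a password from breaking the XML
        body = ("<login><username>%s</username><password>%s</password></login>"
                % (escape(username), escape(password)))
    else:
        raise ValueError("content_type must be 'json' or 'xml'")
    return base_url.rstrip("/") + TOKEN_PATH, headers, body


def parse_token_response(status, body):
    """Step 2: a successful login answers with the token as a JSON string
    literal; any other status or body shape is rejected, never used as a token."""
    if status != 200:
        raise PermissionError("token request failed with HTTP %d" % status)
    token = json.loads(body)
    if not isinstance(token, str) or not token.strip():
        raise ValueError("response body is not a token string")
    return token


def bearer_header(token):
    """Step 3: the header every later web API call must carry."""
    return {"Authorization": "Bearer " + token}


def redact_for_log(headers):
    """Copy of the request headers that is safe to write to application logs."""
    return {k: ("Bearer [REDACTED]" if k.lower() == "authorization" else v)
            for k, v in headers.items()}
```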

In Conclusion

Magento 2.0 offers great scalability with a more flexible architecture. Magento 2 token-based authentication not only gives easy access to the Magento REST API but also improves the security of the e-commerce store.
