
Magento 2.X Authorization

OAuth Definitions

There are some definitions you need to get familiar with before you start using OAuth. These are as follows:

  • User - A customer who has an account with Magento and can use the services via the Magento API.
  • Consumer - A third-party application that uses OAuth to access the Magento API. This application must be registered in the Magento system to receive the Consumer Key and Consumer Secret.
  • Consumer Key - A value used by the Consumer to identify itself with Magento.
  • Consumer Secret - A secret used by the Consumer to guarantee the ownership of the Consumer Key. This value is not passed in requests.
  • Request Token - A value used by the Consumer to obtain authorization from the User (when needed). The Request Token is exchanged for an Access Token when permission is granted.
  • Access Token - A value used by the Consumer to call Magento APIs on behalf of the User.

Activate an integration

The integration must be configured from the Magento Admin (System > Extensions > Integrations).

The configuration includes a callback URL and an identity link URL. The callback URL specifies where OAuth credentials can be sent when using OAuth for token exchange. The identity link points to the login page of the third-party application that is integrating with Magento.

A merchant can select Save and Activate when the integration is created. Alternatively, the merchant can click Activate for a previously saved integration in the Integration grid.

When the integration is created, Magento generates a consumer key and a consumer secret.

Activating the integration submits the credentials to the endpoint specified when creating the Integration. An HTTP POST from Magento to the Integration endpoint will contain these attributes:

  • store_base_url - For example, http://my-magento-store.com/.
  • oauth_verifier
  • oauth_consumer_key
  • oauth_consumer_key_secret
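
The callback endpoint receives the consumer secret in this POST and is reachable by any sender, so the integration should validate the request before storing anything. The following is an added example, not code from Magento or from this page: it assumes the body is form-encoded, uses the attribute names listed above, and the function names and the allowlist of expected store URLs are hypothetical.

```python
from urllib.parse import parse_qs, urlsplit

# Field names exactly as this page lists them for the activation POST.
REQUIRED = ("store_base_url", "oauth_verifier",
            "oauth_consumer_key", "oauth_consumer_key_secret")

# Constructed sample body; all values are made up.
SAMPLE_BODY = (b"store_base_url=http%3A%2F%2Fmy-magento-store.com%2F"
               b"&oauth_verifier=v-constructed&oauth_consumer_key=k-constructed"
               b"&oauth_consumer_key_secret=s-constructed")


def origin(url):
    """Reduce a URL to (scheme, host, port) for comparison."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("store_base_url is not an http(s) URL")
    if parts.username or parts.password:
        raise ValueError("store_base_url must not carry userinfo")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def parse_activation_post(body, allowed_store_urls):
    """Validate the activation POST body and return its four attributes.

    Assumption: the body is application/x-www-form-urlencoded.
    allowed_store_urls: store base URLs the operator expects (hypothetical).
    """
    fields = parse_qs(body.decode("utf-8"), keep_blank_values=True,
                      strict_parsing=True)
    creds = {}
    for name in REQUIRED:
        values = fields.get(name, [])
        # Exactly one non-empty value; repeated parameters are ambiguous.
        if len(values) != 1 or not values[0]:
            raise ValueError(f"missing or repeated field: {name}")
        creds[name] = values[0]
    # The endpoint is reachable by anyone, so accept only a pinned store.
    allowed = {origin(u) for u in allowed_store_urls}
    if origin(creds["store_base_url"]) not in allowed:
        raise ValueError("store_base_url is not an expected store")
    return creds


def redact(creds):
    """Copy that is safe to log: secret and verifier are masked."""
    hidden = {"oauth_consumer_key_secret", "oauth_verifier"}
    return {k: ("***" if k in hidden else v) for k, v in creds.items()}
```

Log only the output of `redact()`, and store the returned secret in the application's secret store rather than alongside request logs.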

Grants

Grants to the API are configured under the "API" tab. They can be issued granularly per object or as "ALL" to give access to all endpoints.


Screenshots for these steps are listed below.

