Authentication

All API requests must be authenticated using HTTP Basic Authentication. The REST APIs use a two-step process to authenticate a client application and authorize access to resources:

1. Obtain a session token using an application ID and secret.
2. Provide the session token as an HTTP Authorization Bearer header to access a resource.

First, you must create an application on the Developer Portal to obtain an application ID and secret for sandbox and production endpoints.

Session Token

You must use an application ID and secret to obtain a session token. See the following list for examples of an application ID and secret:

• id—AQ17NZ49WC
• secret—8820c99614d65f923df7660276f20e029d73e2ca

The following endpoint grants an application session token:

POST /rest/v1/apps/session/token

You must specify the grant type in the request body:

{
   “grant_type”: “session”
}

The following example shows a request and expected response:

Request

curl -X POST \
     -u 'AQ17NZ49WC:8820c99614d65f923df7660276f20e029d73e2ca' \
     -H 'Content-Type: application/json' \
     -d '{ "grant_type" : "session" }' \
     https://developer-api.magento.com/rest/v1/apps/session/token

Response

A successful HTTP 200 OK response will be sent for a valid application ID and secret:

{
 "mage_id": "MAG123456789",
 "ust": "baGXoStRuR9VCDFQGZNzgNqbqu5WUwlr.cAxZJ9m22Le7",
 "expires_in": 3600
}

Authorization Bearer

After obtaining a valid session token, you must use it as a bearer token in all subsequent API calls.

For example, to access a user profile with a session token:

curl -X GET \
     -H 'Authorization: Bearer baGXoStRuR9VCDFQGZNzgNqbqu5WUwlr.cAxZJ9m22Le7' \
     https://developer-api.magento.com/rest/v1/users/MAG123456789