{"id":380229,"date":"2023-05-10T12:51:15","date_gmt":"2023-05-10T12:51:15","guid":{"rendered":"https:\/\/webkul.com\/blog\/?p=380229"},"modified":"2026-01-02T11:36:44","modified_gmt":"2026-01-02T11:36:44","slug":"how-to-secure-magento-2-api","status":"publish","type":"post","link":"https:\/\/webkul.com\/blog\/how-to-secure-magento-2-api\/","title":{"rendered":"How to secure Magento 2 API"},"content":{"rendered":"\n<p>This guide explains <strong>how to secure the Magento 2 API<\/strong> with clear examples. You will learn how tokens are generated, which authentication types exist, and how resource permissions are controlled.<\/p>\n\n\n\n<p>We will generate tokens to access the <a href=\"https:\/\/webkul.com\/blog\/magento2-custom-rest-api\/\" target=\"_blank\" rel=\"noreferrer noopener\">Magento 2 API<\/a>. Magento 2 supports three types of API authentication:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Token-based authentication<\/li>\n\n\n\n<li>OAuth-based authentication<\/li>\n\n\n\n<li>Session-based authentication<\/li>\n<\/ul>\n\n\n\n<p>The <a href=\"https:\/\/store.webkul.com\/magento2-security-extension.html\" target=\"_blank\" rel=\"noreferrer noopener\">Magento 2 Security<\/a> extension also helps protect your store from common attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1) Secure Magento 2 API using Token-based authentication<\/h2>\n\n\n\n<p>To make a web API call from a client such as a <a href=\"https:\/\/store.webkul.com\/magento2-mobile-app.html\" target=\"_blank\" rel=\"noreferrer noopener\">Magento 2 mobile application<\/a>, you must supply an&nbsp;<em>access token<\/em>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Request for Token<\/h3>\n\n\n\n<p>Magento 2 offers <strong>separate token services<\/strong> for administrators and customers. 
You obtain a token by sending a <strong>POST<\/strong> request with the account\u2019s <strong>username and password<\/strong> in a JSON body; the service returns a <strong>unique access token<\/strong>. Every subsequent API call then carries that token in an <code>Authorization: Bearer &lt;token&gt;<\/code> header, so the password itself is never sent again. Treat the token as a bearer credential: anyone who obtains it can act as that account until it expires or is revoked, so request and use it only over HTTPS. Token lifetimes are set under <strong>Stores &gt; Configuration &gt; Services &gt; OAuth &gt; Access Token Expiration<\/strong> (by default 4 hours for admin tokens and 1 hour for customer tokens).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Request for Customer Token<\/h3>\n\n\n\n<p>Customer token: <code>POST \/V1\/integration\/customer\/token<\/code>, with <code>username<\/code> and <code>password<\/code> in the JSON body<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"865\" height=\"591\" src=\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/customerToken.png\" alt=\"customerToken\" class=\"wp-image-380396\" srcset=\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/customerToken.png 865w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/customerToken-300x205.png 300w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/customerToken-250x171.png 250w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/customerToken-768x525.png 768w\" sizes=\"(max-width: 865px) 100vw, 865px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Request for Admin Token<\/h3>\n\n\n\n<p>Admin token: <code>POST \/V1\/integration\/admin\/token<\/code>, with <code>username<\/code> and <code>password<\/code> in the JSON body. An admin token inherits every ACL permission of the admin user\u2019s role, so issue it to a dedicated, least-privileged admin account rather than a super-administrator.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"870\" height=\"590\" src=\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/adminToken.png\" alt=\"adminToken\" class=\"wp-image-380397\" srcset=\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/adminToken.png 870w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/adminToken-300x203.png 300w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/adminToken-250x170.png 250w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/adminToken-768x521.png 768w\" sizes=\"(max-width: 870px) 100vw, 870px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Authentication and permissions<\/h3>\n\n\n\n<p>Magento 2 lets 
developers <strong>define web API routes and the resources (permissions) they require<\/strong> in each module\u2019s <strong>etc\/webapi.xml<\/strong> configuration file.<\/p>\n\n\n\n<p>Before a web API call is served, the framework must <strong>authenticate the caller<\/strong> and check that the caller holds the <strong>permissions<\/strong> the route requires. Authentication establishes the caller\u2019s <strong>user type<\/strong>, and that type (administrator, integration, customer, or guest) determines which resources the call may access.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>USER TYPE<\/strong><\/td><td><strong>ACCESSIBLE RESOURCES (DEFINED IN WEBAPI.XML)<\/strong><\/td><\/tr><tr><td>Administrator or Integration<\/td><td>Resources whose ACL id the admin role, or the integration\u2019s API permissions, is authorized for. For example, a role authorized for the <code>Magento_Customer::group<\/code> resource can make a <code>GET \/V1\/customerGroups\/:id<\/code> call.<\/td><\/tr><tr><td>Customer<\/td><td>Resources with&nbsp;<code>anonymous<\/code>&nbsp;or&nbsp;<code>self<\/code>&nbsp;permission<\/td><\/tr><tr><td>Guest user<\/td><td>Resources with&nbsp;<code>anonymous<\/code>&nbsp;permission<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Example for self<\/strong><\/h3>\n\n\n\n<p>A customer authenticates with their <strong>username and password<\/strong>. 
In response, the system issues a customer <strong>token<\/strong>. A route that declares the <code>self<\/code> resource accepts that token and acts only on the token owner\u2019s own data: the <code>%customer_id%<\/code> placeholder is filled from the authenticated token, and <code>force=&quot;true&quot;<\/code> overrides any <code>customer_id<\/code> the caller puts in the request, so one customer cannot read or change another customer\u2019s record by editing the id.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\">&lt;route url=&quot;\/V1\/customers&quot; method=&quot;GET&quot;&gt;\n    &lt;service class=&quot;Vendor\\Module\\Api\\CustomerManagementInterface&quot; method=&quot;getCustomerList&quot;\/&gt;\n    &lt;resources&gt;\n        &lt;resource ref=&quot;self&quot;\/&gt;\n    &lt;\/resources&gt;\n    &lt;data&gt;\n        &lt;parameter name=&quot;customer_id&quot; force=&quot;true&quot;&gt;%customer_id%&lt;\/parameter&gt;\n    &lt;\/data&gt;\n&lt;\/route&gt;<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Example for anonymous<\/strong><\/h3>\n\n\n\n<p>Routes with the <code>anonymous<\/code> resource are open to unauthenticated callers, so expose only data that is genuinely public through them.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\">&lt;route url=&quot;\/V1\/products&quot; method=&quot;GET&quot;&gt;\n    &lt;service class=&quot;Vendor\\Module\\Api\\ProductRepositoryInterface&quot; method=&quot;getProducts&quot;\/&gt;\n    &lt;resources&gt;\n        &lt;resource ref=&quot;anonymous&quot;\/&gt;\n    &lt;\/resources&gt;\n&lt;\/route&gt;<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Example for admin-authorized<\/strong> REST API<\/h3>\n\n\n\n<p>A custom web API route guarded by an ACL resource. Only an admin token or integration whose role includes <code>Vendor_Module::name<\/code> can call it; customer tokens and guests are rejected.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\">&lt;route url=&quot;\/V1\/products&quot; method=&quot;GET&quot;&gt;\n    &lt;service class=&quot;Vendor\\Module\\Api\\ProductRepositoryInterface&quot; method=&quot;getProducts&quot;\/&gt;\n    &lt;resources&gt;\n        &lt;resource ref=&quot;Vendor_Module::name&quot;\/&gt;\n    &lt;\/resources&gt;\n&lt;\/route&gt;<\/pre>\n\n\n\n<p>Declare the ACL resource in the module\u2019s <strong>etc\/acl.xml<\/strong> so that it can be granted to admin roles and integrations:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\">&lt;?xml version=&quot;1.0&quot;?&gt;\n&lt;config xmlns:xsi=&quot;http:\/\/www.w3.org\/2001\/XMLSchema-instance&quot;\n        xsi:noNamespaceSchemaLocation=&quot;urn:magento:framework:Acl\/etc\/acl.xsd&quot;&gt;\n    
&lt;acl&gt;\n        &lt;resources&gt;\n            &lt;resource id=&quot;Magento_Backend::admin&quot;&gt;\n                &lt;resource id=&quot;Vendor_Module::name&quot; title=&quot;Product List&quot;\/&gt;\n            &lt;\/resource&gt;\n        &lt;\/resources&gt;\n    &lt;\/acl&gt;\n&lt;\/config&gt;<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">2) Secure Magento 2 API via OAuth-based authentication<\/h2>\n\n\n\n<p>Adobe Commerce and Magento Open Source use <strong>OAuth 1.0a<\/strong> for API authentication by third-party applications. OAuth works as a <strong>token-passing mechanism<\/strong>: the store controls which applications can access its data without ever handing them an admin user ID or password.<\/p>\n\n\n\n<p>In Commerce, a third-party application that authenticates via OAuth is called an <strong>integration<\/strong>. Each integration specifies the resources the application can access, either all resources or a selected subset; grant only the resources the application actually needs.<\/p>\n\n\n\n<p>During integration registration, Commerce generates the tokens the application needs for authentication. First, it creates a <strong>request token<\/strong>, which is short-lived and must be exchanged for an <strong>access token<\/strong>. Access tokens are long-lived: they remain valid until the merchant explicitly revokes the application&#8217;s access, so the application must store them as carefully as a password.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">OAuth authentication process to secure Magento 2 API<\/h3>\n\n\n\n<p>The following diagram shows the OAuth authentication process. 
Each step is described further.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"724\" height=\"1024\" src=\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/aPIoyhtg-724x1024.jpg\" alt=\"aPIoyhtg\" class=\"wp-image-382574\" srcset=\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/aPIoyhtg-724x1024.jpg 724w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/aPIoyhtg-212x300.jpg 212w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/aPIoyhtg-176x249.jpg 176w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/aPIoyhtg-768x1086.jpg 768w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/aPIoyhtg.jpg 827w\" sizes=\"(max-width: 724px) 100vw, 724px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Create an integration:<\/strong> The merchant creates a new integration from the Admin panel. Commerce generates a <strong>consumer key<\/strong> and a <strong>consumer secret<\/strong> for the integration.<\/li>\n\n\n\n<li><strong>Activate the integration:<\/strong> The OAuth process starts when the merchant activates the integration. Magento sends the <strong>consumer key<\/strong>, <strong>consumer secret<\/strong>, <strong>OAuth verifier<\/strong>, and the <strong>store URL<\/strong> to the external application using an HTTPS POST to the callback URL defined in Admin.<\/li>\n\n\n\n<li><strong>Process activation information:<\/strong> The integrator stores the activation information received in step 2. 
These parameters are required for requesting tokens later in the flow.<\/li>\n\n\n\n<li><strong>Call the application&#8217;s login page:<\/strong> Commerce invokes the page defined in the <strong>Identity Link<\/strong> field in Admin to initiate the login process on the external application.<\/li>\n\n\n\n<li><strong>Merchant logs in to the external application:<\/strong> The merchant enters credentials on the login page. Upon successful login, the application redirects back to the location specified in the call, and the login page is dismissed.<\/li>\n\n\n\n<li><strong>Request a request token:<\/strong> The external application calls the <strong>POST \/oauth\/token\/request<\/strong> REST API to request a <strong>request token<\/strong>. The <strong>Authorization<\/strong> header includes the consumer key and other required parameters.<\/li>\n\n\n\n<li><strong>Send the request token:<\/strong> Commerce responds with the <strong>request token<\/strong> and <strong>request token secret<\/strong>.<\/li>\n\n\n\n<li><strong>Request an access token:<\/strong> The application calls the <strong>POST \/oauth\/token\/access<\/strong> REST API to exchange the request token for an <strong>access token<\/strong>. The <strong>Authorization<\/strong> header includes the request token and other required information.<\/li>\n\n\n\n<li><strong>Commerce sends the access token:<\/strong> If the request succeeds, Magento returns the <strong>access token<\/strong> and <strong>access token secret<\/strong>.<\/li>\n\n\n\n<li><strong>Access Magento resources:<\/strong> The application can now make authenticated API calls. Every request to Commerce must include the full set of parameters in the <strong>Authorization<\/strong> header to access the web APIs.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Activate an integration to secure Magento 2 API<\/h2>\n\n\n\n<p>You must configure the integration from the Admin panel under <strong>System &gt; Extensions &gt; Integrations<\/strong>. 
During configuration, provide a <strong>callback URL<\/strong> and an <strong>identity link URL<\/strong>.<\/p>\n\n\n\n<p>The <strong>callback URL<\/strong> specifies where Commerce should send OAuth credentials during the token exchange process. The <strong>identity link URL<\/strong> points to the login page of the third-party application that integrates with Commerce, enabling proper authentication.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1200\" height=\"589\" src=\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/save-1200x589.png\" alt=\"save\" class=\"wp-image-382558\" srcset=\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/save-1200x589.png 1200w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/save-300x147.png 300w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/save-250x123.png 250w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/save-768x377.png 768w, https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2023\/05\/save.png 1287w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p>When creating an integration, a merchant can choose <strong>Save and Activate<\/strong> immediately. Alternatively, the merchant can activate a previously saved integration by clicking <strong>Activate<\/strong> from the Integrations grid.<\/p>\n\n\n\n<p>Once the integration is created, Commerce generates a <strong>consumer key<\/strong> and a <strong>consumer secret<\/strong>.<\/p>\n\n\n\n<p>Activating the integration sends these credentials to the endpoint specified during integration setup. 
Commerce performs an <strong>HTTP POST<\/strong> to the integration endpoint, including the following attributes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>store_base_url<\/code><\/li>\n\n\n\n<li><code>oauth_verifier<\/code><\/li>\n\n\n\n<li><code>oauth_consumer_key<\/code><\/li>\n\n\n\n<li><code>oauth_consumer_secret<\/code><\/li>\n<\/ul>\n\n\n\n<p>Integrations use the&nbsp;<code>oauth_consumer_key<\/code>&nbsp;(signing with the <code>oauth_consumer_secret<\/code>) to get a request token and the&nbsp;<code>oauth_verifier<\/code>&nbsp;to get an access token. Because this POST carries the consumer secret, the callback URL must be an HTTPS endpoint that you control.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">OAuth handshake details<\/h3>\n\n\n\n<p>Completing the OAuth handshake takes two steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Get a request token<\/li>\n\n\n\n<li>Get an access token<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Get a request token<\/h3>\n\n\n\n<p>A request token is a temporary token that the application exchanges for an access token. Use the following API to get a request token from Commerce:<\/p>\n\n\n\n<p><code>POST \/oauth\/token\/request<\/code><\/p>\n\n\n\n<p>You must include these request parameters in the&nbsp;<code>Authorization<\/code>&nbsp;header in the call:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>PARAMETER<\/strong><\/td><td><strong>DESCRIPTION<\/strong><\/td><\/tr><tr><td>oauth_consumer_key<\/td><td>The consumer key is generated when you create the integration.<\/td><\/tr><tr><td>oauth_signature_method<\/td><td>The name of the signature method used to sign the request. 
Must be the value&nbsp;<code>HMAC-SHA256<\/code>.<\/td><\/tr><tr><td>oauth_signature<\/td><td>The HMAC-SHA256 signature over the request (see The OAuth signature below).<\/td><\/tr><tr><td>oauth_nonce<\/td><td>A random value generated by the application and never reused; Commerce rejects a nonce it has already seen from the same consumer.<\/td><\/tr><tr><td>oauth_timestamp<\/td><td>A positive integer, the number of seconds since January 1, 1970 00:00:00 GMT. Commerce rejects requests whose timestamp is too far from its own clock, so keep the client clock synchronized.<\/td><\/tr><tr><td>oauth_version<\/td><td>The OAuth version, <code>1.0<\/code>.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The response contains these fields:<\/p>\n\n\n\n<p><strong>1) <code>oauth_token<\/code> &#8211;<\/strong> The request token to present when requesting an access token.<\/p>\n\n\n\n<p><strong>2) <code>oauth_token_secret<\/code> &#8211; <\/strong>A secret value that establishes ownership of the token; it becomes part of the signing key for the next call.<\/p>\n\n\n\n<p>The response looks like this:<\/p>\n\n\n\n<p><code>oauth_token=4cqw0r7vo0s5goyyqnjb72sqj3vxwr0h&amp;oauth_token_secret=rig3x3j5a9z5j6d4ubjwyf9f1l21itrr<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Get an access token<\/h3>\n\n\n\n<p>The request token must be exchanged for an access token. Because Commerce itself issued the <code>oauth_verifier<\/code> at activation, there is no separate user-authorization leg; this is known as a 2-legged OAuth handshake. Use the following API to get an access token from Commerce:<\/p>\n\n\n\n<p><code>POST \/oauth\/token\/access<\/code><\/p>\n\n\n\n<p>You must include these request parameters in the&nbsp;<code>Authorization<\/code>&nbsp;header in the call:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>PARAMETER<\/strong><\/td><td><strong>DESCRIPTION<\/strong><\/td><\/tr><tr><td>oauth_consumer_key<\/td><td>The consumer key value that you retrieve after you register the integration.<\/td><\/tr><tr><td>oauth_nonce<\/td><td>A random value that is uniquely generated by the application.<\/td><\/tr><tr><td>oauth_signature<\/td><td>A generated value (signature)<\/td><\/tr><tr><td>oauth_signature_method<\/td><td>The name of the signature method used to sign the request. 
Must be the value&nbsp;<code>HMAC-SHA256<\/code>.<\/td><\/tr><tr><td>oauth_timestamp<\/td><td>A positive integer, expressed in the number of seconds since January 1, 1970 00:00:00 GMT.<\/td><\/tr><tr><td>oauth_version<\/td><td>The OAuth version.<\/td><\/tr><tr><td>oauth_token<\/td><td>The oauth_token value, or request token, obtained in Get a request token.<\/td><\/tr><tr><td>oauth_verifier<\/td><td>The verification code that is tied to the consumer and request token. It is sent as part of the initial POST operation when the integration is activated.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The response looks like this:<\/p>\n\n\n\n<p>oauth_token=0lnuajnuzeei2o8xcddii5us77xnb6v0&amp;oauth_token_secret=1c6d2hycnir5ygf39fycs6zhtaagx8pd<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Access the web APIs<\/h3>\n\n\n\n<p>After you authorize an integration to make API calls, third-party applications registered as integrations can invoke web APIs using the <strong>access token<\/strong>.<\/p>\n\n\n\n<p>To make a web API call with the access token, include it in your request. For example:<\/p>\n\n\n\n<p><code>GET \/rest\/V1\/products\/1<\/code><\/p>\n\n\n\n<p>Ensure that you include the required parameters in the <strong>Authorization<\/strong> header of your request. This allows the API to authenticate the integration and grant access to the requested resource:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>oauth_consumer_key<\/li>\n\n\n\n<li>oauth_nonce<\/li>\n\n\n\n<li>oauth_signature_method <\/li>\n\n\n\n<li>oauth_signature<\/li>\n\n\n\n<li>oauth_timestamp<\/li>\n\n\n\n<li>oauth_token<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">The OAuth signature<\/h3>\n\n\n\n<p>All OAuth handshake requests and Web API calls include a signature in the <strong>Authorization<\/strong> header. 
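<\/p>\n\n\n\n<p>The signing computation this section describes, as an added example that is not code from the original post or from Magento itself: a Python script that builds the signature base string from the HTTP method, the normalized URL and the sorted <code>oauth_*<\/code> parameters, signs it with HMAC-SHA256 under the key <code>consumer_secret&amp;token_secret<\/code>, emits the <code>Authorization<\/code> header, and, on the receiving side, rejects stale timestamps and replayed nonces before comparing signatures in constant time. The store URL and credential strings are constructed placeholders, and the 300-second timestamp window in <code>verify()<\/code> is an assumption for this example rather than Commerce\u2019s configured value.<\/p>\n\n\n\n
```python
"""OAuth 1.0a request signing for Adobe Commerce / Magento 2 web API calls (HMAC-SHA256).

Added example, not code from the original post or from Magento. The store URL and
credentials used below are constructed placeholders, and the 300 s timestamp window
in verify() is an assumption for this example, not Commerce's configured value.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote, urlsplit, urlunsplit

SIGNATURE_METHOD = "HMAC-SHA256"


def percent_encode(value) -> str:
    """OAuth 1.0a requires strict RFC 3986 encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def normalize_url(url: str) -> str:
    """Base-string URL: lower-cased scheme and host, default port dropped, query removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&enc(url)&enc(sorted k=v pairs). oauth_signature is never part of the base string;
    query-string and form-body parameters of the real request must be included in params."""
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join((method.upper(), percent_encode(normalize_url(url)), percent_encode(normalized)))


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA256 keyed with consumer_secret '&' token_secret; the '&' stays even when the
    token secret is empty, which is the case for the /oauth/token/request call."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def authorization_header(method, url, consumer_key, consumer_secret, token="", token_secret="",
                         extra=None, nonce=None, timestamp=None) -> str:
    """Client side: build the Authorization header for /oauth/token/request, /oauth/token/access
    or any /rest call. extra carries further oauth_* fields, e.g. {"oauth_verifier": ...}."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": SIGNATURE_METHOD,
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    params.update(extra or {})
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in params.items())


def parse_authorization_header(header: str) -> dict:
    """Decode the quoted, percent-encoded k="v" list back into a parameter dict."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth 1.0a Authorization header")
    params = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        params[unquote(key)] = unquote(value.strip('"'))
    return params


def verify(method, url, header, consumer_secret, token_secret, seen_nonces, now=None, max_skew=300):
    """Resource-server side: reject stale timestamps and replayed nonces first, then recompute the
    signature and compare in constant time. seen_nonces is the caller's persistent replay cache."""
    params = parse_authorization_header(header)
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > max_skew:
        return False
    nonce_key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"))
    if not nonce_key[1] or nonce_key in seen_nonces:
        return False
    expected = sign(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
        return False
    seen_nonces.add(nonce_key)
    return True


if __name__ == "__main__":
    # Constructed placeholders standing in for what the store POSTs to the callback URL.
    store, ck, cs = "https://magento.example", "consumer-key-placeholder", "consumer-secret-placeholder"
    url = f"{store}/oauth/token/request"
    header = authorization_header("POST", url, ck, cs)
    print(header)
    seen = set()
    print("first use valid:", verify("POST", url, header, cs, "", seen))
    print("replay accepted:", verify("POST", url, header, cs, "", seen))
```
\n\n\n\n<p>Run it with <code>python3<\/code> to print a signed request-token call and check it once (valid) and again (rejected as a replay). Two details matter against a real store: <code>oauth_signature<\/code> is never part of the string it signs, and any query-string or form-body parameters of a <code>\/rest<\/code> call must be added to the parameter set before signing even though only the <code>oauth_*<\/code> fields travel in the header. The steps that follow spell out the same base string piece by piece.<\/p>\n\n\n\n<p>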
You generate this signature using the following process:<\/p>\n\n\n\n<p>First, build the <strong>signature base string<\/strong> from the URL-encoded request attributes and parameters: the HTTP method, the request URL (without query string), and every <code>oauth_*<\/code> parameter except <code>oauth_signature<\/code>, together with any query-string or body parameters, sorted by name. For the calls described here that means:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HTTP method<\/li>\n\n\n\n<li>URL<\/li>\n\n\n\n<li>oauth_nonce<\/li>\n\n\n\n<li>oauth_signature_method<\/li>\n\n\n\n<li>oauth_timestamp<\/li>\n\n\n\n<li>oauth_version<\/li>\n\n\n\n<li>oauth_consumer_key<\/li>\n\n\n\n<li>oauth_token<\/li>\n<\/ul>\n\n\n\n<p>Next, apply the <strong>HMAC-SHA256<\/strong> signature method to the base string. Construct the signing key by concatenating the <strong>consumer secret<\/strong> and <strong>token secret<\/strong>, separated by an ampersand (<code>&amp;<\/code>), even if one of the values is empty, as it is for the request-token call.<\/p>\n\n\n\n<p>Throughout, encode each key and value with <strong>URL parameter (RFC 3986 percent) encoding<\/strong> before concatenating it, and base64-encode the resulting HMAC as the <code>oauth_signature<\/code> value. The server recomputes the same value from the received request, so any change to the method, URL or parameters in transit invalidates the signature.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">OAuth token exchange example to secure Magento 2 API<\/h3>\n\n\n\n<p>The scripts in this document simulate the Commerce OAuth 1.0a token exchange flow. You can place these scripts in the document root of a test installation to expose them as endpoints, and the store will then interact with them to complete the token exchange.<\/p>\n\n\n\n<p>They are a simulation only: the login check is a stub, the session id is fixed, and the redirect target is taken from the request without validation. Do not deploy them on an internet-facing host, and in a real integration serve the callback and identity-link URLs over HTTPS, since the activation POST carries the consumer secret.<\/p>\n\n\n\n<p>Follow these steps for the OAuth 1.0a token exchange:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log in to your Admin panel and navigate to <strong>System &gt; Extensions &gt; Integrations<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Add New Integration<\/strong>.<\/li>\n\n\n\n<li>Complete all fields in the <strong>Integration Info<\/strong> tab:\n<ul class=\"wp-block-list\">\n<li><strong>Name:<\/strong> SomeUniqueIntegrationName<\/li>\n\n\n\n<li><strong>Callback URL:<\/strong> http:\/\/your_app_host\/endpoint.php<\/li>\n\n\n\n<li><strong>Identity link URL:<\/strong> http:\/\/your_app_host\/login.php<br>Then, configure permissions as needed on the <strong>API<\/strong> tab.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>From the drop-down menu, select <strong>Save and Activate<\/strong>.<\/li>\n\n\n\n<li>A pop-up window appears, confirming the API permissions. Click <strong>Allow<\/strong>. (Ensure your browser allows pop-ups.) This action posts the credentials to <strong>endpoint.php<\/strong>. Another pop-up opens the <strong>login.php<\/strong> script for the identity linking step.<\/li>\n\n\n\n<li>Click <strong>Login<\/strong>. (The script simulates login, so it does not perform a real authentication check.) The <strong>checklogin.php<\/strong> script receives the posted credentials and completes the token exchange.<\/li>\n\n\n\n<li>After the token exchange finishes successfully, the system redirects you back to the Integrations grid. The newly created integration should now appear in the <strong>Active<\/strong> state.<\/li>\n\n\n\n<li>Click the edit icon for the integration and review the <strong>Integration Details<\/strong> on the <strong>Integration Info<\/strong> tab. 
You will see all the credentials required to make authenticated API requests using OAuth 1.0.<\/li>\n<\/ol>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<h3 class=\"wp-block-heading\"><strong>checklogin.php<\/strong><\/h3>\n<\/blockquote>\n\n\n\n<pre class=\"EnlighterJSRAW\">&lt;?php\nrequire &#039;.\/vendor\/autoload.php&#039;;\nrequire &#039;.\/OauthClient.php&#039;; \/\/ the client class listed below\n\n$consumerKey = $_REQUEST&#091;&#039;oauth_consumer_key&#039;];\n$callback = $_REQUEST&#091;&#039;callback_url&#039;];\n\n\/\/ Sample only: a fixed session id lets endpoint.php and this script share state without a database.\nsession_id(&#039;test&#039;);\nsession_start();\n\n\/** Use $consumerKey to retrieve the following data in case it was stored in DB when received at &quot;endpoint.php&quot; *\/\nif ($consumerKey !== $_SESSION&#091;&#039;oauth_consumer_key&#039;]) {\n    throw new \\Exception(&quot;Consumer keys received on different requests do not match.&quot;);\n}\n\n$consumerSecret = $_SESSION&#091;&#039;oauth_consumer_secret&#039;];\n$magentoBaseUrl = rtrim($_SESSION&#091;&#039;store_base_url&#039;], &#039;\/&#039;);\n$oauthVerifier = $_SESSION&#091;&#039;oauth_verifier&#039;];\n\n\/\/ OauthClient derives its token endpoints from this constant.\ndefine(&#039;TESTS_BASE_URL&#039;, $magentoBaseUrl);\n\n$credentials = new \\OAuth\\Common\\Consumer\\Credentials($consumerKey, $consumerSecret, $magentoBaseUrl);\n$oAuthClient = new OauthClient($credentials);\n\/\/ Handshake step 1: POST \/oauth\/token\/request, signed with the consumer secret and an empty token secret.\n$requestToken = $oAuthClient-&gt;requestRequestToken();\n\/\/ Handshake step 2: POST \/oauth\/token\/access, signed with consumer secret + request token secret and carrying oauth_verifier.\n$accessToken = $oAuthClient-&gt;requestAccessToken(\n    $requestToken-&gt;getRequestToken(),\n    $oauthVerifier,\n    $requestToken-&gt;getRequestTokenSecret()\n);\n\/\/ $accessToken-&gt;getAccessToken() and getAccessTokenSecret() are the long-lived credentials;\n\/\/ a real integration persists them encrypted and never logs them.\n\n\/\/ Sample only: a real integration must check that $callback points back to $magentoBaseUrl\n\/\/ before redirecting, otherwise this line is an open redirect.\nheader(&quot;location: $callback&quot;);<\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<h3 class=\"wp-block-heading\">endpoint.php<\/h3>\n<\/blockquote>\n\n\n\n<pre class=\"EnlighterJSRAW\">&lt;?php\nsession_id(&#039;test&#039;);\nsession_start();\n\n\/\/ If this data is stored in the DB, oauth_consumer_key can be used as ID to retrieve this data later in &quot;checklogin.php&quot;\n\/\/ For simplicity of this 
sample, it is stored in session\n\/\/ Production: persist these values encrypted, keyed by oauth_consumer_key, and accept this POST only over HTTPS.\n$_SESSION&#091;&#039;oauth_consumer_key&#039;] = $_POST&#091;&#039;oauth_consumer_key&#039;];\n\n$_SESSION&#091;&#039;oauth_consumer_secret&#039;] = $_POST&#091;&#039;oauth_consumer_secret&#039;];\n$_SESSION&#091;&#039;store_base_url&#039;] = $_POST&#091;&#039;store_base_url&#039;];\n$_SESSION&#091;&#039;oauth_verifier&#039;] = $_POST&#091;&#039;oauth_verifier&#039;];\n\nsession_write_close();\n\nheader(&quot;HTTP\/1.0 200 OK&quot;);\necho &quot;Response&quot;;<\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<h3 class=\"wp-block-heading\">login.php<\/h3>\n<\/blockquote>\n\n\n\n<pre class=\"EnlighterJSRAW\">&lt;?php\n\/\/ Both values come from the request and are echoed into HTML, so escape them to avoid reflected XSS.\n$consumerKey = htmlspecialchars($_REQUEST&#091;&#039;oauth_consumer_key&#039;] ?? &#039;&#039;, ENT_QUOTES);\n$callbackUrl = urlencode(urldecode($_REQUEST&#091;&#039;success_call_back&#039;] ?? &#039;&#039;));\n\necho &lt;&lt;&lt;HTML\n&lt;table width=&quot;300&quot; border=&quot;0&quot; align=&quot;center&quot; cellpadding=&quot;0&quot; cellspacing=&quot;1&quot; bgcolor=&quot;#CCCCCC&quot;&gt;\n    &lt;tr&gt;\n        &lt;form name=&quot;form1&quot; method=&quot;post&quot; action=&quot;checklogin.php?oauth_consumer_key={$consumerKey}&amp;callback_url={$callbackUrl}&quot;&gt;\n            &lt;td&gt;\n                &lt;table width=&quot;100%&quot; border=&quot;0&quot; cellpadding=&quot;3&quot; cellspacing=&quot;1&quot; bgcolor=&quot;#FFFFFF&quot;&gt;\n                    &lt;tr&gt;\n                        &lt;td colspan=&quot;3&quot;&gt;&lt;strong&gt;Integrations Login&lt;\/strong&gt;&lt;\/td&gt;\n                    &lt;\/tr&gt;\n                    &lt;tr&gt;\n                        &lt;td width=&quot;78&quot;&gt;Username&lt;\/td&gt;\n                        &lt;td width=&quot;6&quot;&gt;:&lt;\/td&gt;\n                        &lt;td width=&quot;294&quot;&gt;&lt;input name=&quot;myusername&quot; type=&quot;text&quot; id=&quot;myusername&quot;&gt;&lt;\/td&gt;\n                    &lt;\/tr&gt;\n                    &lt;tr&gt;\n                        &lt;td&gt;Password&lt;\/td&gt;\n                        
&lt;td&gt;:&lt;\/td&gt;\n                        &lt;td&gt;&lt;input name=&quot;mypassword&quot; type=&quot;password&quot; id=&quot;mypassword&quot;&gt;&lt;\/td&gt;\n                    &lt;\/tr&gt;\n                    &lt;tr&gt;\n                        &lt;td&gt;&amp;nbsp;&lt;\/td&gt;\n                        &lt;td&gt;&amp;nbsp;&lt;\/td&gt;\n                        &lt;td&gt;&lt;input type=&quot;submit&quot; name=&quot;Submit&quot; value=&quot;Login&quot;&gt;&lt;\/td&gt;\n                    &lt;\/tr&gt;\n                &lt;\/table&gt;\n            &lt;\/td&gt;\n        &lt;\/form&gt;\n    &lt;\/tr&gt;\n&lt;\/table&gt;\nHTML;<\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<h3 class=\"wp-block-heading\">OauthClient.php<\/h3>\n<\/blockquote>\n\n\n\n<pre class=\"EnlighterJSRAW\">&lt;?php\n\nuse OAuth\\Common\\Consumer\\Credentials;\nuse OAuth\\Common\\Http\\Client\\ClientInterface;\nuse OAuth\\Common\\Http\\Exception\\TokenResponseException;\nuse OAuth\\Common\\Http\\Uri\\Uri;\nuse OAuth\\Common\\Http\\Uri\\UriInterface;\nuse OAuth\\Common\\Storage\\TokenStorageInterface;\nuse OAuth\\OAuth1\\Service\\AbstractService;\nuse OAuth\\OAuth1\\Signature\\SignatureInterface;\nuse OAuth\\OAuth1\\Token\\StdOAuth1Token;\nuse OAuth\\OAuth1\\Token\\TokenInterface;\n\nclass OauthClient extends AbstractService\n{\n    \/** @var string|null *\/\n    protected $_oauthVerifier = null;\n\n    public function __construct(\n        Credentials $credentials,\n        ClientInterface $httpClient = null,\n        TokenStorageInterface $storage = null,\n        SignatureInterface $signature = null,\n        UriInterface $baseApiUri = null\n    ) {\n        if (!isset($httpClient)) {\n            $httpClient = new \\OAuth\\Common\\Http\\Client\\StreamClient();\n        }\n        if (!isset($storage)) {\n            $storage = new \\OAuth\\Common\\Storage\\Session();\n        }\n        if (!isset($signature)) {\n            $signature = new 
\\OAuth\\OAuth1\\Signature\\Signature($credentials);\n        }\n        parent::__construct($credentials, $httpClient, $storage, $signature, $baseApiUri);\n    }\n\n    \/**\n     * Request-token endpoint of the store (handshake step 6). TESTS_BASE_URL is defined in\n     * checklogin.php from the store_base_url received at activation, so no host is hard-coded here.\n     *\n     * @return UriInterface\n     *\/\n    public function getRequestTokenEndpoint()\n    {\n        return new Uri(TESTS_BASE_URL . &#039;\/oauth\/token\/request&#039;);\n    }\n\n    \/**\n     * Returns the authorization API endpoint.\n     *\n     * @throws \\OAuth\\Common\\Exception\\Exception\n     *\/\n    public function getAuthorizationEndpoint()\n    {\n        throw new \\OAuth\\Common\\Exception\\Exception(\n            &#039;The REST API is 2-legged. Current operation is not available.&#039;\n        );\n    }\n\n    \/**\n     * Access-token endpoint of the store (handshake step 8), on the same base URL.\n     *\n     * @return UriInterface\n     *\/\n    public function getAccessTokenEndpoint()\n    {\n        return new Uri(TESTS_BASE_URL . &#039;\/oauth\/token\/access&#039;);\n    }\n\n    \/**\n     * Parses the access token response and returns a TokenInterface.\n     *\n     * @param string $responseBody\n     * @return TokenInterface\n     *\/\n    protected function parseAccessTokenResponse($responseBody)\n    {\n        return $this-&gt;_parseToken($responseBody);\n    }\n\n    \/**\n     * Parses the request token response and returns a TokenInterface.\n     *\n     * @param string $responseBody\n     * @return TokenInterface\n     * @throws TokenResponseException\n     *\/\n    protected function parseRequestTokenResponse($responseBody)\n    {\n        $data = $this-&gt;_parseResponseBody($responseBody);\n        if (isset($data&#091;&#039;oauth_verifier&#039;])) {\n            $this-&gt;_oauthVerifier = $data&#091;&#039;oauth_verifier&#039;];\n        }\n        return $this-&gt;_parseToken($responseBody);\n    }\n\n    \/**\n     * Parse response body and create oAuth token object based on parameters provided.\n     *\n     * @param string $responseBody\n     * @return StdOAuth1Token\n     * @throws 
TokenResponseException\n     *\/\n    protected function _parseToken($responseBody)\n    {\n        $data = $this-&gt;_parseResponseBody($responseBody);\n        $token = new StdOAuth1Token();\n        $token-&gt;setRequestToken($data&#091;&#039;oauth_token&#039;]);\n        $token-&gt;setRequestTokenSecret($data&#091;&#039;oauth_token_secret&#039;]);\n        $token-&gt;setAccessToken($data&#091;&#039;oauth_token&#039;]);\n        $token-&gt;setAccessTokenSecret($data&#091;&#039;oauth_token_secret&#039;]);\n        $token-&gt;setEndOfLife(StdOAuth1Token::EOL_NEVER_EXPIRES);\n        unset($data&#091;&#039;oauth_token&#039;], $data&#091;&#039;oauth_token_secret&#039;]);\n        $token-&gt;setExtraParams($data);\n        return $token;\n    }\n\n    \/**\n     * Parse response body and return data in array.\n     *\n     * @param string $responseBody\n     * @return array\n     * @throws \\OAuth\\Common\\Http\\Exception\\TokenResponseException\n     *\/\n    protected function _parseResponseBody($responseBody)\n    {\n        if (!is_string($responseBody)) {\n            throw new TokenResponseException(&quot;Response body is expected to be a string.&quot;);\n        }\n        parse_str($responseBody, $data);\n        if (null === $data || !is_array($data)) {\n            throw new TokenResponseException(&#039;Unable to parse response.&#039;);\n        } elseif (isset($data&#091;&#039;error&#039;])) {\n            throw new TokenResponseException(&quot;Error occurred: &#039;{$data&#091;&#039;error&#039;]}&#039;&quot;);\n        }\n        return $data;\n    }\n\n    \/**\n     * @override to fix since parent implementation from lib not sending the oauth_verifier when requesting access token\n     * Builds the authorization header for an authenticated API request\n     *\n     * @param string $method\n     * @param UriInterface $uri the uri the request is headed\n     * @param \\OAuth\\OAuth1\\Token\\TokenInterface $token\n     * @param $bodyParams array\n     * 
@return string\n     *\/\n    protected function buildAuthorizationHeaderForAPIRequest(\n        $method,\n        UriInterface $uri,\n        TokenInterface $token,\n        $bodyParams = null\n    ) {\n        $this-&gt;signature-&gt;setTokenSecret($token-&gt;getAccessTokenSecret());\n        $parameters = $this-&gt;getBasicAuthorizationHeaderInfo();\n        if (isset($parameters&#091;&#039;oauth_callback&#039;])) {\n            unset($parameters&#091;&#039;oauth_callback&#039;]);\n        }\n\n        $parameters = array_merge($parameters, &#091;&#039;oauth_token&#039; =&gt; $token-&gt;getAccessToken()]);\n        \/\/ $bodyParams defaults to null and array_merge() rejects null on PHP 8, so treat it as no extra parameters\n        $parameters = array_merge($parameters, $bodyParams ?? &#091;]);\n        $parameters&#091;&#039;oauth_signature&#039;] = $this-&gt;signature-&gt;getSignature($uri, $parameters, $method);\n\n        $authorizationHeader = &#039;OAuth &#039;;\n        $delimiter = &#039;&#039;;\n\n        foreach ($parameters as $key =&gt; $value) {\n            $authorizationHeader .= $delimiter . rawurlencode($key) . &#039;=&quot;&#039; . rawurlencode($value) . &#039;&quot;&#039;;\n            $delimiter = &#039;, &#039;;\n        }\n\n        return $authorizationHeader;\n    }\n}<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">3) Secure Magento 2 API using Session-based authentication<\/h2>\n\n\n\n<p>As a customer, you log in to the storefront using your customer credentials. Similarly, as an admin, you log in to the Admin panel with your admin credentials.<\/p>\n\n\n\n<p>The web API framework then verifies your identity and authorizes access by using your active session information.<\/p>\n\n\n\n<p>Customers can directly access resources that the <strong>webapi.xml<\/strong> configuration file marks with <strong>anonymous<\/strong> or <strong>self<\/strong> permissions. 
In contrast, admins can access resources assigned to their Admin profile.<\/p>\n\n\n\n<p>For example, when a customer is logged in to the storefront and a JavaScript widget calls the <strong>self<\/strong> API, the system fetches the details of the logged-in customer:<\/p>\n\n\n\n<p><code>GET \/rest\/V1\/customers\/me<\/code><\/p>\n\n\n\n<p>Similarly, when an admin is logged in to the Admin panel and a JavaScript widget calls the <strong>Magento_Customer::group<\/strong> API, the system retrieves details for the logged-in admin. Here, the web API framework identifies the admin from the active session and authorizes access to the <strong>Magento_Customer::group<\/strong> resource.<\/p>\n\n\n\n<p>Currently, API endpoints do not support session-based authentication for admins.<\/p>\n\n\n\n<p>Additionally, session-based authentication works only for AJAX calls. You cannot make direct browser requests because they expose security vulnerabilities.<\/p>\n\n\n\n<p>For technical assistance, please get in touch with us via email at&nbsp;<a href=\"mailto:support@webkul.com\" target=\"_blank\" rel=\"noreferrer noopener\">support@webkul.com<\/a>.<\/p>\n\n\n\n<p>Discover powerful solutions to enhance your Magento 2 store by exploring our&nbsp;<a href=\"https:\/\/store.webkul.com\/Magento-2.html\">Magento 2 plugins<\/a>&nbsp;page.<\/p>\n\n\n\n<p>Bring your vision to life with custom-built solutions\u2014hire skilled&nbsp;<a href=\"https:\/\/webkul.com\/hire-magento-developers\/\">Magento 2 developers<\/a>&nbsp;today.<br>Happy Coding!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This guide explains how to secure Magento 2 API with clear examples. You will learn token generation, authentication types, and permission control. We will generate tokens to access Magento 2 API. Magento 2 provides three types of API Authentication. Also, Magento 2 Security extension helps secure your website from various attacks and hacks. 
1) Secure <a href=\"https:\/\/webkul.com\/blog\/how-to-secure-magento-2-api\/\">[&#8230;]<\/a><\/p>\n","protected":false},"author":379,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9121],"tags":[2070],"class_list":["post-380229","post","type-post","status-publish","format-standard","hentry","category-magento-2","tag-magento2"],"yoast_head_json":{"title":"How to secure Magento 2 API - Webkul Blog","description":"how to secure Magento 2 API.","canonical":"https:\/\/webkul.com\/blog\/how-to-secure-magento-2-api\/","article_published_time":"2023-05-10T12:51:15+00:00","article_modified_time":"2026-01-02T11:36:44+00:00","author":"Krishna Mohan","twitter_misc":{"Written by":"Krishna Mohan","Est. reading time":"10 minutes"}},"amp_enabled":true}
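The header that buildAuthorizationHeaderForAPIRequest() in section 2 assembles, as an added example that is not code from the post or from Magento: a Python builder following RFC 5849, alongside the recomputation a validator performs on the server side (signature over method, URL and parameters, timestamp freshness, constant-time compare). It assumes HMAC-SHA256 as the signature method and uses a placeholder host and constructed keys and secrets.

```python
"""OAuth 1.0a Authorization header for a Magento 2 REST call: build it and verify it.
Added example, not code from the post or from Magento: a Python counterpart to the
buildAuthorizationHeaderForAPIRequest() method above, plus the server-side check.
Host, keys and secrets used with it are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

SIGNATURE_METHOD = "HMAC-SHA256"  # Magento also accepts HMAC-SHA1; prefer SHA-256

def pct(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding (the set PHP's rawurlencode leaves bare)."""
    return quote(value, safe="-._~")

def normalize_url(url: str) -> str:
    """Lower-cased scheme and host, default port and query dropped (section 3.4.1.2)."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}{p.path}"

def signature_base_string(method: str, url: str, params) -> str:
    """METHOD&enc(url)&enc(sorted 'k=v' pairs joined by '&'), section 3.4.1."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])

def sign(base: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC key is consumer_secret&token_secret, each percent-encoded (section 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha256).digest()).decode()

def signed_params(oauth: dict, url: str, body_params) -> list:
    # Query-string and form-body parameters are covered by the signature as well.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return list(oauth.items()) + query + list((body_params or {}).items())

def build_authorization_header(method, url, consumer_key, consumer_secret,
                               access_token, token_secret, body_params=None):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),  # fresh per request
        "oauth_signature_method": SIGNATURE_METHOD,
        "oauth_timestamp": str(int(time.time())),
        "oauth_token": access_token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, signed_params(oauth, url, body_params))
    oauth["oauth_signature"] = sign(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())

def verify_authorization_header(header, method, url, consumer_secret, token_secret,
                                body_params=None, max_skew=300):
    # Server side: parse the presented parameters and recompute the signature.
    if not header.startswith("OAuth "):
        return False
    presented = {}
    for part in header[len("OAuth "):].split(", "):
        key, _, val = part.partition("=")
        presented[unquote(key)] = unquote(val.strip('"'))
    sig = presented.pop("oauth_signature", None)
    if sig is None or presented.get("oauth_signature_method") != SIGNATURE_METHOD:
        return False
    ts = presented.get("oauth_timestamp", "")
    if not ts.isdigit() or abs(int(time.time()) - int(ts)) > max_skew:
        return False  # stale or malformed timestamp: limits replay of a captured header
    base = signature_base_string(method, url, signed_params(presented, url, body_params))
    return hmac.compare_digest(sign(base, consumer_secret, token_secret), sig)  # constant time
```

The four credentials are the consumer key/secret and access token/secret of the integration created in the Magento admin; the returned string is sent as the request's Authorization header.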