This is a beta release of documentation for Magento 2.4, published for previewing soon-to-be-released functionality. Content in this version is subject to change. Links to the v2.4 code base may not properly resolve until the code is officially released.

Session-based authentication

Edit on GitHub
Log an Issue

As a customer, you log in to the Magento storefront with your customer credentials. As an admin, you log in to the Magento Admin with your admin credentials.

The Magento web API framework uses your logged-in session information to verify your identity and authorize access to the requested resource.

Customers can access resources that are configured with anonymous or self permission in the webapi.xml configuration file.

Admins can access resources that are assigned to their Magento Admin profile.

The Magento web API framework enables guest users to access resources that are configured with anonymous permission. Any user that the framework cannot authenticate through existing authentication mechanisms is considered a guest user.

For example, if a customer is logged in to the Magento storefront and the JavaScript widget invokes the self API, details for the logged-in customer are fetched:

GET /rest/V1/customers/me

Similarly, if an admin is logged in to the Magento Admin and the JavaScript widget invokes the Magento_Customer::group API, details for the logged-in admin are fetched. The web API framework establishes the identity of the admin user based on logged-in session information and authorizes access to the Magento_Customer::group resource.

Admin session-based authentication is not currently possible for API endpoints. The session based authentication functionality is restricted to AJAX calls. Direct browser requests cannot be made due to security vulnerabilities. A developer can create a custom storefront widget that can issue requests without additional authentication steps.

Configure services as web APIs

© 2020 Magento. All rights reserved.