Introduction to Magento 2 API

This article provides an introduction to API in Magento 2.

Introduction to API

API stands for Application Programming Interface.

  • Application = any software with a distinct function
  • Interface = a contract of service between two applications

The applications communicate with each other via requests and responses.

  • Client = the application sending the request
    Client application sends the request to the Server application.
  • Server = the application sending the response
    Server application processes the request and sends the response back to the Client application.

Application of API in Magento

APIs can have the following use in Magento:

  • To create a mobile shopping app
  • To create a headless application (decoupled frontend from the backend)
  • To integrate third-party systems with Magento (ERP, CRM, etc.)

Types of API Architecture/Protocol

API architecture/protocol defines the format or rules for the API calls. It consists of rules on how and what data can be shared between the client and the server.

REST, SOAP, and RPC are the most used API architectures.

SOAP APIs

  • SOAP stands for Simple Object Access Protocol.
  • It was the most popular API architecture in the past.
  • Messages between the client and server are exchanged as XML.
  • It’s a less flexible API architecture compared to the others.

REST APIs

  • REST stands for Representational State Transfer.
  • It’s the most popular and flexible API architecture at present.
  • Client and Server communicate using the HTTP protocol.
  • The Server Response is sent in JSON (JavaScript Object Notation) format.
  • There’s a clear client-server separation.
    • The client sends a request to the server.
    • The server sends a response back to the client.
    • The reverse does not happen: the server cannot send a request to the client, and the client cannot send a response to the server.

RPC APIs

  • RPC stands for Remote Procedure Call.
  • The client invokes a function (or procedure) on the server, i.e. the client causes a script to execute on the server.
  • Then, the server sends the output back to the client.
  • An RPC API can use either JSON or XML in its calls.
    • If JSON is used then it’s called JSON-RPC protocol.
    • If XML is used then it’s called XML-RPC protocol.

Magento uses REST and SOAP API architecture in its APIs.

GraphQL in Magento

In addition to REST and SOAP, Magento also uses GraphQL (Graph Query Language) to fetch data from the application server, in a similar manner to a REST GET call.

As an alternative to REST GET calls, GraphQL is designed to make API calls faster, more flexible, and more developer-friendly. Using GraphQL, you get exactly the data you requested, without any extra, unnecessary data.

Different types of data can be fetched using GraphQL in Magento, like:

  • Products data
  • Shopping cart data
  • Customer data
  • Configuration settings values

API users in Magento

There are three different types of API users in Magento 2. They are different account types with different permissions.

Admin Users

  • They are authenticated with their own (admin) login credentials.
  • They can access whatever they have been given access to via User Role Management in Magento.

Integration Users

  • They are only used by the OAuth authentication system.
  • They can access whatever they have been given access to via Integration Role Management in Magento while creating the Integration.

Customer Users

  • They are authenticated with their own (customer) login credentials.
  • They can only access resources with a type of self (data for that specific customer) or anonymous (data for Guest users).

Guest Users

  • They can only access resources with a type of anonymous.
  • They have the least access to the Magento resource and data.

API Authentication in Magento

There are three different authentications used to secure the APIs in Magento 2.

Session-Based Authentication

  • Session is used to authenticate the API requests
  • Customers’ logged-in session information is used to verify their identity and authorize access to the requested resource

Note:
Admin session-based authentication is not currently possible for API endpoints. The session-based authentication functionality is restricted to AJAX calls. Direct browser requests cannot be made due to security vulnerabilities. A developer can create a custom storefront widget that can issue requests without additional authentication steps.

Magento Docs: Session-based Authentication

Token-Based Authentication

  • The login username and password of the customer or admin user are submitted once to obtain a token.
  • The token is then used to authenticate the API requests.
  • Tokens have an expiration date/time.
  • API requests are authenticated until the token expires.

Token Lifetime

  • Integration Token Lifetime = Indefinite. It lasts until it is manually revoked.
  • Admin Token Lifetime = 4 hours
  • Customer Token Lifetime = 1 hour
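The token flow above as a small client, written for this article (not Magento's own code): it posts the credentials once to the token endpoint, caches the returned token, sends it as a Bearer credential on every later REST call, and re-requests it shortly before the 4-hour (admin) or 1-hour (customer) lifetime ends. The shop URL and credentials are placeholders, and the transport is injectable so the flow can be exercised offline.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Lifetimes stated on the page: admin tokens last 4 hours, customer tokens 1 hour.
TOKEN_LIFETIME = {"admin": timedelta(hours=4), "customer": timedelta(hours=1)}
# Magento 2 REST endpoints that exchange login credentials for a token.
TOKEN_PATH = {"admin": "/rest/V1/integration/admin/token",
              "customer": "/rest/V1/integration/customer/token"}

def default_transport(request):  # real HTTPS send; a fake is injected when testing offline
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read().decode()

class MagentoTokenClient:
    def __init__(self, base_url, user_type, username, password,
                 transport=default_transport, clock=None):
        if user_type not in TOKEN_PATH:
            raise ValueError("user_type must be 'admin' or 'customer'")
        self.base_url = base_url.rstrip("/")
        self.user_type = user_type
        self._credentials = {"username": username, "password": password}
        self._transport = transport  # injectable, so the flow can be exercised offline
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._token, self._issued_at = None, None

    def token_request(self):
        """POST the credentials once; this is the only call that carries the password."""
        return urllib.request.Request(self.base_url + TOKEN_PATH[self.user_type],
                                      data=json.dumps(self._credentials).encode(),
                                      headers={"Content-Type": "application/json"},
                                      method="POST")

    def token_expired(self, margin=timedelta(minutes=5)):
        """True when nothing is cached or the lifetime (minus a safety margin) has elapsed."""
        if self._token is None:
            return True
        return self._clock() >= self._issued_at + TOKEN_LIFETIME[self.user_type] - margin

    def get_token(self):
        if self.token_expired():
            # Magento returns the token as a bare JSON string, e.g. "q0u66k8h42...".
            self._token = json.loads(self._transport(self.token_request()))
            self._issued_at = self._clock()
        return self._token

    def authenticated_request(self, path, method="GET"):
        """Every later REST call carries only the token, as a Bearer credential."""
        return urllib.request.Request(self.base_url + path, method=method,
                                      headers={"Authorization": f"Bearer {self.get_token()}"})
```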

Using access-token from Integration

The “access token” from the integration (Magento admin > SYSTEM > Extensions > Integration) can also be used in token-based authentication. However, this feature is disabled by default in Magento 2.4 and above.

This feature has been disabled by default due to the security implications of a never-expiring access token. Namely, if the access token is compromised it provides undetected persistent access to a store.

If you need to enable the feature, then you can do so from Magento admin or from the command-line tool.

Enable from Magento admin

Stores > Configuration > Services > OAuth > Consumer Settings > Allow OAuth Access Tokens to be used as standalone Bearer tokens = Yes

Enable from CLI

bin/magento config:set oauth/consumer/enable_integration_as_bearer 1

Magento Docs: Token-based Authentication

OAuth-Based Authentication

  • Authorization tokens are used instead of username and password to authenticate the API requests
  • The integration module (Magento admin > SYSTEM > Extensions > Integration) in Magento is used to generate the consumer key, consumer secret, access token, and access token secret.
  • These keys are used for the OAuth-based Authentication in Magento.
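How those four keys are actually used, as an added example (not Magento's code): Magento's integrations use OAuth 1.0a, so the client signs each request with an HMAC over the method, base URL and oauth_* parameters keyed by the consumer secret and access token secret, and the server recomputes the signature from the header and compares it in constant time. HMAC-SHA256 as the signature method, and every key, secret and URL value, are assumptions made for this example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def _enc(value):
    """RFC 3986 percent-encoding as required by OAuth 1.0a (only unreserved chars untouched)."""
    return quote(str(value), safe="")

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA256 over the base string built from method, base URL and all parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    all_params = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in all_params))
    base_string = "&".join([method.upper(), _enc(base_url), _enc(normalized)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}"  # both secrets stay off the wire
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def oauth1_header(method, url, consumer_key, consumer_secret, token, token_secret,
                  nonce=None, timestamp=None):
    """Client side: the Authorization header an integration sends with each REST call."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = oauth1_signature(method, url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in sorted(params.items()))

def oauth1_verify(method, url, header, consumer_secrets, token_secrets):
    """Server side: look up both secrets, recompute the signature, compare in constant time.
    A production verifier also rejects stale timestamps and reused nonces (not shown here)."""
    if not header.startswith("OAuth "):
        return False
    params = {}
    for item in header[len("OAuth "):].split(", "):
        k, _, v = item.partition("=")
        params[k] = unquote(v.strip('"'))
    presented = params.pop("oauth_signature", "")
    if params.get("oauth_signature_method") != "HMAC-SHA256":
        return False
    try:
        expected = oauth1_signature(method, url, params, consumer_secrets[params["oauth_consumer_key"]],
                                    token_secrets[params["oauth_token"]])
    except KeyError:  # unknown consumer key or access token
        return False
    return hmac.compare_digest(presented, expected)
```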

Magento Docs: OAuth-based Authentication

Hope this helps. Thanks.