We want to develop mobile applications for Android and iOS which will communicate through Magento2's REST APIs.
What will be the proper way to pass the authorization token to access Magento2's resources?
What I know:
For example:
We can use the V1/guest-carts endpoint to create a cart on behalf of a guest.
We can create a cart for a logged-in customer and use the /V1/carts/mine endpoint; calls for a logged-in customer must specify the customer's token in the header.
Now I want to get the product details by SKU and I will call the /V1/products/SKU endpoint, but it will give an error:
[screenshot of the error response]
Because a customer or guest does not have access to this resource, I have to provide an Admin Authorization Token, or I can create an integration (System > Extensions > Integrations) and provide its Access Token to access the resource.
Resources: Magento_Catalog::products
[screenshot of the integration's API resource settings]
What I don't know:
Do I have to hardcode the Access Token or Admin User and Password in the mobile application source code?
If yes, customers can use tools like HTTP Toolkit to capture the token from the request, and they can then just delete a product by calling the DELETE /V1/products/SKU endpoint.
If not, what is the proper way to do it?
1 Answer
Navigate to Stores > Settings > Configuration > Services > Magento Web API > Web API Security. Then select Yes from the Allow Anonymous Guest Access menu.
The above configuration will only allow GET action on Catalog, CMS, and Store endpoints.
However, it is a possible security concern on production, and opens you up to bots hitting the site. It is recommended to create a custom ACL.
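One concrete form of the custom ACL approach the answer recommends, as an added example that is not part of the original answer: a custom module's etc/webapi.xml that re-declares only the GET product route as anonymous, so the mobile app needs no admin or integration token for reads, while DELETE /V1/products/:sku keeps the Magento_Catalog::products resource from the core definition. The vendor/module name is a placeholder, and it assumes the module's module.xml declares a sequence after Magento_Catalog so this route definition is merged last.

```xml
<?xml version="1.0"?>
<!-- app/code/Acme/PublicCatalog/etc/webapi.xml  (Acme/PublicCatalog is a placeholder name) -->
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">

    <!-- Override only the read route. Same URL + method as the core route, so this
         definition replaces the core one when Acme_PublicCatalog loads after Magento_Catalog. -->
    <route url="/V1/products/:sku" method="GET">
        <service class="Magento\Catalog\Api\ProductRepositoryInterface" method="get"/>
        <resources>
            <!-- "anonymous" grants access without any token; only this GET route is affected. -->
            <resource ref="anonymous"/>
        </resources>
    </route>

    <!-- No DELETE / POST / PUT routes are redefined here, so those keep requiring
         Magento_Catalog::products (an admin token or an integration with that resource). -->
</routes>
```

The route returns whatever ProductRepositoryInterface::get exposes for the product, so review the returned attributes before opening it to unauthenticated clients, and keep the integration token server-side for any write operations.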