The Magento web API framework uses your logged-in session information to verify your identity and authorize access to the requested resource.
Customers can access resources that are configured with
self permission in the
webapi.xml configuration file.
Admins can access resources that are assigned to their Magento Admin profile.
The Magento web API framework enables guest users to access resources that are configured with
anonymous permission. Any user that the framework cannot authenticate through existing authentication mechanisms is considered a guest user.
Similarly, if an admin is logged in to the Magento Admin
Magento_Customer::group API, details for the logged-in admin are fetched.
The web API framework establishes the identity of the admin user based on logged-in session information and authorizes access to the
The session based authentication functionality is restricted to only allow for AJAX calls and not direct browser requests due to security vulnerabilities. A developer can create a custom storefront widget that can issue requests without additional authentication steps.