Authorization tokens
Magento provides separate token services for customers and administrators. When you request a token from one of these services, the service returns a unique access token in exchange for the username and password of a Magento account. The token is a bearer credential: whoever presents it acts as that account until it expires or is revoked, so send it only over HTTPS and keep it out of logs and out of client-side storage you do not control.
Magento GraphQL provides a mutation that returns a token on behalf of a logged-in customer. You must use a REST call to fetch an admin token. Use the token in the Authorization request header field (Authorization: Bearer <token>) for any queries and mutations. See Request headers.
Customer tokens
The generateCustomerToken mutation requires the customer email address and password in the payload, as shown in the following example.
By default, a customer token is valid for 1 hour. You can change this value from Admin by selecting Stores > Settings > Configuration > Services > OAuth > Access Token Expiration > Customer Token Lifetime.
Request:

mutation {
  generateCustomerToken(email: "customer@example.com", password: "password") {
    token
  }
}
Response:

{
  "data": {
    "generateCustomerToken": {
      "token": "hoyz7k697ubv5hcpq92yrtx39i7x10um"
    }
  }
}
You can now use this token in the Authorization request header field for any queries and mutations.
If necessary, you can also [revoke the customer’s token](/guides/v2.4/graphql/mutations/revoke-customer-token.html). Revoke it when the customer logs out rather than relying on expiry alone; a leaked token otherwise stays usable until its lifetime runs out.
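The customer-token lifecycle described above (fetch the token, send it as a bearer header, treat it as expired after the configured lifetime, revoke it on logout), as an added example that is not code from the Magento documentation. The /graphql path, the generateCustomerToken and revokeCustomerToken mutations and their fields come from this page; the injectable transport, the 3600-second default lifetime and the fake_magento stand-in are assumptions and constructed test data so the example runs offline.

```python
"""Customer-token lifecycle against the Magento GraphQL endpoint (added example)."""
import time
from typing import Callable, Dict, Optional

# (url, headers, json body) -> parsed JSON. In production wrap an HTTPS
# client such as requests.post(...).json(); injected here to run offline.
Transport = Callable[[str, Dict[str, str], dict], dict]

GENERATE_CUSTOMER_TOKEN = """
mutation GenerateCustomerToken($email: String!, $password: String!) {
  generateCustomerToken(email: $email, password: $password) { token }
}
"""
REVOKE_CUSTOMER_TOKEN = "mutation { revokeCustomerToken { result } }"
CUSTOMER_EMAIL = "query { customer { email } }"


class CustomerSession:
    """Holds one customer bearer token and tracks its lifetime locally."""

    def __init__(self, base_url: str, transport: Transport,
                 lifetime_seconds: int = 3600,          # Admin default: 1 hour
                 clock: Callable[[], float] = time.time) -> None:
        self.graphql_url = base_url.rstrip("/") + "/graphql"
        self._transport = transport
        self._lifetime = lifetime_seconds
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _post(self, query: str, variables: Optional[dict] = None,
              token: Optional[str] = None) -> dict:
        headers = {"Content-Type": "application/json"}
        if token:
            headers["Authorization"] = f"Bearer {token}"   # the header Magento checks
        resp = self._transport(self.graphql_url, headers,
                               {"query": query, "variables": variables or {}})
        if resp.get("errors"):
            # Propagate the server's message; never echo the credentials.
            raise RuntimeError(resp["errors"][0].get("message", "GraphQL error"))
        return resp["data"]

    def login(self, email: str, password: str) -> None:
        # Credentials travel as GraphQL variables, not interpolated into the
        # query text, so quotes in a password cannot alter the document.
        data = self._post(GENERATE_CUSTOMER_TOKEN, {"email": email, "password": password})
        self._token = data["generateCustomerToken"]["token"]
        # Consider the token stale 30 s early instead of racing server expiry.
        self._expires_at = self._clock() + self._lifetime - 30

    def token_valid(self) -> bool:
        return self._token is not None and self._clock() < self._expires_at

    def auth_header(self) -> Dict[str, str]:
        if not self.token_valid():
            raise RuntimeError("customer token missing or expired; call login() again")
        return {"Authorization": f"Bearer {self._token}"}

    def query(self, query: str, variables: Optional[dict] = None) -> dict:
        self.auth_header()                       # fail fast on a stale token
        return self._post(query, variables, token=self._token)

    def logout(self) -> bool:
        """Revoke server-side while the token is valid; always forget it locally."""
        result = False
        if self.token_valid():
            data = self._post(REVOKE_CUSTOMER_TOKEN, token=self._token)
            result = bool(data["revokeCustomerToken"]["result"])
        self._token, self._expires_at = None, 0.0
        return result


# --- constructed stand-in for a Magento server (not a real instance) -------
SAMPLE_TOKEN = "hoyz7k697ubv5hcpq92yrtx39i7x10um"   # value from the page's example
_revoked = set()


def fake_magento(url: str, headers: Dict[str, str], body: dict) -> dict:
    q = body["query"]
    if "generateCustomerToken" in q:
        if body["variables"] == {"email": "customer@example.com", "password": "password"}:
            _revoked.discard(SAMPLE_TOKEN)      # a fresh login yields a usable token
            return {"data": {"generateCustomerToken": {"token": SAMPLE_TOKEN}}}
        return {"errors": [{"message": "The account sign-in was incorrect."}]}
    if headers.get("Authorization") != f"Bearer {SAMPLE_TOKEN}" or SAMPLE_TOKEN in _revoked:
        return {"errors": [{"message": "The current customer isn't authorized."}]}
    if "revokeCustomerToken" in q:
        _revoked.add(SAMPLE_TOKEN)
        return {"data": {"revokeCustomerToken": {"result": True}}}
    return {"data": {"customer": {"email": "customer@example.com"}}}


if __name__ == "__main__":
    s = CustomerSession("https://magento.example", fake_magento)
    s.login("customer@example.com", "password")
    print(s.query(CUSTOMER_EMAIL), s.logout())
```

The session never prints or logs the token, computes expiry from the Customer Token Lifetime setting rather than trusting a cached token indefinitely, and revokes on logout so the server stops honouring the token before its lifetime ends.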
The generateCustomerTokenAsAdmin mutation generates a new customer token as an admin so that an administrator can perform remote shopping assistance. It is an admin operation: send it with an admin token in the Authorization header, not a customer token. The customer must have opted in by enabling the allow_remote_shopping_assistance attribute on their account (it can be set when the customer profile is created or updated). The mutation requires the customer email address in the payload, as shown in the following example.
Request:

mutation {
  generateCustomerTokenAsAdmin(input: {
    customer_email: "customer1@mail.com"
  }) {
    customer_token
  }
}
Response:

{
  "data": {
    "generateCustomerTokenAsAdmin": {
      "customer_token": "cr0717abzoagxty1xjn4lj13kim36r6x"
    }
  }
}
Admin tokens
In Magento GraphQL, you specify an admin token only if you need to query products, categories, price rules, or other entities that are scheduled to be in a campaign (staged content). Staging is supported in Magento Commerce only. See Staging queries for more information. Because an admin token carries the admin user's permissions across the REST and GraphQL APIs, obtain and use it from a trusted back end only; never embed it in a storefront or browser client.
Magento does not provide a GraphQL mutation that generates an admin token. You must use a REST endpoint such as POST /V1/tfa/provider/google/authenticate instead (two-factor authentication is enabled for admin users by default in Magento 2.4). Generate the admin token shows how to use this endpoint.
By default, an admin token is valid for 4 hours. You can change this value from Admin by selecting Stores > Settings > Configuration > Services > OAuth > Access Token Expiration > Admin Token Lifetime.
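The admin flow described in this section and in the generateCustomerTokenAsAdmin section above (fetch an admin token over REST, then use it as the bearer credential for an admin-only GraphQL mutation), as an added example that is not code from the Magento documentation. The REST path /V1/tfa/provider/google/authenticate and the mutation come from this page; the request fields username, password and otp follow the Magento 2FA REST reference and should be checked against your instance. The transport, the fake_magento stand-in and the per-customer allow_remote_shopping_assistance table are assumptions and constructed test data so the example runs offline.

```python
"""Admin token over REST, then admin-only GraphQL (added example)."""
from typing import Callable, Dict, Optional, Union

# (url, headers, json body) -> parsed JSON: a dict for GraphQL, a bare JSON
# string for the REST token endpoint. Injected so the example needs no server.
Transport = Callable[[str, Dict[str, str], dict], Union[dict, str]]

GENERATE_CUSTOMER_TOKEN_AS_ADMIN = """
mutation TokenAsAdmin($email: String!) {
  generateCustomerTokenAsAdmin(input: { customer_email: $email }) { customer_token }
}
"""
JSON = {"Content-Type": "application/json"}


class AdminSession:
    """Holds an admin bearer token. Keep it server-side: it carries the admin
    user's permissions, not just storefront access."""

    def __init__(self, base_url: str, transport: Transport) -> None:
        self.base = base_url.rstrip("/")
        self._transport = transport
        self._admin_token: Optional[str] = None

    def login(self, username: str, password: str, otp: str) -> None:
        # 2FA is on by default for admins in 2.4, so the token comes from the
        # provider endpoint together with the current one-time code.
        url = self.base + "/rest/V1/tfa/provider/google/authenticate"
        token = self._transport(url, JSON, {"username": username,
                                            "password": password, "otp": otp})
        # The REST endpoint returns the token as a JSON string literal; anything
        # else (an error object, an empty body) means authentication failed.
        if not isinstance(token, str) or not token:
            raise RuntimeError("admin authentication failed")
        self._admin_token = token

    def graphql(self, query: str, variables: Optional[dict] = None) -> dict:
        if not self._admin_token:
            raise RuntimeError("no admin token; call login() first")
        headers = dict(JSON, Authorization=f"Bearer {self._admin_token}")
        resp = self._transport(self.base + "/graphql", headers,
                               {"query": query, "variables": variables or {}})
        if not isinstance(resp, dict) or resp.get("errors"):
            msg = resp["errors"][0]["message"] if isinstance(resp, dict) else "bad response"
            raise RuntimeError(msg)
        return resp["data"]

    def customer_token_for(self, email: str) -> str:
        """Remote shopping assistance: mint a token for a customer who opted in."""
        data = self.graphql(GENERATE_CUSTOMER_TOKEN_AS_ADMIN, {"email": email})
        return data["generateCustomerTokenAsAdmin"]["customer_token"]


# --- constructed stand-in for a Magento instance (not real data) -----------
ADMIN_TOKEN = "a" * 32                                  # constructed admin token
CUSTOMER_TOKEN = "cr0717abzoagxty1xjn4lj13kim36r6x"     # value from the page's example
# allow_remote_shopping_assistance flag per customer (constructed)
ASSISTANCE = {"customer1@mail.com": True, "customer2@mail.com": False}


def fake_magento(url: str, headers: Dict[str, str], body: dict) -> Union[dict, str]:
    if url.endswith("/rest/V1/tfa/provider/google/authenticate"):
        ok = body == {"username": "admin", "password": "secret", "otp": "123456"}
        return ADMIN_TOKEN if ok else {"message": "Invalid one-time password"}
    # Everything below is the GraphQL endpoint; only an admin token is accepted.
    if headers.get("Authorization") != f"Bearer {ADMIN_TOKEN}":
        return {"errors": [{"message": "The current customer isn't authorized."}]}
    email = body["variables"].get("email")
    if not ASSISTANCE.get(email):
        return {"errors": [{"message": "Customer has not allowed remote shopping assistance."}]}
    return {"data": {"generateCustomerTokenAsAdmin": {"customer_token": CUSTOMER_TOKEN}}}


if __name__ == "__main__":
    admin = AdminSession("https://magento.example", fake_magento)
    admin.login("admin", "secret", "123456")
    print(admin.customer_token_for("customer1@mail.com"))
```

The two checks worth keeping in real code are the type test on the REST response (a failed login returns a JSON object, not the string token, and must not be stored as if it were one) and the refusal to send any GraphQL request before an admin token exists, so a customer token is never substituted for the admin credential the mutation expects.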