Authorization tokens

Magento provides separate token services for customers and administrators. When you request a token from one of these services, the service returns a unique access token in exchange for the username and password for a Magento account.

Magento GraphQL provides a mutation that returns a token on behalf of a logged-in customer. You must use a REST call to fetch an admin token. Send the token in the Authorization request header field (Authorization: Bearer <token>) with any queries and mutations that require it. See Request headers.

Customer tokens

The generateCustomerToken mutation requires the customer email address and password in the payload, as shown in the following example.

By default, a customer token is valid for 1 hour. You can change this value from Admin by selecting Stores > Settings > Configuration > Services > OAuth > Access Token Expiration > Customer Token Lifetime.

Request:

mutation {
  generateCustomerToken(email: "customer@example.com", password: "password") {
    token
  }
}

Response:

{
  "data": {
    "generateCustomerToken": {
      "token": "hoyz7k697ubv5hcpq92yrtx39i7x10um"
    }
  }
}

You can now use this token in the Authorization request header field, in the form Authorization: Bearer <token>, for any queries and mutations. Treat the value as a bearer credential: anyone who obtains it can act as the customer until it expires or is revoked.

If necessary, you also can [revoke the customer’s token](/guides/v2.4/graphql/mutations/revoke-customer-token.html).

The generateCustomerTokenAsAdmin mutation generates a new customer token as an admin so that an administrator can perform remote shopping assistance. The request itself must be authenticated with an admin token in the Authorization header, and the customer must have enabled the allow_remote_shopping_assistance feature on their customer profile; otherwise the mutation returns an authorization error rather than a token. The mutation requires the customer email address in the payload, as shown in the following example.

Request:

mutation {
  generateCustomerTokenAsAdmin(input: {
    customer_email: "customer1@mail.com"
  }) {
    customer_token
  }
}

Response:

{
  "data": {
    "generateCustomerTokenAsAdmin": {
      "customer_token": "cr0717abzoagxty1xjn4lj13kim36r6x"
    }
  }
}
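The following Python client is an added example that is not part of the Magento documentation or the Magento project. It sends the generateCustomerToken and generateCustomerTokenAsAdmin mutations shown above through an injectable transport, passes credentials as GraphQL variables instead of interpolating them into the query string, checks the "errors" array (Magento returns HTTP 200 even when sign-in fails), attaches the Authorization: Bearer header to follow-up requests, and stops using a token shortly before the configured Customer Token Lifetime elapses. The store URL given to http_transport, the admin-token-example value and the fake_store responses are constructed for the example; the two token values are the ones shown on this page.

```python
"""Added example: request and use Magento GraphQL customer tokens through an injectable transport."""
import json
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes the JSON body plus headers and returns the raw response body.
Transport = Callable[[bytes, Dict[str, str]], bytes]


def http_transport(endpoint: str) -> Transport:
    """Real transport: POST to the store's /graphql URL (an assumption; never used offline)."""
    def send(body: bytes, headers: Dict[str, str]) -> bytes:
        req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    return send


# Credentials go in GraphQL variables, not interpolated into the query string, so a
# password containing quotes or braces cannot alter the document being sent.
CUSTOMER_TOKEN_MUTATION = """mutation GenerateCustomerToken($email: String!, $password: String!) {
  generateCustomerToken(email: $email, password: $password) { token }
}"""
CUSTOMER_TOKEN_AS_ADMIN_MUTATION = """mutation GenerateCustomerTokenAsAdmin($email: String!) {
  generateCustomerTokenAsAdmin(input: { customer_email: $email }) { customer_token }
}"""


def build_request(query: str, variables: dict, token: Optional[str] = None) -> Tuple[bytes, Dict[str, str]]:
    """JSON-encode a GraphQL request; attach the Bearer header only when a token is supplied."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return json.dumps({"query": query, "variables": variables}).encode("utf-8"), headers


def extract_token(raw: bytes, operation: str, field: str) -> str:
    """Return data.<operation>.<field>. GraphQL answers HTTP 200 even when sign-in fails: the
    failure sits in the top-level "errors" array and data.<operation> is null, so check that."""
    doc = json.loads(raw)
    if doc.get("errors"):
        detail = "; ".join(e.get("message", "unknown error") for e in doc["errors"])
        raise PermissionError(f"{operation} failed: {detail}")
    token = ((doc.get("data") or {}).get(operation) or {}).get(field)
    if not isinstance(token, str) or not token:
        raise ValueError(f"{operation} returned no {field}")
    return token


def customer_token_as_admin(transport: Transport, admin_token: str, customer_email: str) -> str:
    """Remote shopping assistance: the mutation itself must carry the admin's Bearer token."""
    body, headers = build_request(CUSTOMER_TOKEN_AS_ADMIN_MUTATION, {"email": customer_email}, admin_token)
    return extract_token(transport(body, headers), "generateCustomerTokenAsAdmin", "customer_token")


class CustomerSession:
    """Holds a customer token and treats it as expired a little before the configured lifetime.
    lifetime_seconds mirrors Customer Token Lifetime (default 1 hour); the margin is this
    example's own safety buffer, not a Magento setting."""

    def __init__(self, transport: Transport, lifetime_seconds: int = 3600,
                 margin_seconds: int = 60, clock: Callable[[], float] = time.time):
        self.transport, self.lifetime, self.margin, self.clock = transport, lifetime_seconds, margin_seconds, clock
        self.token: Optional[str] = None
        self.obtained_at = 0.0

    def login(self, email: str, password: str) -> str:
        body, headers = build_request(CUSTOMER_TOKEN_MUTATION, {"email": email, "password": password})
        self.token = extract_token(self.transport(body, headers), "generateCustomerToken", "token")
        self.obtained_at = self.clock()
        return self.token

    def is_valid(self) -> bool:
        return self.token is not None and self.clock() - self.obtained_at < self.lifetime - self.margin

    def auth_headers(self) -> Dict[str, str]:
        """Headers for follow-up queries; refuses to hand out a token that is about to expire."""
        if not self.is_valid():
            raise PermissionError("customer token missing or expiring; sign in again")
        return {"Authorization": f"Bearer {self.token}"}


def fake_store(body: bytes, headers: Dict[str, str]) -> bytes:
    """Constructed stand-in for a store so the example runs offline; tokens are the page's samples."""
    req = json.loads(body)
    if "generateCustomerTokenAsAdmin" in req["query"]:
        if headers.get("Authorization") != "Bearer admin-token-example":  # admin token value is made up
            return json.dumps({"errors": [{"message": "The current customer isn't authorized."}],
                               "data": {"generateCustomerTokenAsAdmin": None}}).encode()
        return json.dumps({"data": {"generateCustomerTokenAsAdmin":
                                    {"customer_token": "cr0717abzoagxty1xjn4lj13kim36r6x"}}}).encode()
    if req["variables"] == {"email": "customer@example.com", "password": "password"}:
        return json.dumps({"data": {"generateCustomerToken": {"token": "hoyz7k697ubv5hcpq92yrtx39i7x10um"}}}).encode()
    return json.dumps({"errors": [{"message": "The account sign-in was incorrect."}],
                       "data": {"generateCustomerToken": None}}).encode()


if __name__ == "__main__":
    session = CustomerSession(fake_store)
    session.login("customer@example.com", "password")
    print(session.auth_headers())
    print(customer_token_as_admin(fake_store, "admin-token-example", "customer1@mail.com"))
```

Against a real store, replace fake_store with http_transport("https://<store>/graphql") and keep the lifetime in step with the value configured under Access Token Expiration; the client-side margin only avoids sending a request with a token the server is about to reject, it does not extend the token.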

Admin tokens

In Magento GraphQL, you specify an admin token only if you need to query products, categories, price rules, or other entities that are scheduled to be in a campaign (staged content). Staging is supported in Adobe Commerce only. See Staging queries for more information.

Magento does not provide a GraphQL mutation that generates an admin token. You must use a REST endpoint such as POST /V1/tfa/provider/google/authenticate instead; because two-factor authentication is enforced for admin accounts in Magento 2.4, the token request goes through the configured 2FA provider rather than a plain username and password call. See Generate the admin token for how to use this endpoint.

By default, an admin token is valid for 4 hours. You can change this value from Admin by selecting Stores > Settings > Configuration > Services > OAuth > Access Token Expiration > Admin Token Lifetime.