Authentication
Complete guide to API authentication methods including customer authentication, admin authentication, and token management using the REST API.
Customer Authentication
Customer Registration
Register a new customer account.
Endpoint:
POST /api/shop/customers:::tabs
== cURL
curl -X POST "https://your-domain.com/api/shop/customers" \
-H "Content-Type: application/json" \
-d '{
"first_name": "John",
"last_name": "Doe",
"email": "[email protected]",
"password": "SecurePassword123!",
"password_confirmation": "SecurePassword123!",
"phone": "1234567890"
}'== Node.js
const response = await fetch('https://your-domain.com/api/shop/customers', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
first_name: 'John',
last_name: 'Doe',
email: '[email protected]',
password: 'SecurePassword123!',
password_confirmation: 'SecurePassword123!',
phone: '1234567890'
})
});
const customer = await response.json();
console.log(customer);== Python
import requests
response = requests.post(
'https://your-domain.com/api/shop/customers',
headers={'Content-Type': 'application/json'},
json={
'first_name': 'John',
'last_name': 'Doe',
'email': '[email protected]',
'password': 'SecurePassword123!',
'password_confirmation': 'SecurePassword123!',
'phone': '1234567890'
}
)
customer = response.json()
print(customer):::
Response (201 Created):
{
"@context": "/api/contexts/Customer",
"@id": "/api/shop/customers/10",
"@type": "Customer",
"id": 10,
"first_name": "John",
"last_name": "Doe",
"email": "[email protected]",
"phone": "1234567890",
"status": 1,
"created_at": "2024-01-20T10:30:00Z"
}Customer Login
Authenticate a customer and receive bearer token.
Endpoint:
POST /api/shop/customer/login:::tabs
== cURL
curl -X POST "https://your-domain.com/api/shop/customer/login" \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "SecurePassword123!"
}'== Node.js
const response = await fetch('https://your-domain.com/api/shop/customer/login', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
email: '[email protected]',
password: 'SecurePassword123!'
})
});
const data = await response.json();
localStorage.setItem('authToken', data.access_token);
console.log('Access Token:', data.access_token);== Python
import requests
response = requests.post(
'https://your-domain.com/api/shop/customer/login',
headers={'Content-Type': 'application/json'},
json={
'email': '[email protected]',
'password': 'SecurePassword123!'
}
)
data = response.json()
print(f"Token: {data['access_token']}"):::
Response (200 OK):
{
"@context": "/api/contexts/Customer",
"@type": "Token",
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEwLCJlbWFpbCI6ImpvaG5AZXhhbXBsZS5jb20ifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
"token_type": "Bearer",
"expires_in": 86400,
"customer": {
"id": 10,
"first_name": "John",
"last_name": "Doe",
"email": "[email protected]"
}
}Verify Authentication Token
Verify if authentication token is still valid.
Endpoint:
POST /api/shop/verify-tokens:::tabs
== cURL
curl -X POST "https://your-domain.com/api/shop/verify-tokens" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json"== Node.js
const token = localStorage.getItem('authToken');
const response = await fetch('https://your-domain.com/api/shop/verify-tokens', {
method: 'POST',
headers: {
'Authorization': `Bearer ${token}`,
'Content-Type': 'application/json'
}
});
const result = await response.json();
console.log('Token valid:', result.is_valid);== Python
import requests
token = 'YOUR_ACCESS_TOKEN'
response = requests.post(
'https://your-domain.com/api/shop/verify-tokens',
headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
}
)
result = response.json()
print(f"Token valid: {result['is_valid']}"):::
Response (200 OK):
{
"@type": "TokenVerification",
"is_valid": true,
"customer_id": 10,
"expires_at": "2024-01-21T10:30:00Z"
}Admin Authentication
Admin API requests authenticate with a pre-issued Integration token — there is no admin login endpoint. Generate a token from the Integration menu in the admin panel (a store owner can generate tokens here and share them with the sub-admins who need API access), then send it on every admin request:
Authorization: Bearer <id>|<token>See Admin Authentication for the full token lifecycle, IP allowlists, and rate limits.
Cart Token Generation
Create Cart Token
Generate a guest cart token for unauthenticated users.
Endpoint:
POST /api/shop/cart-tokens:::tabs
== cURL
curl -X POST "https://your-domain.com/api/shop/cart-tokens" \
-H "Content-Type: application/json" \
-d '{}'== Node.js
const response = await fetch('https://your-domain.com/api/shop/cart-tokens', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({})
});
const cart = await response.json();
localStorage.setItem('cartToken', cart.token);
console.log('Cart Token:', cart.token);== Python
import requests
response = requests.post(
'https://your-domain.com/api/shop/cart-tokens',
headers={'Content-Type': 'application/json'},
json={}
)
cart = response.json()
print(f"Cart Token: {cart['token']}"):::
Response (201 Created):
{
"@context": "/api/contexts/Cart",
"@id": "/api/shop/cart-tokens/xyz-token-123",
"@type": "Cart",
"token": "xyz-token-123",
"items": [],
"total": 0,
"created_at": "2024-01-20T10:30:00Z"
}Password Management
Forgot Password
Request password reset for customer account.
Endpoint:
POST /api/shop/forgot-passwords:::tabs
== cURL
curl -X POST "https://your-domain.com/api/shop/forgot-passwords" \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]"
}'== Node.js
const response = await fetch('https://your-domain.com/api/shop/forgot-passwords', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
email: '[email protected]'
})
});
const result = await response.json();
console.log(result.message);== Python
import requests
response = requests.post(
'https://your-domain.com/api/shop/forgot-passwords',
headers={'Content-Type': 'application/json'},
json={'email': '[email protected]'}
)
result = response.json()
print(result['message']):::
Response (200 OK):
{
"@type": "Message",
"message": "If that email address is in our database, we will send you an email with password reset instructions."
}Change Password
There is no standalone change-password endpoint. A logged-in customer changes their password through the Customer Profile Update endpoint (PUT /api/shop/customer-profile-updates/{id}) by sending the current password alongside the new password.
Token Revocation
Logout & Revoke Token
Invalidate current authentication token.
Endpoint:
POST /api/shop/customer/logout:::tabs
== cURL
curl -X POST "https://your-domain.com/api/shop/customer/logout" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json"== Node.js
const token = localStorage.getItem('authToken');
const response = await fetch('https://your-domain.com/api/shop/customer/logout', {
method: 'POST',
headers: {
'Authorization': `Bearer ${token}`,
'Content-Type': 'application/json'
}
});
localStorage.removeItem('authToken');
console.log('Logged out successfully');== Python
import requests
token = 'YOUR_ACCESS_TOKEN'
response = requests.post(
'https://your-domain.com/api/shop/customer/logout',
headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
}
)
print('Logged out successfully'):::
Response (200 OK):
{
"@type": "Message",
"message": "Successfully logged out"
}Admin Logout
Admin tokens are not logged out over the API. To revoke an admin Integration token, open the Integration menu in the admin panel and click Revoke (or use the signed one-click link in the lifecycle email). A revoked token stops working immediately.
Authentication Headers
Using Bearer Token
Include bearer token in Authorization header for authenticated requests.
Authorization: Bearer YOUR_ACCESS_TOKENUsing Cart Token
Include cart token in X-Cart-Token header for guest cart operations.
X-Cart-Token: YOUR_CART_TOKENUsing API Key (if available)
Some endpoints may accept API Key authentication.
X-API-Key: YOUR_API_KEYError Handling
Authentication Errors
401 Unauthorized:
{
"@context": "/api/contexts/Error",
"@type": "hydra:Error",
"hydra:title": "An error occurred",
"hydra:description": "Invalid credentials or expired token"
}403 Forbidden:
{
"@context": "/api/contexts/Error",
"@type": "hydra:Error",
"hydra:title": "Access Denied",
"hydra:description": "Insufficient permissions for this operation"
}Best Practices
- Store tokens securely (use httpOnly cookies or secure storage)
- Implement token refresh mechanisms before expiration
- Use HTTPS for all authentication requests
- Validate tokens on every request
- Revoke tokens on logout
- Implement rate limiting on authentication endpoints
- Use strong passwords (minimum 8 characters, mixed case, numbers, special characters)

