Edit in GitHubLog an issue


The Marketplace EQP API uses a two-step process to authenticate a client application and authorize access to resources:

  1. Using your API access key, obtain a session token.
  2. Provide the session token as an HTTP Authorization Bearer header to access a resource.

Base URLs#

In code examples in this documentation, we use the Base URL of the sandbox.

Once you are confident your sandbox API calls are correct, and you wish to submit a package for full manual review on the production environment, do the following:

  • Use the production Base URL instead of the sandbox one
  • Use your production API access key: application ID and application secret
EnvironmentBase Url

Authentication and authorization flow#

You must use your API access key -- which is an application ID and secret -- to obtain your session token. The following is an example:

  • application IDAQ17NZ49WC
  • application secret8820c99614d65f923df7660276f20e029d73e2ca

How to obtain a session token {#session-token}#

The following endpoint grants a session token:

Copied to your clipboard
POST /rest/v1/app/session/token


You must specify the grant type in the request body:

Copied to your clipboard
2 "grant_type": "session",
3 "expires_in": 7200

Field details:

grant_typestringyesThe API only supports the session grant type; other values will give an error.
expires_inintnoSpecifies the number of seconds that the session token will be valid. If the requested time exceeds the system's maximum allowed, the system's maximum limit will be used instead.

The following example shows a request to the sandbox, using the application ID and secret from above. A successful HTTP 200 OK response will be sent for a valid application ID and secret.

Copied to your clipboard
1curl -X POST \
2 -u 'AQ17NZ49WC:8820c99614d65f923df7660276f20e029d73e2ca' \
3 -H 'Content-Type: application/json' \
4 -d '{ "grant_type" : "session" }' \
5 https://developer-stg-api.magento.com/rest/v1/app/session/token

Field details:

mage_idstringYour user account. This is your "Magento ID."
uststringUser Session Token. It will be used in the Authorization: Bearer header for all subsequent API calls.
expires_inintNumber of seconds the session token will be valid. Example: 7200 seconds is 2 hours.
  • The session token has a relatively short duration.
  • You can get as many session tokens as you need. You do not need to wait for a session token to expire before requesting another one. Multiple session tokens can be active at the same time, so you can run multiple scripts at the same time.
  • Once the session token expires, a new token must be obtained as described above.
  • Session tokens are specific to each environment. Session tokens generated for the sandbox cannot be used for production, and vice-versa.

How to use a session token#

After obtaining a valid session token, you must use it as an authorization bearer token in all subsequent API calls. Using the example values from above, run the following command to access your user profile with a session token:

Copied to your clipboard
1curl -X GET \
2 -H 'Authorization: Bearer baGXoStRuR9VCDFQGZNzgNqbqu5WUwlr.cAxZJ9m22Le7' \
3 https://developer-stg-api.magento.com/rest/v1/users/MAG123456789
  • Privacy
  • Terms of Use
  • Do not sell my personal information
  • AdChoices
Copyright © 2022 Adobe. All rights reserved.