Magento – REST API accessible without authorization

rest api

I'm testing the REST API of magento.

According to the docs: "To make a web API call from a client such as a mobile application, you must supply an access token on the call."

I can successfully get the token for my admin account using the code below.

<?php
// Request an admin access token from the Magento 2 REST token endpoint.
$userData = array("username" => "admin", "password" => "...");
$ch = curl_init("http://localhost/magento2/index.php/rest/V1/integration/admin/token");
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($userData));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/json", "Content-Length: " . strlen(json_encode($userData))));

// The endpoint returns the token as a JSON string literal (quoted), so decode it to get the bare token.
$token = json_decode(curl_exec($ch), true);

Strangely, I can call the REST API even without using the token like so:

curl -H "Content-Type: application/json" -X POST -d '{"customer": {"email": "test@invalid.com", "firstname": "Test", "lastname": "Customer"}}' http://localhost/magento2/index.php/rest/V1/customers

No token is used in this call; however, the customer is still created. Why does the REST API of my Magento installation not require credentials, and how do I change this?

Best Answer

Magento 2 allows some web APIs to be accessed by unauthenticated (anonymous) users. Many of these APIs allow a customer to have a robust shopping experience on the website without having to log in.

Please check this link https://devdocs.magento.com/guides/v2.3/rest/anonymous-api-security.html

Preventing anonymous access to these endpoints could cause third-party integrations to fail. If a third-party integration calls any of these endpoints, it will receive an authentication error instead of the expected response. In this case, you might need to disable this feature.

To disable this feature, log in to the Admin panel and navigate to Stores > Settings > Configuration > Services > Magento Web API > Web API Security. Then select Yes from the Allow Anonymous Guest Access menu.
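Whichever way the setting is left, it helps to confirm from the client side that it is actually in force. The PHP script below is an added example, not code from the question, the answer, or the Magento docs: it sends the same POST /V1/customers request twice, once anonymously and once with an admin bearer token, and compares the HTTP status codes. It assumes the same local base URL and admin account as the question, reads the password from an environment variable named MAGENTO_ADMIN_PASS (an assumption), and constructs its own throwaway customer records.

```php
<?php
// Added example: check whether anonymous (guest) access to a Magento 2 REST
// endpoint is enabled by comparing an unauthenticated and an authenticated call.
// Assumptions: store reachable at $baseUrl, admin user "admin", password in the
// MAGENTO_ADMIN_PASS environment variable. Customer payloads are constructed data.

$baseUrl   = 'http://localhost/magento2/index.php/rest';  // assumption: same host as in the question
$adminUser = 'admin';
$adminPass = getenv('MAGENTO_ADMIN_PASS') ?: 'change-me'; // placeholder; do not hard-code a real password

/**
 * Send a JSON request and return [httpStatus, decodedBody].
 * Passing $token = null sends no Authorization header, i.e. an anonymous call.
 */
function magentoRequest(string $method, string $url, array $payload, ?string $token = null): array
{
    $headers = ['Content-Type: application/json'];
    if ($token !== null) {
        $headers[] = 'Authorization: Bearer ' . $token; // admin tokens are sent as bearer tokens
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_POSTFIELDS     => json_encode($payload),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
    ]);
    $response = curl_exec($ch);
    $status   = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    return [$status, json_decode((string) $response, true)];
}

// Builds a constructed customer record with a unique throwaway address, so the
// two attempts below do not collide on "email already exists".
function testCustomer(string $tag): array
{
    return ['customer' => [
        'email'     => "anon-check-{$tag}-" . time() . '@example.com',
        'firstname' => 'Anon',
        'lastname'  => 'Check',
    ]];
}

// Step 1: obtain an admin token. The endpoint returns the token as a JSON
// string literal, so the decoded body is the bare token string.
[$status, $token] = magentoRequest('POST', "$baseUrl/V1/integration/admin/token",
    ['username' => $adminUser, 'password' => $adminPass]);
if ($status !== 200 || !is_string($token)) {
    fwrite(STDERR, "Could not obtain admin token (HTTP $status)\n");
    exit(1);
}

// Step 2: the same create-customer request without and with credentials.
[$anonStatus] = magentoRequest('POST', "$baseUrl/V1/customers", testCustomer('anon'));
[$authStatus] = magentoRequest('POST', "$baseUrl/V1/customers", testCustomer('auth'), $token);

printf("anonymous     POST /V1/customers -> HTTP %d\n", $anonStatus);
printf("authenticated POST /V1/customers -> HTTP %d\n", $authStatus);

// With Allow Anonymous Guest Access = Yes (the default) both calls return 200 and
// create a customer. With it set to No, the anonymous call is rejected with an
// authorization error (HTTP 401) while the authenticated call still returns 200.
if ($anonStatus === 200) {
    echo "Anonymous access is ENABLED: unauthenticated clients can create customers.\n";
} else {
    echo "Anonymous access is blocked for this endpoint.\n";
}
```

Run it once before and once after changing the setting in the Admin panel; the anonymous status code should move from 200 to 401 while the authenticated call keeps working. The field the answer points to is backed by the config path webapi/webapisecurity/allow_insecure, so the same change can be scripted with bin/magento config:set webapi/webapisecurity/allow_insecure 0 followed by bin/magento cache:flush. Remember to delete the throwaway customers the check creates.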
