How to Get Admin Token by REST API in Magento 2.4.7 (2025)
How to Get Admin Token by REST API in Magento 2.4.7 (2025)
Magento 2.4.7 introduces improved security and API handling. One of the most essential steps in any API-based integration with Magento is obtaining the Admin Access Token using the POST /V1/integration/admin/token endpoint.
This access token is a JWT (JSON Web Token) that authorizes the user to make further secure API calls. Without this token, Magento will deny access to most admin-level REST API operations.
Table Of Content
Understanding the Importance of Admin Access Tokens
Admin tokens play a critical role in secure system communication and automation within modern eCommerce platforms. They serve as digital keys that authorize privileged operations, ensuring only authenticated users or systems can access sensitive backend features.
What Is an Admin Token?
An Admin Token is a secure, temporary access credential that allows authorized administrators or systems to interact with protected endpoints of the backend API. This token must be included in the header of each API request that performs administrative-level actions, such as managing products, customers, orders, configurations, or system operations.
Why Is an Admin Token Required?
The use of an admin token is mandatory when performing tasks that involve:
- Accessing secure backend resources
- Bypassing customer-level permissions
- Running high-level administrative operations programmatically
It ensures the system verifies and trusts the source of the API call, maintaining strict access control over critical business operations.
Common Use Cases
| Use Case | Description |
|---|---|
| Data Syncing | Automatically synchronizing product catalogs, customer records, and order information with third-party systems such as ERP, CRM, or inventory management tools. |
| Headless Frontends | When building frontend applications using JavaScript frameworks, admin tokens may be needed to fetch backend data during content management operations. |
| Bulk Product Management | Automating product creation, updates, or deletions across thousands of SKUs. |
| Order Processing | Creating, updating, or tracking orders from external systems or automation scripts. |
| Configuration Deployment | Programmatically applying configuration settings across environments. |
| System Integration | Allowing trusted external services or microservices to execute tasks via REST or GraphQL endpoints. |
Security Best Practices
| Recommendation | Details |
|---|---|
| Use HTTPS Only | Always transmit tokens over secure HTTPS connections to prevent interception. |
| Token Expiry | Implement expiration or session-based timeouts for admin tokens. Avoid long-lived tokens in production. |
| Minimal Scope | Assign only the necessary privileges associated with the token to follow the principle of least privilege. |
| Secure Storage | Do not store admin tokens in public repositories or expose them in client-side code. Use environment variables or secure vaults. |
| Audit & Revoke | Periodically audit token usage and revoke unused or compromised tokens immediately. |
Admin tokens are essential for secure, automated, and scalable management of backend operations in eCommerce environments. They enable system integrations, streamline workflows, and support custom admin functionality—all while maintaining control and security over protected resources.
Admin Token Authentication in Magento 2.4.7
Magento 2.4.7 uses admin tokens to authenticate and authorize requests to protected endpoints, ensuring secure interactions with the backend of your Magento store. Admin tokens play a critical role in automating tasks like syncing product data, managing orders, and handling other administrative tasks without manually accessing the Magento admin panel. By utilizing these tokens, systems can securely communicate with Magento’s REST API or GraphQL, allowing for a wide range of integrations.
Admin tokens are required for tasks that involve creating, modifying, or retrieving sensitive data, such as customer and order information, inventory, and product details. This method of authentication enhances security by ensuring that only authorized users or systems can perform certain actions.
Token Generation Endpoint
The admin token is generated via a REST API endpoint that requires an authenticated user’s credentials (username and password) to issue a token. The following section outlines the token generation process:
- Method:
POST - Endpoint Path:
/rest/V1/integration/admin/token
The full URL for token generation would be:
https://your-magento-domain/rest/V1/integration/admin/token
Replace <your-magento-domain> with the actual domain of your Magento instance.
Request Requirements
In order to obtain an admin token, you need to send a POST request with the admin username and password in the body. These credentials will be used to verify the identity of the user and generate a token for subsequent API requests. Here’s an example of how you should structure the request:
Request Headers:
- Content-Type:
application/json
Request Body (JSON format):
{
"username": "admin_username",
"password": "admin_password"
}
- Important: Never expose real credentials in the request body. Always ensure that the credentials are kept secure.
Example: PHP cURL Script to Get Admin Token
To generate an admin token programmatically, you can use PHP’s cURL functionality. The following script shows an example of how to use cURL to send the request to the Magento API and retrieve the token:
<?php
$url = "https://your-magento-site.com/rest/V1/integration/admin/token";
$data = ["username" => "admin_username", "password" => "admin_password"];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
$response = curl_exec($ch);
curl_close($ch);
$token = json_decode($response);
echo "Admin Token: " . $token;
?>
This PHP script initiates the POST request, sends the credentials, and retrieves the token in response.
Successful Response Format
When the request is successful, Magento returns a JSON Web Token (JWT) as a response. This token must be used in the Authorization header for any further requests that require authentication.
Here’s an example of the response format:
"eyJraWQiOiIxIiwiYWxnIjoiSFMyNTYifQ.eyJ1aWQiOjEwLCJpYXQiOjE2ODAwMDAwMDAsImV4cCI6MTY4MDAwMzYwMH0..."
You would include this token in the Authorization header of subsequent requests, like so:
Authorization: Bearer <admin_token>
This ensures that the API call is authenticated, and the corresponding user permissions are honored.
Best Practices for Admin Token Usage
Admin tokens are a powerful tool for securing automated operations, but they also require careful management. Below are key best practices to follow when working with admin tokens:
| Recommendation | Explanation |
|---|---|
| Use HTTPS Only | Always ensure that token requests are sent over a secure HTTPS connection. This protects sensitive data from being intercepted during transmission. |
| Never Hardcode Credentials | Avoid hardcoding admin usernames and passwords directly in scripts. Instead, use environment variables, or secure secrets management tools to keep your credentials safe. |
| Token Expiration Strategy | Implement expiration policies for tokens to reduce the risk of abuse. Use time-limited or session-based tokens that are automatically invalidated after a certain period. |
| Restrict Token Scope | Follow the principle of least privilege by ensuring tokens only have access to the minimal set of permissions required. |
| Secure Token Storage | Never store tokens in public repositories or client-side code like JavaScript. Use server-side memory or secure vaults for storage. |
| Audit and Revoke | Regularly audit the usage of tokens and immediately revoke any tokens that are no longer in use or are suspected of being compromised. |
By adhering to these best practices, you can significantly reduce the risk of token theft, unauthorized access, or security breaches in your Magento store.
Common Use Cases for Admin Tokens
Admin tokens can be used in a variety of scenarios where interaction with Magento’s backend is necessary without using the admin panel. Below are some common use cases:
| Use Case | Description |
|---|---|
| API-Based Integrations | Sync data with external systems like ERP, CRM, and inventory management tools. Admin tokens are used for authentication when interacting with Magento’s API for tasks like updating products, orders, and customers. |
| Headless Architectures | In headless setups, where the front end is decoupled from the Magento backend, admin tokens are required to access and manage backend data from external applications. |
| Bulk Data Operations | Admin tokens facilitate automating tasks like product creation, updating product details, or deleting thousands of records via APIs, reducing manual labor and increasing operational efficiency. |
| Deployment Automation | In CI/CD workflows, admin tokens can be used to programmatically apply configuration settings across environments, ensuring consistency across multiple Magento instances. |
| Custom Applications | Allow external systems or custom applications to securely access and modify Magento data, such as performing background tasks or managing content. |
Additional Considerations
- Rate Limiting: Be aware of any rate limits set by Magento API. If you are making multiple requests (especially in bulk), ensure that your system handles rate limits effectively by using retries or delays where necessary.
- Logging and Monitoring: Log all token-related actions and monitor for suspicious activity. If tokens are being used unexpectedly or in unusual patterns, it’s a sign that they may have been compromised.
- Token Rotation: Regularly rotate admin tokens and set up automated token expiration to prevent tokens from lingering indefinitely, reducing security risks.
Using Admin Token in Magento API Requests
Once you've successfully generated an admin access token via Magento's authentication endpoint, the next step is to use that token to interact with protected REST or GraphQL endpoints. This token enables programmatic control over backend operations such as product creation, order management, and customer synchronization.
Attaching the Token in Requests
To use the admin token in other API calls, you must include it in the Authorization header of every request. This allows Magento to authenticate the request and verify its privileges.
Header Format:
Authorization: Bearer <your-access-token>
Example:
Authorization: Bearer eyJraWQiOiIxIiwiYWxnIjoiSFMyNTYifQ.eyJ1aWQiOjEyMywidXR5cGlkIjox...
This token must be passed with every subsequent API call that requires admin-level access.
Security Considerations
Proper handling of the admin token is critical to maintaining the security and integrity of your Magento system. Below are essential guidelines:
1. Secure Token Transmission
- Always send the token over HTTPS to prevent man-in-the-middle attacks.
- Avoid exposing tokens in client-side applications, browser code, or public logs.
2. Session Management
- Tokens should be short-lived in production environments.
- Implement automatic token invalidation after inactivity or after a predefined expiry time.
3. Storage Practices
- Store tokens in server-side sessions, memory-based caches, or secure vaults.
- Do not save tokens in frontend code or expose them via JavaScript.
4. Token Rotation and Expiry
- Design your integration to handle token expiration and re-authenticate when needed.
- Rotate tokens periodically, especially for long-running applications or daemons.
5. Permission Scope
- Issue tokens only to accounts with the minimum required permissions.
- Avoid granting full admin rights unless absolutely necessary.
Practical Usage Scenarios
Here’s how the admin token is applied across real-world use cases:
| Use Case | Description |
|---|---|
| Product Management | Creating, updating, or deleting product data via REST or GraphQL endpoints. |
| Order Fulfillment | Automating order status updates, invoicing, or shipment creation using token-authenticated APIs. |
| Customer Account Handling | Managing customer data, resetting passwords, or assigning customer groups. |
| Backend Configuration Sync | Programmatically adjusting settings across environments (e.g., staging to production). |
| Report Extraction | Fetching sales reports, stock status, or analytics data for BI systems. |
Token Expiry & Renewal
Tokens in Magento are based on JSON Web Tokens (JWT). Their expiration time is controlled via server-side configuration (typically through env.php or jwt.xml). You must:
- Monitor the expiration duration of tokens.
- Use a re-authentication mechanism in your application to regenerate tokens before expiry.
- Avoid designing systems that depend on a single, persistent token for extended periods.
Using admin tokens allows powerful and secure access to Magento’s backend. However, with this power comes responsibility. Always follow industry security standards to protect tokens, validate privileges, and secure all API communications.
Admin Token API Reference
The Admin Token API in Magento allows you to programmatically generate a JSON Web Token (JWT) that grants access to all secured admin-level REST and GraphQL endpoints. This is essential for any external system or integration requiring backend-level access.
API Details
| Property | Value |
|---|---|
| Method | POST |
| Endpoint | /rest/V1/integration/admin/token |
| Content-Type | application/json |
| Request Body | { "username": "your_admin", "password": "your_password" } |
| Response | JWT access token (string format) |
Key Concepts
What Is a JWT Admin Token?
A JWT token is a secure, encoded string that represents the authenticated session. Once obtained, it must be included in the Authorization header in subsequent API requests using the format:
Authorization: Bearer <access_token>
Use Cases
- Authenticating automated scripts for catalog, order, and customer updates
- CI/CD configuration deployment workflows
- Headless application integration
- External reporting and synchronization systems
Best Practices for Token Management
1. Use Environment Variables
Store sensitive data such as admin credentials and tokens in environment variables or secure vaults (e.g., .env files or secret managers). Avoid hardcoding them in scripts or repositories.
2. Secure All Connections
Always use HTTPS when communicating with Magento’s API. Transmitting credentials or tokens over plain HTTP is insecure and exposes them to interception.
3. Rotate Admin Credentials
Change admin passwords and rotate authentication tokens periodically to minimize long-term risk in case of exposure.
4. Apply Access Control Rules
Limit API access by defining role-specific permissions using Magento’s Access Control List (ACL). Create dedicated API users with scoped permissions instead of using the super admin
5. Token Expiration Policies
Implement session timeouts and automatic token invalidation for enhanced control. JWTs should not remain valid indefinitely.
6. Audit Usage Regularly
Review logs and access trails to monitor token usage. Revoke or rotate any tokens that show suspicious activity or are no longer needed.
Security Recommendations
| Recommendation | Explanation |
|---|---|
| Use HTTPS Only | Ensures token is transmitted securely to prevent eavesdropping. |
| Never Hardcode Credentials | Prevents exposure in code repositories or browser views. |
| Token Expiry Strategy | Reduces risk by invalidating long-lived tokens. |
| Restrict Token Scope | Limits access to only the permissions required by the API role. |
| Secure Token Storage | Keeps tokens on server-side or in encrypted storage only. |
| Audit and Revoke | Periodically check token activity and revoke tokens as needed. |
Understanding Post-Authentication Use of Admin Tokens in Magento
Once an admin token is successfully generated using Magento’s REST API, it serves as a gateway to a wide range of secured operations within the system. This token authenticates API calls, allowing seamless automation and system integration.
Key Use Cases After Generating an Admin Token
Admin tokens empower developers to manage backend operations without relying on manual admin panel tasks. Here are the most common use cases:
| Use Case | Description |
|---|---|
| Product Lifecycle Management | Create, update, or delete products in bulk or individually through secure API calls. Essential for managing catalogs in ERP or PIM integrations. |
| Order and Customer Handling | Retrieve, update, or manage customer and order records. Useful for syncing customer behavior, statuses, and lifecycle across external platforms. |
| Admin Configuration Control | Adjust configuration settings programmatically, deploy changes across environments (staging, production), and ensure consistency. |
| Workflow Automation | Automate repetitive tasks such as stock updates, category assignments, or custom rule enforcement. |
| Data Synchronization | Integrate with external systems like inventory management or customer service platforms to maintain real-time data consistency. |
Token Usage Guidelines
To use the token in subsequent API calls, attach it to the request header like this:
Authorization: Bearer <your_access_token>
This token must be stored securely on the server side. Its expiration behavior is controlled by Magento's JWT settings in env.php. Tokens typically expire after a certain session duration to enhance security.
Troubleshooting Common Issues
When working with admin tokens, developers may encounter several challenges. The table below outlines common problems, potential causes, and recommended solutions.
| Issue | Possible Cause | Resolution |
|---|---|---|
| 401 Unauthorized | Token is expired or admin credentials are incorrect | Reauthenticate with correct username/password and retrieve a new token |
| Invalid JSON Response | The request body format is incorrect | Ensure the payload is valid JSON (no trailing commas, correctly quoted keys/values) |
| CURL Not Working in PHP | Server has SSL restrictions or cURL is misconfigured | Use CURL_SSL_VERIFYPEER => false during testing (not recommended for production). Also check if firewall blocks outbound requests |
Security Considerations
- Always use HTTPS when transmitting tokens to prevent man-in-the-middle attacks.
- Never expose admin tokens in front-end applications or public repositories.
- Rotate tokens and credentials regularly and audit usage logs.
- Apply role-based access control (RBAC) to limit token capabilities only to what is necessary.
Tip
To enhance your eCommerce store’s performance with Magento, focus on optimizing site speed by utilizing Emmo themes and extensions. These tools are designed for efficiency, ensuring your website loads quickly and provides a smooth user experience. Start leveraging Emmo's powerful solutions today to boost customer satisfaction and drive sales!
Conclusion
Obtaining an Admin Access Token via Magento 2.4.7’s REST API is a foundational step for securely integrating third-party systems, managing store data programmatically, and automating administrative tasks. Whether you're syncing data with ERPs, building custom applications, or automating backend operations, the V1/integration/admin/token endpoint provides the gateway to Magento's full suite of API features.
In this updated 2025 guide, we covered everything from crafting your request payload to securely handling tokens, using PHP and Postman, and applying best practices like HTTPS enforcement and session caching. By mastering token-based authentication, you ensure that your Magento integrations remain secure, scalable, and compliant with modern eCommerce standards.
Now that you can confidently generate and use the Admin Token, you’re ready to unlock deeper API functionalities—such as product creation, order management, and customer synchronization—setting the stage for seamless automation and efficient store operations in Magento 2.4.7 and beyond.
FAQs
What is the Magento 2 Admin Token used for?
The Admin Token is used to authenticate API requests that require administrative privileges in Magento 2, enabling secure interaction with store data.
Which endpoint is used to get the Admin Token in Magento 2?
You can obtain the Admin Token by sending a POST request to the /rest/V1/integration/admin/token endpoint.
What HTTP method is used to request the Admin Token?
The HTTP method used is POST with the username and password passed in the JSON request body.
What credentials are needed to generate an Admin Token?
You need a valid Magento 2 admin username and password to generate the token.
Can I use the Admin Token for customer or guest APIs?
No, Admin Tokens are only valid for endpoints requiring admin access. Use customer or guest tokens for respective APIs.
How is the Admin Token used in subsequent API calls?
The token must be passed in the header of the request as: Authorization: Bearer <access_token>
Is it secure to store the Admin Token on the client side?
No. Never store Admin Tokens on the client side. They must be handled server-side to prevent unauthorized access.
What’s the difference between Admin Token and Customer Token in Magento 2?
The Admin Token provides full access to backend operations while the Customer Token is scoped to customer-level interactions only.
Can I test the Admin Token endpoint using Postman?
Yes, you can send a POST request in Postman to the endpoint with admin credentials in the JSON body to get the token.
What response format is returned when the Admin Token is generated?
The response is a JSON string containing the token, for example: "eyJraWQiOiIxIiwiYWxnIj..."
Can I generate the Admin Token using PHP?
Yes, you can use PHP cURL to send a POST request with JSON-encoded credentials to retrieve the token.
Does Magento 2.4.7 support the same endpoint for token generation?
Yes, the V1/integration/admin/token endpoint is still used in Magento 2.4.7 for admin token authentication.
Why am I getting a 401 Unauthorized error when requesting the token?
This usually occurs if your admin credentials are incorrect or if there’s a configuration issue with your Magento installation.
How long is the Admin Token valid?
By default, the Admin Token expires after a session timeout configured in Magento. You can customize session durations in the backend settings.
Can I invalidate or revoke an Admin Token manually?
Magento does not provide a direct endpoint to revoke a token, but logging out or changing the admin password will invalidate existing tokens.
