How to access Magento 1.X REST and oAuth settings for REST API

Magento 1.x REST authentication is based on OAuth 1.0a, an open standard for API authorization. It uses a token-passing mechanism that lets users control which applications may access their data without giving those applications their password or other credentials. This article shows how to obtain the consumer key, consumer secret, oAuth token and oAuth token secret that are used to build the Authorization header for calling the Magento REST API.

How to get the consumer key and consumer secret, and configure the Magento REST and oAuth settings for REST API access:

Terms and Definitions:

  • User - A person with a Magento account (a customer, or, as in this article, an admin user) on whose behalf the Consumer calls the Magento API.
  • Consumer - A third-party application that uses oAuth to access the Magento API. This application must be registered in the Magento system to receive the Consumer Key and Consumer Secret.
  • Consumer Key - A value used by the Consumer to identify itself with Magento.
  • Consumer Secret - A secret used by the Consumer to guarantee the ownership of the Consumer Key. This value is not passed in requests.
  • Request Token - A value used by the Consumer to obtain authorization from the User (when needed). The Request Token is exchanged for an Access Token when permission is granted.
  • Access Token - A value used by the Consumer to call Magento APIs on behalf of the User.

Magento backend (Admin panel) configuration

Step 1: Creating an oAuth Consumer

System -> Web Services -> REST - OAuth Consumers -> Add New. Enter a name for the consumer (and your current admin password if prompted), then Save. Note down the generated consumer key and consumer secret. Store the secret as carefully as a password: anyone holding both values can start the authorization flow as this consumer.

Sample Response:
Consumer_key: 1cc517b6cb934b5***************7a596

Consumer_secret: 2dfbb639a15c235***************47cf4

Step 2: Creating and configuring an Admin REST role

System -> Web Services -> REST - Roles -> Add Admin Role -> enter a Role Name -> open the Role API Resources tab on the left -> set Resource Access to All -> Save.

Resource Access: All grants the role every REST resource, which is convenient for testing. For a production integration choose Custom and tick only the resources the consumer actually needs.



Step 3: Configuring REST attributes (resource access) for the Admin user type

System -> Web Services -> REST - Attributes -> select Admin -> set Resource Access to All -> Save. As with the role, All is the quick setting for testing; Custom lets you restrict which attributes of each resource the Admin user type may read and write.

Step 4: Assigning the configured REST role to an admin user

System -> Permissions -> Users -> select the admin user who will authorize the consumer -> open the REST Role tab on the left -> select the radio button for the role created in Step 2 -> Save.



2. How to get the oAuth token and final oAuth token secret using a REST client

The authentication flow uses the following endpoints, in this order:

  • /oauth/initiate - this endpoint is used for retrieving the Request Token.
  • /admin/oauth_authorize - this endpoint is used for user authorization (Admin).
  • /oauth/token - this endpoint is used for retrieving the Access Token.

All steps listed below were tested using REST clients such as the Mozilla REST Client extension (recommended), Postman and Advanced REST Client.

  1. /oauth/initiate

Method: POST

URL: <Magento base URL>/oauth/initiate

OAuth 1.0 header parameters: the consumer key and consumer secret obtained in Step 1 of the backend configuration. The secret itself is never sent; the client only uses it to compute oauth_signature. OAuth 1.0a also requires an oauth_callback parameter on this request (which is why the response carries oauth_callback_confirmed=true); use the value oob when, as in this article, the verifier will be copied from the browser by hand.

Sample Response: oauth_token=ff1469e90aa*****868c8ed4865aa8ecb&oauth_token_secret=d11447b004681*****c86accae032cc4c&oauth_callback_confirmed=true

These are the temporary (request) token and token secret. They are only used to authorize the consumer in the next two steps and are replaced by the permanent pair in step 3.

[Image: REST client showing the temporary oAuth token and oAuth token secret being generated]

  2. /admin/oauth_authorize

URL: <Magento base URL>/admin/oauth_authorize with the oauth_token from step 1 appended as a query parameter (oauth_token=<temporary token>).

Opening this URL in a browser shows the Magento admin login. Log in as the admin user that was given the REST role in Step 4, then authorize the request.

Once authorized, note down the URL in the address bar; it carries the verifier:

*******8d84d7f5bb5&oauth_verifier=613de3bf584d2***8c2dd2af4fb26c0

oauth_verifier is the required value for the next step.

  3. /oauth/token

Method: POST

URL: <Magento base URL>/oauth/token

OAuth 1.0 header parameters: the consumer key and consumer secret from the backend, the temporary token and token secret from step 1, and the oauth_verifier from step 2. The signature for this request is keyed with the consumer secret and the temporary token secret.

Sample Response: the same oauth_token=...&oauth_token_secret=... format as in step 1 (values listed under Final Tokens below).

(These are the final, permanent access token and token secret to be used to access Magento REST API resources. Guard the token secret like the consumer secret: together with the consumer key and secret it gives whoever holds it the full access of the admin role.)


Final Tokens:

consumer_key: 1cc517b6cb*********7594c7fc5d57a596

consumer_secret: 2dfbb639*********db9d15bee86e47cf4

oauth_token: 5aac4eac990c*********c680375f4a724

oauth_token_secret: 0256cb*********206666e8bd7684d6da4


The above four values are sent on every REST API request as an OAuth 1.0 Authorization header, together with oauth_version=1.0, a random oauth_nonce, the current oauth_timestamp and the oauth_signature. With HMAC-SHA1 the signature is computed over the HTTP method, the URL and all request parameters, keyed with consumer_secret&oauth_token_secret, so neither secret ever appears in the request itself.

For example:

Method: GET

'Authorization': 'OAuth oauth_signature_method="HMAC-SHA1",

Note: the nonce is a random string that must be unique per request; the timestamp is not random, it is the current Unix time in seconds. The server uses the pair to reject replayed requests, so a captured signed request cannot simply be resent.
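The whole flow above, as an added example that is neither part of the original article nor Magento's own code: a standard-library Python implementation of OAuth 1.0a HMAC-SHA1 signing that builds the Authorization header for each of the three legs (/oauth/initiate with oauth_callback, the /admin/oauth_authorize URL, /oauth/token with oauth_verifier) and for a final signed GET, plus a server-style verify() so a header can be checked before it is sent. BASE_URL, the /api/rest/products path, every key, secret, token and nonce, and the sample response body are constructed placeholders.

```python
# Added example, not Magento's own code: OAuth 1.0a HMAC-SHA1 signing with the
# standard library only.  BASE_URL, keys, tokens and responses are placeholders.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

BASE_URL = "https://magento.example.com"  # assumed store URL, not a real host


def pct(value):
    """Percent-encode with the RFC 3986 unreserved set, as OAuth 1.0a requires."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD&base-url&normalized-params; query-string params are signed too."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    netloc = parts.hostname or ""
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        netloc += f":{parts.port}"  # default ports are dropped from the base URL
    base_url = f"{scheme}://{netloc}{parts.path}"
    pairs = [(pct(k), pct(v)) for k, v in
             list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with consumer_secret&token_secret; the secrets stay local."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def authorization_header(method, url, consumer_key, consumer_secret, token="",
                         token_secret="", extra=None, nonce=None, timestamp=None):
    """Build the Authorization header: nonce is random per request, timestamp is
    the current Unix time (not random); both are overridable for tests."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth.update(extra or {})  # oauth_callback (leg 1) or oauth_verifier (leg 3)
    oauth["oauth_signature"] = sign(method, url, oauth, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_token_response(body):
    """Parse the oauth_token=...&oauth_token_secret=... body Magento returns."""
    return dict(parse_qsl(body, keep_blank_values=True))


def parse_authorization_header(header):
    """Inverse of authorization_header, as a server (or a self-check) parses it."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    return {k: unquote(v.strip('"')) for k, v in
            (item.split("=", 1) for item in header[6:].split(", "))}


def verify(header, method, url, consumer_secret, token_secret=""):
    """Server-side check: recompute the signature and compare in constant time."""
    params = parse_authorization_header(header)
    presented = params.pop("oauth_signature", "")
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


# Leg 1: temporary credentials.  oauth_callback is mandatory; "oob" means the
# verifier will be copied by hand from the browser, as the article does.
def leg1_initiate_header(consumer_key, consumer_secret, callback="oob", nonce=None, timestamp=None):
    return authorization_header("POST", BASE_URL + "/oauth/initiate", consumer_key, consumer_secret,
                                extra={"oauth_callback": callback}, nonce=nonce, timestamp=timestamp)


# Leg 2: the admin logs in and authorizes the request token in the browser.
def leg2_authorize_url(request_token):
    return f"{BASE_URL}/admin/oauth_authorize?oauth_token={pct(request_token)}"


# Leg 3: exchange request token + verifier for the permanent access token pair.
def leg3_token_header(consumer_key, consumer_secret, request_token, request_secret, verifier,
                      nonce=None, timestamp=None):
    return authorization_header("POST", BASE_URL + "/oauth/token", consumer_key, consumer_secret,
                                request_token, request_secret, extra={"oauth_verifier": verifier},
                                nonce=nonce, timestamp=timestamp)


if __name__ == "__main__":
    ck, cs = "CONSUMER_KEY_PLACEHOLDER", "CONSUMER_SECRET_PLACEHOLDER"
    print(leg1_initiate_header(ck, cs))
    tmp = parse_token_response(  # constructed stand-in for the /oauth/initiate response
        "oauth_token=REQTOKEN&oauth_token_secret=REQSECRET&oauth_callback_confirmed=true")
    print(leg2_authorize_url(tmp["oauth_token"]))
    print(leg3_token_header(ck, cs, tmp["oauth_token"], tmp["oauth_token_secret"], "VERIFIER"))
    print(authorization_header("GET", BASE_URL + "/api/rest/products?limit=2", ck, cs,
                               "ACCESS_TOKEN_PLACEHOLDER", "ACCESS_SECRET_PLACEHOLDER"))
```

Two points worth noticing when reading the code: the signing key is consumer_secret&token_secret, so leg 1 signs with an empty token secret (the key ends in "&"), and query-string parameters are part of the signed material, which is why verify() fails when a query value is altered. Running the script prints one header per leg; a REST client that supports OAuth 1.0 computes exactly these values from the same four credentials.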


