A RESTful API should be stateless. This means that request authentication must not depend on cookies or server-side sessions; instead, every request carries its own authentication credentials. Out of the box, OroPlatform provides OAuth 2.0 as its authentication mechanism.

OAuth 2.0

OAuth 2.0 is the industry-standard protocol for authorization. It supports specific authorization flows for web applications, desktop applications, mobile phones, and other device types. Oro implements OAuth 2.0 via OroOAuth2ServerBundle, which supports the following grant types:

Authorization Code Grant

For web and mobile applications that can redirect users. Supports the PKCE extension, which public clients (single-page and mobile apps that cannot keep a client secret) should always use.

Client Credentials Grant

For machine-to-machine communication without user interaction.

Password Grant

For trusted applications that handle user credentials directly. This grant exposes the user's password to the client and is discouraged by the OAuth 2.0 Security Best Current Practice; prefer the authorization code grant with PKCE wherever a redirect is possible.
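The three grants above differ only in what the client sends to the authorization and token endpoints. The following is an added example (not code from OroPlatform or OroOAuth2ServerBundle) that builds the PKCE code_verifier/code_challenge pair and the request bodies for each grant; the two endpoint paths, the client identifiers and the redirect URI are assumptions for illustration and must be taken from your own Oro instance and OAuth application settings.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional
from urllib.parse import urlencode

# Added example, not OroOAuth2ServerBundle code. The two endpoint paths are
# assumptions made for illustration; take the real ones from your Oro instance.
AUTHORIZE_PATH = "/oauth2-token/authorize"
TOKEN_PATH = "/oauth2-token"


def make_pkce_pair(verifier: Optional[str] = None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636.

    A fresh verifier is 32 random bytes, base64url-encoded without padding
    (43 characters, inside the 43..128 range the RFC requires). The challenge
    is the base64url-encoded SHA-256 of the verifier; only the challenge goes
    in the authorization request, the verifier is revealed at the token endpoint.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorization_url(base_url: str, client_id: str, redirect_uri: str,
                      state: str, code_challenge: str) -> str:
    """Authorization code grant, step 1: the URL the user's browser is sent to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,                      # CSRF protection, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return base_url.rstrip("/") + AUTHORIZE_PATH + "?" + urlencode(params)


def authorization_code_token_form(client_id: str, code: str, redirect_uri: str,
                                  code_verifier: str,
                                  client_secret: Optional[str] = None) -> Dict[str, str]:
    """Authorization code grant, step 2: form body POSTed to the token endpoint."""
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,        # must equal the one used in step 1
        "code_verifier": code_verifier,
    }
    if client_secret is not None:            # confidential clients only
        form["client_secret"] = client_secret
    return form


def client_credentials_token_form(client_id: str, client_secret: str) -> Dict[str, str]:
    """Client credentials grant: no user, no redirect, one POST to the token endpoint."""
    return {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}


def password_token_form(client_id: str, client_secret: str,
                        username: str, password: str) -> Dict[str, str]:
    """Password grant: the client handles the user's credentials itself."""
    return {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username, "password": password}


def state_matches(expected: str, received: str) -> bool:
    """Constant-time comparison of the `state` echoed back on the redirect."""
    return secrets.compare_digest(expected, received)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(authorization_url("https://oro.example", "my-client",
                            "https://app.example/callback", state, challenge))
    print(authorization_code_token_form("my-client", "<code from redirect>",
                                        "https://app.example/callback", verifier))
```

The verifier must be stored per login attempt (session or secure storage) between the redirect and the token request, and the `state` value compared before the code is exchanged; the PKCE helper is checked against the RFC 7636 Appendix B test vector.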

Using an access token

Once you have obtained an access token, include it as a Bearer token in the Authorization header of each request:
GET /api/users HTTP/1.1
Accept: application/vnd.api+json
Authorization: Bearer <access_token>
Access tokens are valid for 3600 seconds (1 hour) and can be reused until they expire; a client should cache the token and request a new one only when it is about to expire rather than on every request.
Access tokens for back-office and storefront API are not interchangeable. A token generated for the back-office application cannot be used to access storefront API resources, and vice versa.
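A small client that follows the two rules above (reuse the token until it expires, keep back-office and storefront tokens apart), as an added example that is not OroPlatform code. It obtains tokens with the client credentials grant; the token endpoint path and the JSON shape of the token response (`access_token`, `token_type`, `expires_in`) are assumptions based on the standard OAuth 2.0 token response, and the `FakeTokenServer` is a constructed stand-in so the example runs offline.

```python
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Added example, not OroPlatform code. The token endpoint path is an assumption;
# confirm it against your Oro instance's OAuth application settings.
TOKEN_PATH = "/oauth2-token"

# transport(url, form_body, headers) -> (http_status, response_body)
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real HTTP POST using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class OroTokenClient:
    """Holds one access token for one API base URL.

    Use one instance for the back-office API and a separate one for the
    storefront API: tokens for the two are not interchangeable, and keeping
    them in separate instances makes it impossible to send one to the other.
    """

    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 transport: Transport = urllib_transport,
                 clock: Callable[[], float] = time.time, skew_seconds: float = 60.0):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret
        self._transport = transport
        self._clock = clock
        self._skew = skew_seconds            # renew this long before expiry
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def access_token(self) -> str:
        """Return the cached token, fetching a new one only near/after expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._token, self._expires_at = self._fetch_token()
        return self._token

    def _fetch_token(self) -> Tuple[str, float]:
        form = urlencode({"grant_type": "client_credentials",
                          "client_id": self.client_id,
                          "client_secret": self.client_secret}).encode("ascii")
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "application/json"}
        status, payload = self._transport(self.base_url + TOKEN_PATH, form, headers)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}: {payload[:200]!r}")
        data = json.loads(payload)
        if data.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unexpected token_type in token response")
        # 3600 s is the documented lifetime, but trust what the server says.
        lifetime = float(data.get("expires_in", 3600))
        return data["access_token"], self._clock() + lifetime

    def headers(self) -> Dict[str, str]:
        """Headers for an API request, matching the GET example in the text."""
        return {"Accept": "application/vnd.api+json",
                "Authorization": f"Bearer {self.access_token()}"}


class FakeTokenServer:
    """Constructed stand-in for the token endpoint (offline demo/test only)."""

    def __init__(self, expires_in: int = 3600, secret: str = "s3cret"):
        self.expires_in, self.secret, self.issued = expires_in, secret, 0

    def __call__(self, url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
        form = dict(parse_qsl(body.decode("ascii")))
        if not url.endswith(TOKEN_PATH) or form.get("grant_type") != "client_credentials":
            return 400, b'{"error":"unsupported_grant_type"}'
        if form.get("client_secret") != self.secret:
            return 401, b'{"error":"invalid_client"}'
        self.issued += 1
        return 200, json.dumps({"token_type": "Bearer", "expires_in": self.expires_in,
                                "access_token": f"tok-{self.issued}"}).encode("ascii")


if __name__ == "__main__":
    now = [1_000.0]
    backoffice = OroTokenClient("https://oro.example", "bo-client", "s3cret",
                                transport=FakeTokenServer(), clock=lambda: now[0])
    print(backoffice.headers())   # first call fetches a token
    print(backoffice.headers())   # second call reuses it
    now[0] += 3600                # past expiry: a new token is fetched
    print(backoffice.headers())
```

Swap `FakeTokenServer()` for the default `urllib_transport` to talk to a real instance; the `skew_seconds` margin avoids sending a request with a token that expires in flight.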

Prerequisites

OAuth authentication requires a private/public key pair to be generated and placed on the server: the private key signs the access tokens the server issues and the public key verifies them, so the private key must be readable only by the application user and must never be committed to version control or placed under the web root. Contact your administrator if you see the error:
The encryption key does not exist.
If the customer portal package is installed, OAuth authorization for customer users to the storefront API resources is enabled automatically.
