Authorization tokens
Magento provides separate token services for customers and administrators. When you request a token from one of these services, the service returns a unique access token in exchange for the username (or email address) and password of a Magento account.
Magento GraphQL provides a mutation that generates a customer token from the customer's credentials. To obtain an admin token you must use a REST call. Send the token in the Authorization request header field (as a bearer token) for any subsequent queries and mutations. Because the token alone grants access to that account for its whole lifetime, request and send it only over HTTPS and keep it out of logs and URLs. See Request headers.
Customer tokens
The generateCustomerToken mutation requires the customer email address and password in the payload, as shown in the following example:
Request:
mutation {
  generateCustomerToken(email: "customer@example.com", password: "password") {
    token
  }
}
Response:
{
  "data": {
    "generateCustomerToken": {
      "token": "hoyz7k697ubv5hcpq92yrtx39i7x10um"
    }
  }
}
You can now use this token in the Authorization request header field for any queries and mutations. Note that a failed sign-in is still answered with HTTP status 200: the failure is reported in the errors array of the GraphQL response and generateCustomerToken is null, so a client must check for errors rather than relying on the HTTP status.
If necessary, you also can revoke the customer's token with the revokeCustomerToken mutation, which invalidates the token sent in the Authorization header of that request.
By default, a customer token is valid for 1 hour. You can change this value from Admin by selecting Stores > Settings > Configuration > Services > OAuth > Access Token Expiration > Customer Token Lifetime.
Admin tokens
In Magento GraphQL, you specify an admin token only if you need to query products, categories, price rules, or other entities that are scheduled to be in a campaign (staged content). Staging is supported in Adobe Commerce only. See Staging queries for more information.
Magento does not provide a GraphQL mutation that generates an admin token. You must use the POST /V1/integration/admin/token REST endpoint instead, passing the admin username and password in a JSON body; the endpoint returns the token as a bare JSON string. Generate the admin token shows how to use this endpoint.
By default, an admin token is valid for 4 hours. You can change this value from Admin by selecting Stores > Settings > Configuration > Services > OAuth > Access Token Expiration > Admin Token Lifetime.
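The following Python client is an added example covering both the customer-token and the admin-token flows described above; it is not Magento's own code. It sends the generateCustomerToken mutation, checks the errors array before trusting the response, calls the POST /V1/integration/admin/token REST endpoint, validates the returned token before placing it in a Bearer Authorization header, and then uses that header on a customer query. The store host, the admin credentials, the admin token value, the fake_magento stand-in for the server, and the 32-character alphanumeric token format (inferred from the sample token on this page) are all assumptions made so the flow can be exercised offline.

```python
import json
import urllib.error
import urllib.request

GRAPHQL_PATH = "/graphql"
ADMIN_TOKEN_PATH = "/rest/V1/integration/admin/token"

GENERATE_CUSTOMER_TOKEN = """
mutation ($email: String!, $password: String!) {
  generateCustomerToken(email: $email, password: $password) {
    token
  }
}
"""

# Assumption: tokens look like the sample on this page (32 alphanumerics).
# Validating the value before it goes into a header stops a malformed or
# tampered response from injecting CR/LF or other header-breaking bytes.
TOKEN_LENGTH = 32


def validate_token(token):
    if (not isinstance(token, str) or len(token) != TOKEN_LENGTH
            or not token.isascii() or not token.isalnum()):
        raise ValueError("unexpected token format")
    return token


def http_post_json(url, body, headers=None):
    """POST a JSON body and decode the JSON reply. A failed REST login is an
    HTTP 401 with a JSON {"message": ...} body, so that body is decoded too."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def fetch_customer_token(base_url, email, password, post=http_post_json):
    payload = {"query": GENERATE_CUSTOMER_TOKEN,
               "variables": {"email": email, "password": password}}
    resp = post(base_url + GRAPHQL_PATH, payload)
    # A failed login still comes back as HTTP 200: check "errors" first,
    # because "data.generateCustomerToken" is null in that case.
    if resp.get("errors"):
        raise PermissionError(resp["errors"][0].get("message", "GraphQL error"))
    return validate_token(resp["data"]["generateCustomerToken"]["token"])


def fetch_admin_token(base_url, username, password, post=http_post_json):
    resp = post(base_url + ADMIN_TOKEN_PATH,
                {"username": username, "password": password})
    # Success is a bare JSON string; failure is an object carrying "message".
    if not isinstance(resp, str):
        raise PermissionError(resp.get("message", "admin token request failed"))
    return validate_token(resp)


def auth_header(token):
    return {"Authorization": "Bearer " + validate_token(token)}


def whoami(base_url, token, post=http_post_json):
    """Use the token on a customer query to confirm it is accepted."""
    resp = post(base_url + GRAPHQL_PATH, {"query": "{ customer { email } }"},
                auth_header(token))
    if resp.get("errors"):
        raise PermissionError(resp["errors"][0]["message"])
    return resp["data"]["customer"]["email"]


# --- constructed stand-in for a store, used only for the offline demo ---
CUSTOMER_TOKEN = "hoyz7k697ubv5hcpq92yrtx39i7x10um"   # token shown on this page
ADMIN_TOKEN = "q0u66k8h42yaevtchv09uyy3y9gaj2ap"      # constructed value
LOGIN_FAILED = ("The account sign-in was incorrect or your account is "
                "disabled temporarily. Please wait and try again later.")


def fake_magento(url, body, headers=None):
    """Reproduces only the response shapes documented above."""
    headers = headers or {}
    if url.endswith(GRAPHQL_PATH):
        if "generateCustomerToken" in body["query"]:
            v = body["variables"]
            if (v["email"], v["password"]) == ("customer@example.com", "password"):
                return {"data": {"generateCustomerToken": {"token": CUSTOMER_TOKEN}}}
            return {"errors": [{"message": LOGIN_FAILED}],
                    "data": {"generateCustomerToken": None}}
        if headers.get("Authorization") == "Bearer " + CUSTOMER_TOKEN:
            return {"data": {"customer": {"email": "customer@example.com"}}}
        return {"errors": [{"message": "The current customer isn't authorized."}]}
    if url.endswith(ADMIN_TOKEN_PATH):
        if (body["username"], body["password"]) == ("admin", "admin123"):
            return ADMIN_TOKEN
        return {"message": LOGIN_FAILED}
    raise ValueError("unexpected URL " + url)


if __name__ == "__main__":
    base = "https://store.example"   # constructed host; use your store URL
    ctok = fetch_customer_token(base, "customer@example.com", "password", post=fake_magento)
    print("customer token:", ctok)
    print("customer query:", whoami(base, ctok, post=fake_magento))
    print("admin token:", fetch_admin_token(base, "admin", "admin123", post=fake_magento))
```

Against a real store, drop the post=fake_magento argument so http_post_json is used, and keep base on https; the token is the only thing standing between a caller and the account until it expires or is revoked.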