How to configure Magento REST and oAuth settings

(This article is for Magento 1.7.0 and greater. Older Magento versions do not implement these features.)

In my last article, I wrote about REST and oAuth to explain the terms that are used in the Magento admin area for Magento REST configuration.
This article shows the steps necessary to be able to consume REST services provided by Magento:

  1. Creating oAuth Consumer
  2. Creating and configuring Admin roles
  3. Assigning configured Admin REST Role to admin user
  4. Configuring resource attributes and access permissions

If you didn’t read my previous article about Magento REST and oAuth, I strongly suggest you do so and then return here again.

Let’s log in to our Magento admin dashboard before we start.

1. Creating oAuth Consumer

Since the Magento REST service works only with oAuth authentication, we need to create an oAuth consumer application first.

Navigate to System -> Web Services -> REST oAuth Consumers. The oAuth Consumers grid is shown. We can register any number of Consumers in Magento that can be used by various third-party oAuth clients to access our Magento resources.

  1. Click on “Add New” button to add new Consumer Application.
  2. On “New Consumer” screen insert some custom name.
  3. Key and Secret fields are disabled, and we just need to copy their values somewhere in text file for later usage (We need them for our oAuth authorization in order to be able to consume REST from Magento).
  4. We can leave the Callback URL and Rejected Callback URL fields empty for now.
  5. Save Consumer app.
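
How the Key and Secret saved in this step are used when a client signs its first OAuth call, as an added example that is not code from the original article or from Magento. It assumes OAuth 1.0a with HMAC-SHA1 signatures; the host names, the `/oauth/initiate` path and the credentials are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """Percent-encode per RFC 3986, as OAuth 1.0a (RFC 5849, section 3.6) requires."""
    return quote(str(value), safe="~")


def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded, sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature. The secrets are the HMAC key and are never sent."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()


def verify(method, url, params, signature, consumer_secret, token_secret=""):
    """Server side of the check: recompute and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


def request_token_params(consumer_key, callback, nonce=None, timestamp=None):
    """Parameters of the first OAuth leg; nonce and timestamp limit replay."""
    return {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16) if nonce is None else nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_version": "1.0",
    }


if __name__ == "__main__":
    # Constructed placeholders: not real credentials or a real host.
    url = "https://magento.example/oauth/initiate"
    params = request_token_params("example-consumer-key", "https://client.example/cb")
    print(sign("POST", url, params, "example-consumer-secret"))
```

Only the Key travels with the request; anyone who obtains the Secret can produce valid signatures for this consumer, so the file it is copied into deserves the same protection as a password.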


2. Creating and configuring Admin roles

As I mentioned in the last article about this topic, we need to create permissions for a specific user type so that the user is able to consume our Magento REST service and access the necessary resources.
Let’s navigate to System -> Web Services -> REST Roles. The REST Roles grid is shown with two user types by default:

  • Customer
  • Guest

Let’s say, for example, that we are going to use the Magento REST service for updating Products and Customers, and we need Admin permissions for that. We don’t want either the Guest or the Customer user to be able to do that.
Let’s create a new Admin role.

  1. Click on the “Add admin Role” button in the top right corner. The “Add new Role” screen is shown.
  2. In the field “Role name” enter, for example, “Administrator”.
  3. Click on the “Role API resources” tab on the left.
    The “Role Resources” screen is shown, and here we need to check the specific permissions that our Administrator user will have on each specific resource. Of course, we have an option to select “All”, but be careful with that.
  4. Click on the “Save Role” button in the top right corner of the screen.



3. Configuring resource attributes and access permissions

Navigate to System -> Web Services -> REST attributes.
Here we have a grid with three user types listed:

  • Admin
  • Customer
  • Guest

  1. Let’s click on “Admin” in order to configure the REST resource attributes that Admin will be allowed to access.
  2. Under the “User type resources” screen, select the resources that the Admin user type can access, or select “All”.
  3. Click on the “Save” button in the top-right corner.


4. Assigning configured Admin REST Role to existing admin user

OK, we configured everything to be able to use Magento REST services. Or not?
Hey, we did everything to configure resources for the Admin user type, but we didn’t assign any user to this role.

  1. Navigate to System -> Permissions -> Users. The “Users” grid is shown with the list of registered Magento site Administrators.
  2. Click on some admin user from list in order to open “Edit user” screen.
  3. There is a tab named “REST role” on the left. Click on it and a list of Admin type roles is shown on the screen.
  4. Click on “Assigned” radio box near that role name.
  5. Save User.
  6. You have successfully assigned the admin user to be able to access REST resources on our Magento.



In some of the next articles I will describe how to consume REST services from PHP and authenticate using Zend_OAuth_Consumer.

Cheers 🙂


  1. Can anyone help me out with my issue (consumer is not authorized to access resources parameter resource catalog category products attributes)?
    It’s been over 2 months that I’ve been trying to solve the issue, but no luck.
    Anyone, please give me some information or please contact me directly.

  2. I am struggling with the oauth authentication token. I filled in the columns and followed the Magento doc as it is, but one dialogue box appears: please select item. I could not understand that problem. I filled in every step correctly. Please tell me the solution.

  3. Hi guys,
    I have a problem with this.
    In the first if statement my script goes to
    header('Location: ' . $adminAuthorizationUrl . '?oauth_token=' . $requestToken['oauth_token']);
    and the response shows me the Magento LOG IN AS A CUSTOMER page

    I’m running on apache2, server api: apache2.0 handler

  4. Very nice tutorial. It really helped me to solve a big problem of mine in Magento: creating a web service with REST and oAuth.

  5. Hello,
    One query regarding the REST API in Magento.
    I have configured all the settings in the Magento admin panel, but in oAuth consumers, which URL should be put in the callbackurl? And under which name is the file saved? And in which directory should this file be put?
    — when this file are run in browser i got
    Authorize application

    An error occurred. Your authorization request is invalid.

    So what can I do?
    Please give me a solution fast.
    Thank you.

    1. In the callbackurl, try to call a function, like 'callbackUrl' => 'listProductAction', and then call the Magento REST API to get the product list

  6. I followed each and every step above but I am still getting a 404 not found exception. Do you have any idea what I am doing wrong?

    1. Hi,
      For the error, the only reason is the .htaccess file. Please upload the .htaccess file to your server’s Magento folder (if you have no .htaccess file, then upload the default Magento .htaccess file).

  7. Hi!
    I need a little help, I can’t find a solution to my problem anywhere. So I guess it’s the last place to ask.
    I want my vendors to upload products by themselves. But when I check Catalog -> Manage Products in a role, the new user created with that role can add products, but the problem is that he can also edit and delete products uploaded by our employees. I don’t want to show him the products which are already added. I just want him to add products and to edit or delete those products which he added.
    Plus, if he could just get the orders which are placed on his products, but that’s a bonus, not necessary.

  8. Hi, I use Magento Community Edition 1.9.10.
    1.How to introduce hosting free 1 year can be used with magento. Please teach me. please .
    2. How to share photos and detail product on the product page to the Line (LINE For Media Operatores) and What app. (WhatsApp :: Home) Wechat (. The new way to connect)
    3. How to share the blog article to the Line (LINE For Media Operatores) and What app. (WhatsApp :: Home) Wechat (http: // www. .The new way to connect /)

  9. Hello All,

    Good Evening,

    I have used the following code for creating the product in the Magento admin via the REST API


    if (!isset($_GET['oauth_token']) && !$_SESSION['state']) {
        $requestToken = $oauthClient->getRequestToken($temporaryCredentialsRequestUrl);
        $_SESSION['secret'] = $requestToken['oauth_token_secret'];
        $_SESSION['state'] = 1;
        echo $adminAuthorizationUrl . '?oauth_token=' . $requestToken['oauth_token'];
        header('Location: ' . $adminAuthorizationUrl . '?oauth_token=' . $requestToken['oauth_token']);
    } else if ($_SESSION['state'] == 1) {
        $oauthClient->setToken($_GET['oauth_token'], $_SESSION['secret']);
        $accessToken = $oauthClient->getAccessToken($accessTokenRequestUrl);
        $_SESSION['state'] = 2;
        $_SESSION['token'] = $accessToken['oauth_token'];
        $_SESSION['secret'] = $accessToken['oauth_token_secret'];
        header('Location: ' . $callbackUrl);
    } else {
        $oauthClient->setToken($_SESSION['token'], $_SESSION['secret']);
        $resourceUrl = "$apiUrl/products";
        $oauthClient->fetch($resourceUrl, array(), 'GET', array('Content-Type' => 'application/json'));
        $productsList = json_decode($oauthClient->getLastResponse());
    } catch (OAuthException $e) {

    But it is redirecting to oauth_admin.php without creating a new product in the admin

    It is redirecting to

    Please help, where did I make the mistake?

    Awaiting your reply,

    Thank you,

  10. In looking at the Magento documentation, it appears that there are no POST methods written yet for the REST API. We are looking to accept orders from another system via an API so that we don’t have to re-enter them manually. But even when looking at the SOAP API, there doesn’t appear to be any method to create new orders, just perform various updates to them. Am I correct in my interpretation?

  11. Hi, I got the consumer key but I am still not able to see my token key. How do I find it in the admin panel?

  12. I want to add the admin user at the time of customer account creation.

    That means I want to make the customer an admin user.
