
I managed to make an api call without token. why?

SOLVED


Hello

I just made the following API call without needing a token. I am really surprised now. Is it a security issue?


curl --request POST \
  --url http://magento.xxxx.com/index.php/rest/V1/customers \
  --header 'content-type: application/json' \
  --data '{"customer" : {"email" : "user3@example.com","firstname" : "John","lastname" : "Doe","storeId" : 1,"websiteId": 1},"password" : "Demo1234"}'

I saw my store and the customer was successfully created!

I tested this code in two places: 1) my computer, 2) a random DigitalOcean server.

Accepted Solution

Re: I managed to make an api call without token. why?

Some of the REST API endpoints are available anonymously, including the create account functionality - this mimics the fact that anyone can create a customer account on the frontend of the website.

It's actually one of the examples on this page http://devdocs.magento.com/guides/v2.0/get-started/authentication/gs-authentication.html

----
If you've found one of my answers useful, please give "Kudos" or "Accept as Solution" as appropriate. Thanks!
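To know which routes a store exposes without any token, a site owner can audit the route permissions declared in each module's etc/webapi.xml instead of probing endpoints by hand. This is an added example, not code from this thread or from Magento; the XML fragment is constructed to mirror the route/resources layout Magento 2 uses, and the service class names and the Example_Module ACL id are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a Magento 2 module's etc/webapi.xml.
# Class names and the Example_Module ACL id are placeholders, not real modules.
SAMPLE_WEBAPI_XML = r"""<?xml version="1.0"?>
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <route url="/V1/customers" method="POST">
        <service class="Example\Module\Api\AccountInterface" method="createAccount"/>
        <resources>
            <resource ref="anonymous"/>
        </resources>
    </route>
    <route url="/V1/customers/me" method="GET">
        <service class="Example\Module\Api\CustomerRepositoryInterface" method="getSelf"/>
        <resources>
            <resource ref="self"/>
        </resources>
    </route>
    <route url="/V1/customers/:customerId" method="DELETE">
        <service class="Example\Module\Api\CustomerRepositoryInterface" method="deleteById"/>
        <resources>
            <resource ref="Example_Module::delete"/>
        </resources>
    </route>
</routes>
"""


def audit_routes(xml_text):
    """Return (method, url, access) for every route.

    access is 'anonymous' (no token needed), 'self' (a customer token for the
    caller's own record), the comma-joined ACL ids an admin/integration token
    must hold, or 'UNDECLARED' when a route lists no resource at all.
    """
    root = ET.fromstring(xml_text)
    results = []
    for route in root.findall("route"):
        refs = [r.get("ref") for r in route.findall("resources/resource")]
        if "anonymous" in refs:
            access = "anonymous"
        elif refs == ["self"]:
            access = "self"
        else:
            access = ",".join(sorted(refs)) or "UNDECLARED"
        results.append((route.get("method"), route.get("url"), access))
    return results


def anonymous_routes(xml_text):
    """Only the routes reachable without a token, the ones worth reviewing first."""
    return [(m, u) for m, u, a in audit_routes(xml_text) if a == "anonymous"]
```

Run it over every etc/webapi.xml under app/code and vendor to get the full list of anonymous routes for a given installation, then confirm each one is intended (as POST /V1/customers is here).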
