Authentication
There are two ways to send authenticated requests to the Medusa server: using a JWT token or using a cookie session ID.
JWT Token
Use a JWT token to send authenticated requests. Authentication state is managed by the client, which is ideal for Jamstack applications and mobile applications.
How to Obtain the JWT Token
JWT tokens are obtained by sending a request to the Customer Login (JWT) endpoint passing it the customer's email and password in the request body. For example:
curl -X POST 'https://medusa-url.com/store/auth/token' \
-H 'Content-Type: application/json' \
--data-raw '{
"email": "user@example.com",
"password": "supersecret"
}'
If authenticated successfully, an object is returned in the response with the property access_token being the JWT token.
How to Use the JWT Token
The JWT token can be used for Bearer Authentication. It's passed in the Authorization header as the following:
Authorization: Bearer {jwt_token}
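The full JWT flow described above, as an added example that is not Medusa's own client code: it builds the login request for the Customer Login (JWT) endpoint, checks that the response actually carries an access_token, and attaches it as a Bearer header. The HTTP transport is injected so the flow runs offline against a constructed fake server (the placeholder token and the fakeTransport function are assumptions, not Medusa behaviour); pass the global fetch in its place to talk to a real backend.

```javascript
// Added example (not Medusa's own client code): obtain a JWT from the
// Customer Login (JWT) endpoint and use it for Bearer authentication.
// The transport is injected so the flow can run offline; swap in the
// global fetch for real use.

const BACKEND_URL = "https://medusa-url.com"; // base URL used on the page

// Build the login request for POST /store/auth/token.
function buildLoginRequest(baseUrl, email, password) {
  return {
    url: `${baseUrl}/store/auth/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ email, password }),
    },
  };
}

// Send the login request and return the access_token from the response body.
// Fails loudly on a non-2xx status or a body without a usable token, so a
// caller never proceeds with an empty Authorization header.
async function obtainJwt(transport, baseUrl, email, password) {
  const { url, init } = buildLoginRequest(baseUrl, email, password);
  const res = await transport(url, init);
  if (!res.ok) {
    throw new Error(`login failed with HTTP ${res.status}`);
  }
  const body = await res.json();
  if (typeof body.access_token !== "string" || body.access_token.length === 0) {
    throw new Error("response did not contain an access_token");
  }
  return body.access_token;
}

// Build the headers for an authenticated request using Bearer authentication.
function bearerHeaders(jwt) {
  return { Authorization: `Bearer ${jwt}` };
}

// Constructed fake transport standing in for fetch (assumption, not a real
// server): accepts only the page's sample credentials and returns a
// placeholder token instead of a real JWT.
function fakeTransport(url, init) {
  const jsonResponse = (status, data) => ({
    ok: status >= 200 && status < 300,
    status,
    json: async () => data,
  });
  if (url.endsWith("/store/auth/token") && init.method === "POST") {
    const { email, password } = JSON.parse(init.body);
    if (email === "user@example.com" && password === "supersecret") {
      return Promise.resolve(jsonResponse(200, { access_token: "PLACEHOLDER.JWT.TOKEN" }));
    }
    return Promise.resolve(jsonResponse(401, { message: "Unauthorized" }));
  }
  return Promise.resolve(jsonResponse(404, {}));
}

// Log in against the fake transport and return the headers for the next call.
async function demo() {
  const jwt = await obtainJwt(fakeTransport, BACKEND_URL, "user@example.com", "supersecret");
  return bearerHeaders(jwt);
}
```

Calling `demo()` resolves to `{ Authorization: "Bearer PLACEHOLDER.JWT.TOKEN" }`; the same `obtainJwt` with a wrong password rejects with the HTTP 401 error rather than returning an undefined token.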
Cookie Session ID
Use a cookie session to send authenticated requests.
How to Obtain the Cookie Session
If you're sending requests through a browser, using Medusa's JS and Medusa React clients, or using tools like Postman, the cookie session should be automatically set when the customer is logged in.
If you're sending requests using cURL, you must set the Session ID in the cookie manually.
To do that, send a request to authenticate the customer and pass the cURL option -v:
curl -v -X POST 'https://medusa-url.com/store/auth' \
-H 'Content-Type: application/json' \
--data-raw '{
"email": "user@example.com",
"password": "supersecret"
}'
The response headers will be logged in the terminal along with the response body. Among the headers you should find a Set-Cookie header similar to this:
Set-Cookie: connect.sid=s%3A2Bu8BkaP9JUfHu9rG59G16Ma0QZf6Gj1.WT549XqX37PN8n0OecqnMCq798eLjZC5IT7yiDCBHPM;
Copy the value after connect.sid= (without the ; at the end) and pass it as a cookie in subsequent requests as the following:
curl 'https://medusa-url.com/store/customers/me/orders' \
-H 'Cookie: connect.sid={sid}'
Where {sid} is the value of connect.sid that you copied.
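The copy-the-cookie step above done programmatically, as an added example that is not Medusa's own code: it scans the header lines that `curl -v` prints, pulls out the connect.sid value with the trailing `;` and any cookie attributes (Path, HttpOnly, and so on) removed, and builds the Cookie header for the next request. The header lines and the session value are constructed samples, not a real session.

```javascript
// Added example (not Medusa's own code): extract the connect.sid session
// cookie from Set-Cookie response headers and build the Cookie request
// header that replays the session.

// Constructed sample of the header lines curl -v prints; the session id and
// signature are placeholders, not a real session.
const SAMPLE_HEADERS = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json; charset=utf-8",
  "Set-Cookie: connect.sid=s%3APLACEHOLDER_SESSION_ID.PLACEHOLDER_SIGNATURE; Path=/; HttpOnly; Secure",
  "Content-Length: 123",
];

// Return the value of cookie `name` from the first Set-Cookie line that sets
// it, with the trailing ';' and attributes stripped. Returns null if absent.
function extractCookie(headerLines, name) {
  for (const line of headerLines) {
    const m = /^set-cookie:\s*(.*)$/i.exec(line);
    if (!m) continue;
    const [pair] = m[1].split(";"); // "name=value" before the first ';'
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() === name) {
      return pair.slice(eq + 1).trim();
    }
  }
  return null;
}

// Build the Cookie request header for a subsequent authenticated request.
function cookieHeader(name, value) {
  return { Cookie: `${name}=${value}` };
}

// Turn a captured login response's headers into the headers for the next
// request; fails if no session cookie was set (e.g. the login did not succeed).
function sessionHeadersFrom(headerLines) {
  const sid = extractCookie(headerLines, "connect.sid");
  if (sid === null) {
    throw new Error("no connect.sid cookie in response headers");
  }
  return cookieHeader("connect.sid", sid);
}
```

`sessionHeadersFrom(SAMPLE_HEADERS)` yields `{ Cookie: "connect.sid=s%3APLACEHOLDER_SESSION_ID.PLACEHOLDER_SIGNATURE" }`, which is exactly the `-H 'Cookie: connect.sid={sid}'` argument from the cURL command above. The value is kept URL-encoded as the server sent it; decoding it would change the cookie and the session would not be recognised.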
If you're sending requests using JavaScript's Fetch API, you must pass the credentials option with the value include to all the requests you're sending. For example:
fetch(`<BACKEND_URL>/admin/products`, {
  credentials: "include",
})