Magento 2 API Essential Guide

Aug 9, 2024 · 6 minute read

What type of API does Magento 2 provide?

REST API

Magento 2 provides a comprehensive REST API that allows developers to interact with the system using standard HTTP methods. Key points about the REST API include:

  • It uses lightweight JSON or XML for data exchange
  • It's stateless and cacheable, making it highly scalable
  • It's relatively simple to use and understand
  • It supports CRUD operations on Magento resources

SOAP API

Magento 2 also offers a SOAP API. Some key aspects of the SOAP API are:

  • It uses XML for data exchange
  • It provides built-in error handling and ACID-compliant transactions
  • It's more complex than REST but offers robust features
  • It's a good choice for applications requiring high security and reliability

GraphQL API

Magento 2 has added support for GraphQL in recent versions. Notable points about the GraphQL API include:

  • It allows clients to request exactly the data they need
  • It's more efficient for mobile applications and scenarios with limited bandwidth
  • It has a strongly typed schema that defines available data types and operations
  • It provides a flexible query language for interacting with Magento data

Key Considerations

  • The choice between REST, SOAP, and GraphQL depends on specific needs and use cases
  • REST is often favored for its simplicity and scalability
  • SOAP offers robust features but can be more complex
  • GraphQL provides a balance of power and flexibility

Does the Magento 2 API have webhooks?

Official Magento 2 API and Webhooks

  • The official Magento 2 API does not natively include webhooks functionality.
  • Better support for webhooks in Magento 2 is on the backlog, but there is no guarantee of implementation in the short term.

Third-Party Webhook Extensions

Several third-party extensions add webhook capabilities to Magento 2:

  • Mageplaza Webhook extension
  • Wizkunde Magento 2 Webhooks

Events That Can Be Subscribed To

With third-party extensions like Mageplaza Webhook, you can typically subscribe to events such as:

  • New Order/Invoice/Shipment/Credit Memo
  • New Order Comment
  • New/Update/Delete Customer
  • New/Update/Delete Product
  • New/Update/Delete Category
  • Customer Login
  • Abandoned Cart

How Webhooks Work in Magento 2

  • Webhooks allow sending API requests to configurable destinations (URLs) when specific events occur.
  • They use an event-based output mechanism, as opposed to the request-based mechanism of APIs.
  • Webhooks can be used to automate tasks, trigger notifications, and update external systems in real-time.

Implementing Webhooks

  • Webhooks can be implemented by registering observers for specific events.
  • The observer can then send an HTTP request to a remote endpoint when the event occurs.
  • Ideally, webhook calls should be performed asynchronously to avoid slowing down the main processing flow.

Best Practices

  • Use webhooks for small tasks and requests that don't require frequent updates.
  • Configure error notifications and logging for webhook requests.
  • Consider using webhooks in combination with Magento's native API capabilities for more complex integrations.

In summary, while Magento 2 does not have built-in webhook functionality, third-party extensions can add this capability, allowing you to subscribe to various store events and automate interactions with external systems.

Rate Limits and other limitations

Here are the key points about API rate limits in Magento 2:

Default Rate Limiting

  • By default, Magento 2 does not have built-in API rate limiting.

  • However, Magento 2 does provide some built-in input limiting capabilities that can help mitigate denial-of-service vulnerabilities:

    • REST requests containing lists of entities are limited to 20 items for synchronous requests and 5,000 for asynchronous requests (when enabled)

    • Paginated REST and GraphQL queries are limited to 300 items per page (when enabled)

    • Paginated REST queries have a default of 20 items per page (when enabled)

  • These input limits are disabled by default but can be enabled via the Admin, CLI commands, env.php file, or environment variables.

Configuring Custom Rate Limits

  • Developers can set custom input limits for specific REST endpoints in the webapi.xml or webapi_async.xml files.

  • Global default limits for REST endpoints can be configured in the env.php file.

  • As of Magento 2.4.7, rate limiting can be configured specifically for payment-related API calls to prevent carding attacks.

Rate Limiting Configuration

Rate limiting for order placement can be configured with the following parameters:

  • sales/backpressure/enabled - Enable/disable rate limiting
  • sales/backpressure/guest_limit - Request limit per guest
  • sales/backpressure/limit - Request limit per authenticated customer
  • sales/backpressure/period - Time period in seconds for the limits
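How the four settings interact can be seen in a small model. This is an added example, not Magento's own code: it uses a simplified fixed-window counter, an in-memory dict standing in for a shared store such as Redis, and constructed limit values and identities.

```python
from dataclasses import dataclass, field


@dataclass
class BackpressureConfig:
    # Field names mirror the sales/backpressure/* settings listed above.
    # The values are constructed for this example, not Magento defaults.
    enabled: bool = True
    guest_limit: int = 3   # requests per guest per period
    limit: int = 5         # requests per authenticated customer per period
    period: int = 60       # window length in seconds


@dataclass
class OrderRateLimiter:
    config: BackpressureConfig
    # In-memory stand-in for a shared store such as Redis.
    counters: dict = field(default_factory=dict)
    rejected: dict = field(default_factory=dict)  # identity -> rejected count

    def allow(self, identity: str, is_guest: bool, now: float) -> bool:
        """Return True if this order-placement request is within the limit."""
        if not self.config.enabled:
            return True
        limit = self.config.guest_limit if is_guest else self.config.limit
        window = int(now // self.config.period)
        # Drop counters from earlier windows (a Redis key would simply expire).
        # Assumes timestamps arrive in non-decreasing order.
        self.counters = {k: v for k, v in self.counters.items() if k[2] == window}
        key = ("guest" if is_guest else "customer", identity, window)
        if self.counters.get(key, 0) >= limit:
            self.rejected[identity] = self.rejected.get(identity, 0) + 1
            return False
        self.counters[key] = self.counters.get(key, 0) + 1
        return True


def replay(limiter: OrderRateLimiter, events) -> list:
    """events: iterable of (timestamp, identity, is_guest) tuples."""
    return [limiter.allow(ident, guest, ts) for ts, ident, guest in events]


if __name__ == "__main__":
    limiter = OrderRateLimiter(BackpressureConfig())
    # Constructed traffic: one guest address submits five orders in 8 seconds.
    burst = [(t, "203.0.113.7", True) for t in (0, 2, 4, 6, 8)]
    print(replay(limiter, burst))
    print(limiter.rejected)
```

The `rejected` map is the part worth exporting to monitoring: a guest identity that keeps hitting the limit on order placement is the pattern the carding protection is meant to surface.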

Best Practices

  • While Magento doesn't have built-in rate limiting, it's recommended to implement rate limiting using third-party tools or web server configurations for API security.

  • Configure appropriate limits based on your specific use case and traffic patterns.

  • Use Redis or AWS ElastiCache to store rate limiting data.

  • Regularly monitor API usage and adjust limits as needed.

In summary, while Magento 2 doesn't have comprehensive built-in rate limiting, it does provide some input limiting capabilities and allows for custom configuration of rate limits, especially for critical operations like payments. For more robust API rate limiting, third-party solutions are recommended.

Latest API Version

Here is the most up-to-date information about the latest version of the Magento 2 API:

The most recent version of Magento 2 is 2.4.7, which was released on April 9, 2024 [1]. This version includes several key updates and enhancements to the Magento platform, including improvements to the API.

Key points to consider:

  1. Magento 2.4.7 introduces support for PHP 8.3, while maintaining compatibility with PHP 8.2 [5].

  2. The release includes updates to various platform components, including:

    • RabbitMQ 3.13 support
    • Composer 2.7.x compatibility
    • Varnish Cache 7.4 support
    • Elasticsearch 8.11 compatibility
    • OpenSearch 2.12 and 1.3 support
    • Redis 7.2 support [5]
  3. The release enhances GraphQL capabilities, including increased coverage for custom attributes and improvements to GraphQL resolver caches [5].

  4. New REST endpoints have been introduced to address limitations in the REST API GET and POST V1/products/attributes, providing more flexibility in attribute management [1].

  5. Security improvements include integration of security fixes from previous patch releases and additional Admin panel protection methods [1].

While the cited sources don't explicitly mention API version numbers, it's important to note that Magento's API typically evolves with each major release. The improvements and updates in Magento 2.4.7 likely include enhancements to the API, particularly in areas such as GraphQL and REST endpoints.

For developers working with the Magento 2 API, it's recommended to refer to the official Magento 2.4.7 documentation for the most accurate and detailed information about API changes and improvements in this latest version.

How to get a Magento 2 developer account and API Keys?

Here's how you can get a developer account for Magento 2 to create an API integration:

Key Steps

  1. Set up a Magento 2 installation:

    • You'll need access to a Magento 2 admin panel, either on a live site or a local development environment.
  2. Create an Integration in the Magento 2 admin:

    • Go to System > Extensions > Integrations
    • Click "Add New Integration"
  3. Configure the Integration:

    • Enter a Name, Email Address, and your admin Password
    • Under "Available APIs", select "Custom" and choose the necessary API resources (e.g. Sales, Carts)
  4. Activate the Integration:

    • Save the integration
    • Click "Activate" on the Integrations page
    • Click "Allow" to confirm access to the selected resources
  5. Obtain API Credentials:

    • You'll receive four credentials: Consumer Key, Consumer Secret, Access Token, and Access Token Secret

Key Considerations

  • Your Magento 2 server must be publicly accessible or whitelist the IPs that will be making API requests.

  • The integration credentials give access to your Magento 2 store's data, so keep them secure.

  • You can create multiple integrations with different access levels for various purposes.
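The four credentials from step 5 are an OAuth 1.0a set: the key and token identify the integration, while the two secrets only ever sign requests. The following added example (not code from the original guide or from Magento) loads them from hypothetical environment variables instead of source code and builds a signed `Authorization` header; the `MAGENTO_*` variable names and the use of `HMAC-SHA256` as the signature method are assumptions.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import quote

# Hypothetical environment variable names, one per credential from step 5.
CRED_VARS = ("MAGENTO_CONSUMER_KEY", "MAGENTO_CONSUMER_SECRET",
             "MAGENTO_ACCESS_TOKEN", "MAGENTO_ACCESS_TOKEN_SECRET")


def pct(value) -> str:
    """Percent-encode as OAuth 1.0a requires (only unreserved chars kept)."""
    return quote(str(value), safe="-._~")


def load_credentials(env=os.environ) -> dict:
    """Read the four credentials from the environment; fail if any is unset."""
    missing = [name for name in CRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return {name: env[name] for name in CRED_VARS}


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded base URL & encoded, sorted parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def authorization_header(method, url, creds, nonce, timestamp, query=None):
    """Build the header; `url` excludes the query string, passed as `query`."""
    oauth = {
        "oauth_consumer_key": creds["MAGENTO_CONSUMER_KEY"],
        "oauth_token": creds["MAGENTO_ACCESS_TOKEN"],
        "oauth_signature_method": "HMAC-SHA256",  # assumed accepted by the store
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**(query or {}), **oauth})
    # The two secrets form the HMAC key and are never sent in the request.
    key = pct(creds["MAGENTO_CONSUMER_SECRET"]) + "&" + pct(creds["MAGENTO_ACCESS_TOKEN_SECRET"])
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha256).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))
```

In real use the caller supplies a fresh random nonce (for example `secrets.token_hex(16)`) and the current Unix time for every request, so a captured header cannot simply be replayed.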

What can you do with the Magento 2 API?

Here are the key data models you can interact with using the Magento 2 API, along with what is possible for each:

Products

  • Create, read, update, and delete product data
  • Manage product attributes and custom attributes
  • Update product inventory and pricing
  • Handle product categories

Customers

  • Create, read, update, and delete customer data
  • Manage customer accounts and authentication
  • Access customer order history

Orders

  • Create, read, update, and delete order data
  • Manage order statuses and processing
  • Handle invoices, shipments, and refunds

Cart/Checkout

  • Create and manage shopping carts
  • Process checkout and payments

Catalog

  • Manage product categories
  • Handle product attributes and attribute sets

Inventory

  • Update product stock levels
  • Manage multi-source inventory

CMS

  • Create and manage CMS pages and blocks

Store Configuration

  • Access and update store configuration settings

Custom Entities

  • Create custom API endpoints for custom modules and entities
  • Extend existing APIs to add custom functionality

Key Points:

  • Magento 2 API supports REST, SOAP, and GraphQL protocols
  • APIs can be used for real-time integrations with third-party systems like ERP, CRM, PIM, etc.
  • Custom APIs can be created to meet specific business requirements
  • The API allows for scalability and flexibility in managing e-commerce operations
  • Proper authentication and security measures should be implemented when using the API

Magento 2's API provides extensive capabilities for interacting with various aspects of the e-commerce platform, allowing for seamless integrations, custom development, and efficient management of store data and operations.