API Authentication For Customers?

Hi There,

We are trying to allow customers to delete their accounts via the API. I know the API is typically set up for admin privileges. Is there a way to authenticate customers for specific purposes so that they are able to delete their accounts?

Thank you.


You can enable the API for your customers by setting the value of the api_allow_customer tweak to true:

$config['tweaks']['api_allow_customer'] = true;

in the config.local.php file or in its override, local_conf.php.

Then your customers can receive a token by sending a POST request with their login and password to the auth_tokens API entity. For example:


$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => 'http://localhost/api/auth_tokens/',
    CURLOPT_RETURNTRANSFER => true,   // return the body instead of printing it straight away
    CURLOPT_POSTFIELDS => '{"email": "customer@example.com", "password": "customer"}',
    CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
]);

$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);

if ($err) {
    echo 'cURL Error #:' . $err;
} else {
    echo $response;
}

The received token can later be used for authentication. Instead of using the email and API-key pair in basic auth, you will be able to simply send the token in the User field of basic auth.

As for deleting the customer account at his/her own request, you will need to create a separate API entity that makes such an action possible.

Hope it helps.
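The two-step exchange described in the answer above, as an added example that is not part of the original post or of X-Cart's own code: log in once against auth_tokens, then send the returned token as the basic-auth user name on every later call. Everything beyond what the answer states is an assumption and is marked as such in the code: that the auth_tokens response is a JSON object with a "token" key, that the basic-auth password is left empty, and the entity name /customer_account/, which is a placeholder for the separate deletion entity the answer says you must create yourself. The base URL is https rather than the http://localhost of the snippet above on purpose: the token is a bearer credential, so anyone who can read the request can act as the customer.

```php
<?php
// Added example, not from the original thread. Assumptions (adjust to your install):
//   - auth_tokens answers with JSON carrying the token under a "token" key
//   - the token goes in the basic-auth user name, with an empty password
//   - '/customer_account/' is a hypothetical entity you create for self-service deletion
declare(strict_types=1);

const API_BASE = 'https://shop.example.com/api'; // TLS: the token is a bearer credential

/** Send one request to the API and return ['status' => int, 'body' => string]. */
function apiRequest(string $method, string $path, ?string $jsonBody = null, ?string $token = null): array
{
    $opts = [
        CURLOPT_URL            => API_BASE . $path,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($jsonBody !== null) {
        $opts[CURLOPT_POSTFIELDS]   = $jsonBody;
        $opts[CURLOPT_HTTPHEADER][] = 'Content-Type: application/json';
    }
    if ($token !== null) {
        // Token in the "User" field of HTTP basic auth; empty password is an assumption.
        $opts[CURLOPT_HTTPAUTH] = CURLAUTH_BASIC;
        $opts[CURLOPT_USERPWD]  = $token . ':';
    }

    $curl = curl_init();
    curl_setopt_array($curl, $opts);
    $body   = curl_exec($curl);
    $status = (int) curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($curl);
    curl_close($curl);

    if ($body === false) {
        throw new RuntimeException('cURL error: ' . $err);
    }
    return ['status' => $status, 'body' => $body];
}

/** Step 1: exchange the customer's login and password for an API token. */
function obtainCustomerToken(string $email, string $password): string
{
    $resp = apiRequest('POST', '/auth_tokens/', json_encode(['email' => $email, 'password' => $password]));
    if ($resp['status'] < 200 || $resp['status'] >= 300) {
        throw new RuntimeException("Login failed with HTTP {$resp['status']}: {$resp['body']}");
    }
    $data = json_decode($resp['body'], true);
    if (!is_array($data) || empty($data['token'])) {   // "token" key is an assumption
        throw new RuntimeException('No token in response: ' . $resp['body']);
    }
    return (string) $data['token'];
}

// Usage (fill in real customer credentials):
$token = obtainCustomerToken('customer@example.com', 'customer');

// Step 2: later calls carry the token instead of the email/API-key pair.
// '/customer_account/' is hypothetical; the answer says you must add such an entity yourself.
$resp = apiRequest('DELETE', '/customer_account/', null, $token);
echo "HTTP {$resp['status']}\n", $resp['body'], "\n";
```

If step 1 succeeds but step 2 comes back 401, the client is usually not at fault: check first that the token actually reaches PHP on the server side (see the diagnostic further down the thread), since a basic-auth user name that PHP never sees looks exactly like a bad token.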

Thanks very much for the response. I’m still getting an unauthorized error even after following the above steps. We are doing:

  1. Enabled the API for customers by changing api_allow_customer to true in the config
  2. Still getting an unauthorized error when sending a POST request; calling the login API gets a token
  3. We GET a token, but when we try to use that token to submit a request, it gives an unauthorized error

Are we missing anything from the above?

Thank you.


Please check that your server does not truncate the $_SERVER['PHP_AUTH_USER'] variable.
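A way to run the check suggested above, as an added example that is not part of the original reply or of X-Cart's own code. The common cause behind "the token is ignored" is not truncation but the Authorization header never reaching PHP at all: with mod_php, Apache fills PHP_AUTH_USER itself, whereas under CGI/FastCGI (php-fpm and similar) the header is dropped unless the web server forwards it. The script below is placed in the web root and called with the token as the basic-auth user name; it reports whether PHP saw the credentials and, as a fallback, parses the raw Authorization header when the SAPI exposes it under HTTP_AUTHORIZATION. Only the length of the user name is printed so the token never ends up in a log or screenshot.

```php
<?php
// Added diagnostic, not from the original thread. Call it as:
//   curl -u "<token>:" https://shop.example.com/authcheck.php
declare(strict_types=1);

/**
 * Return [user, password] from whatever the SAPI exposed, or null when the
 * credentials never reached PHP. Parsing the raw header is the fallback for
 * CGI/FastCGI setups where PHP_AUTH_USER is not populated.
 */
function basicAuthCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($raw, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($raw, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pw] = explode(':', $decoded, 2);
    return [$user, $pw];
}

header('Content-Type: text/plain');
$creds = basicAuthCredentials($_SERVER);
if ($creds === null) {
    echo 'No basic-auth credentials reached PHP (SAPI: ' . PHP_SAPI . ").\n";
    echo "Forward the Authorization header to PHP or use mod_php.\n";
} else {
    // Print only the length: a truncated token shows up as a shorter user name.
    printf("PHP sees a user name of %d characters (SAPI: %s).\n", strlen($creds[0]), PHP_SAPI);
}
```

If the script reports that nothing reached PHP, on Apache 2.4.13 or later `CGIPassAuth On` in the vhost passes the header through; on older Apache with mod_rewrite the usual rule is `RewriteCond %{HTTP:Authorization} .` followed by `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`, after which the header appears as $_SERVER['HTTP_AUTHORIZATION'] (or REDIRECT_HTTP_AUTHORIZATION) and the fallback branch above picks it up. Remove the diagnostic file once the check is done; it has no place on a production web root.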