Magento 2 REST & GraphQL API Development
Before writing code
Fetch live docs:
- Fetch
https://developer.adobe.com/commerce/webapi/for Web API overview - Fetch
https://developer.adobe.com/commerce/webapi/graphql/develop/for GraphQL development guide - Fetch
https://developer.adobe.com/commerce/webapi/get-started/authentication/gs-authentication-token/for authentication - Web-search
site:developer.adobe.com commerce php development components web-apifor webapi.xml reference
REST API
How It Works
REST endpoints map HTTP methods + URL paths to service contract methods. Defined in etc/webapi.xml.
webapi.xml Structure
Each route defines:
url— endpoint path (e.g.,/V1/custom/items/:id)method— HTTP method (GET, POST, PUT, DELETE)service— class + method implementing the endpointresource— ACL resource for authorization
Path parameters (:id) map to method parameters by name.
Authentication Types
| Type | Header | Use Case |
|---|---|---|
| Admin Token | Authorization: Bearer <token> | Back-office integrations |
| Customer Token | Authorization: Bearer <token> | Customer-facing apps |
| OAuth 1.0a | OAuth headers | Third-party integrations |
| Session | PHP session cookie | Storefront JS widgets |
| Anonymous | resource="anonymous" | Public endpoints |
Swagger/OpenAPI
Available at /rest/<store>/schema — auto-generated from webapi.xml and service contracts.
GraphQL API
How It Works
GraphQL uses a single endpoint (/graphql) with schema files and resolver classes.
Schema Files (schema.graphqls)
Define types, queries, and mutations in etc/schema.graphqls:
- Custom types with fields
- Query definitions mapping to resolver classes
- Mutation definitions with input/output types
- Extend existing types with new fields
Resolver Classes
Implement Magento\Framework\GraphQl\Query\ResolverInterface:
resolve(Field $field, $context, ResolveInfo $info, array $value = null, array $args = null)- Return arrays matching the GraphQL type definition
- Context provides store, customer, and extension attributes
Identity for Cache
Implement Magento\Framework\GraphQl\Query\Resolver\IdentityInterface for full-page cache invalidation of GraphQL responses.
GraphQL Authorization
- Customer context via
Authorization: Bearer <customer-token>header - Admin context not supported in GraphQL (by design — GraphQL is storefront-facing)
- Use
$context->getExtensionAttributes()->getIsCustomer()for auth checks
ACL (Access Control List)
acl.xml
Defines the resource tree for authorization:
- Nested
<resource>elements form a hierarchy - Referenced in
webapi.xmlvia<resource ref="Vendor_Module::resource_name"/> - Special values:
anonymous(no auth),self(customer's own data)
Best Practices
- Always define service contract interfaces first, then expose via webapi.xml
- Use ACL resources for all non-public endpoints
- Prefer GraphQL for storefront/headless, REST for integrations
- Return proper HTTP status codes (200, 201, 400, 401, 403, 404)
- Use SearchCriteria for list endpoints
- Add cache identity classes for GraphQL resolver performance
Fetch the Web API and GraphQL development docs for exact XML schema, resolver signatures, and authentication patterns before implementing.