How to Obtain REST API OAuth Tokens for Magento 1

1. Prerequisites

Admin Account Required: You need an admin account with access to the Magento store dashboard. This account will be used to create the REST roles, users, and OAuth consumers needed for API access.

2. Create a REST Role and User

  1. Add a new REST role: In the Admin panel, go to System > Web Services > REST - Roles. Click Add Admin Role.

  2. Name and permissions: Enter a role name (e.g. “API Admin”) under Role Info. In the Role API Resources tab, set Resource Access to All (or select “Custom” and check only the needed boxes under “Products” for safety). Click Save Role.

  3. Assign the REST role to a user: Go to System > Permissions > Users and select (or create) the admin user account that your integration will use. On the User edit page, click the REST Role tab. Select the REST role you just created and click Save User. This links the API permissions to that user. (If you need a dedicated user, first click Add New User, fill in details and give it an existing admin role, then assign the REST role as above.)

3. Register a New OAuth Consumer

  1. Open Consumers page: In Admin go to System > Web Services > REST - OAuth Consumers.

  2. Add new consumer: Click Add New. In the “New Consumer” form, enter a descriptive Name for your app (e.g. “My Catalog App”). You can leave Callback URL empty if your app does not use a web callback (or specify one for OAuth flow).

  3. Save and copy keys: Click Save. Magento will generate a Consumer Key and Consumer Secret on this page (both are shown after saving). Copy these values and keep them confidential. They identify your third‑party application to Magento. (For reference, the figure above shows the “New Consumer” screen with key/secret.)

4. Authorize the Consumer and Get Tokens

  1. Request Token: Make a POST request to https://<your-magento>/oauth/initiate, signed with your consumer key and secret and including an oauth_callback URL. Magento will return a temporary request token and token secret.

    Note: You can use the provided magento1_oauth_obtain.sh script to automate this step. Edit the script to add your Magento host, Consumer Key, and Consumer Secret, then run it to obtain the request token and token secret.

  2. Authorize: Direct an admin user (or simulate browser login) to https://<your-magento>/admin/oauth_authorize?oauth_token=<request_token>. The admin will log in (if not already) and click Allow to authorize your consumer. Magento then redirects back to your callback URL. Important: You need to grab the oauth_verifier parameter from this callback URL - this is the main reason to specify a dummy callback URL that points to localhost, so you can see and extract this parameter.

  3. Access Token: Exchange the request token for an access token by POSTing to https://<your-magento>/oauth/token with the oauth_verifier obtained. Magento responds with the final Access Token and Access Token Secret.

    Note: You can use the provided magento1_oauth_token.sh script to automate this step. Edit the script with your Magento host, Consumer Key, Consumer Secret, Request Token, Request Token Secret, and OAuth Verifier (obtained from the previous authorization step), then run it to get your final Access Token and Access Token Secret.

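  4. Store the tokens: You now have four credential strings: Consumer Key, Consumer Secret, Access Token, and Access Token Secret. These are used together for all API calls. Save them, and keep them as confidential as the consumer key and secret: together they grant API access with the permissions of the REST role assigned to the chosen user.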

(After the above flow, your integration has a long‑lived Access Token on behalf of the chosen user.)
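The signing behind steps 1 and 3, as an added example (not the contents of magento1_oauth_obtain.sh or magento1_oauth_token.sh): it builds the OAuth 1.0a Authorization header for /oauth/initiate and /oauth/token. It assumes the HMAC-SHA1 signature method from RFC 5849 and endpoint URLs without a query string; the host, keys, tokens and function names are placeholders chosen here.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unescaped
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Sort the encoded parameters, join them, then encode the joined string again
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Key is "consumer_secret&token_secret"; the token secret is empty for /oauth/initiate
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def auth_header(method, url, consumer_key, consumer_secret, extra,
                token_secret="", nonce=None, timestamp=None):
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),      # unique per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
        **extra,
    }
    # The secrets are used only as the HMAC key; they never appear in the header
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))

if __name__ == "__main__":
    host = "https://magento.example"  # placeholder host, not a real store
    # Step 1: request token, signed with the consumer secret only
    print(auth_header("POST", host + "/oauth/initiate", "CONSUMER_KEY", "CONSUMER_SECRET",
                      {"oauth_callback": "http://localhost/callback"}))
    # Step 3: access token, signed with consumer secret plus request token secret
    print(auth_header("POST", host + "/oauth/token", "CONSUMER_KEY", "CONSUMER_SECRET",
                      {"oauth_token": "REQUEST_TOKEN", "oauth_verifier": "VERIFIER"},
                      token_secret="REQUEST_TOKEN_SECRET"))
```

Send the returned string as the Authorization header of the POST; the same routine, with the access token and its secret in place of the request token, signs later API calls.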

5. Automation Scripts

The repository includes two helper scripts to automate the OAuth token process:

  1. magento1_oauth_obtain.sh - Helps you obtain the initial request token
  2. magento1_oauth_token.sh - Helps you exchange the request token for the final access token

Both scripts require you to edit them first to add your specific credentials and URLs.