-

name: 4.2.0

support:

2.3.0: compatible

2.3.1: compatible

2.3.2: compatible

2.3.3: compatible

2.3.4: compatible

2.3.5-p1: compatible

2.4.0: supported

- label: Security.txt

url: /security/security-txt.html

exclude_versions: ["2.3"]

- label: Magento B2B Release Notes

url: /release-notes/b2b-release-notes.html

If you authenticate to a project with multi-factor authentication (MFA) enabled, you might receive the following error when connecting to other projects that do not require MFA:

```bash

ssh [email protected]

[email protected]: Permission denied (publickey).

```

During the SSH certificate generation, the Magento Cloud CLI adds an additional SSH key to your local environment. That key will be used by default if your local SSH configuration does not include the SSH key for project access.

{:.procedure}

To add your SSH key to the local configuration:

1. Create the `config` file if it does not exists.

```bash

touch ~/.ssh/config

```

1. Add an `IdentityFile` configuration.

```yaml

{:.bs-callout-info}

You can specify multiple SSH keys by adding multiple `IdentityFile` entries to your configuration.

1. Reload your SSH configuration to apply the changes.

```bash

1. Run the following command to to ensure the service is listening on VM:

```bash

netstat -na |grep <port>

```

1. Run the following command to check the packages flow:

```bash

tcpdump -i <ethernet interface> -tt -nn port <destination port> and host <source host>

```

Check the following internal settings to ensure that the configuration is valid:

- Endpoint and endpoint services settings

- NLB settings

- The target groups in NLB and verify they are healthy

- The netcat/curl endpoint URL from each VM ( listed above)

- A Network Load Balancer (NLB)

.container > .feature > ul > li > img.img-icon {

margin-top: -4px;

}

Amazon Sales Channel versions 4.0.0 and 4.1.0 are only supported for Magento 2.3.x versions.<br/>Amazon Sales Channel version 4.2.0 is compatible with Magento 2.3.x versions but is only supported for Magento 2.4.x versions.

Amazon Sales Channel 4.2.0 is compatible with versions 2.3.x but only supported for versions 2.4.x of {{site.data.var.ce}}, {{site.data.var.ee}}, and {{site.data.var.ece}}. If you have a previous Amazon Sales Channel version installed and attempt to update your Magento to version 2.4.0, you will be prompted to update the extension before you can complete the Magento update.

This version of Amazon Sales Channel includes a new feature along with improvements and fixes.

- {:.new}Amazon Sales Channel has been enhanced to accept text-based address data and match it to standardized address formats, including city, state, and zip code. This enables order and shipping data to synchronize (sync) with Amazon without address errors.<br/>For example, a shopper inputs the city, state, zip code as `Escondido, californiA 92025-1501`. Amazon Sales Channel imports and matches the data to the standard format as `Escondido, CA 92025`, and then syncs it back to Amazon in this standardized format.

- {:.new}Added support for PHP 7.4.

- {:.new}<!--CHAN-4334-->Added support for Magento 2.4.x. Previous versions may be compatible with Magento 2.4.x, but are not supported. See [Upcoming releases](https://devdocs.magento.com/release/) for version compatibility. Amazon Sales Channel must be updated to 4.2.0 before the Magento 2.4.0 update can be completed.

- {:.fix}<!--CHAN-4431-->Corrected an issue that caused an _Access Denied_ error for UK customers.

- {:.fix}<!--CHAN-4394-->Corrected an issue that prevented the Amazon shipping status from syncing to the corresponding Magento order, thus “locking” the order’s shipping status as `Pending` in Magento and `Unshipped` in Amazon. With the new standardized address feature, these shipping status errors have been resolved.

- {:.fix}<!--ticket#-->Updated order synchronization (sync) to ignore failed order imports, thus reducing multiple sync attempts and allowing subsequent imports to process, with order sync requests submitted every 5 minutes. Sync errors are still recorded in the error log, but marked as "processed" to allow further logging functions. Also, Amazon Sales Channel now automatically removes excess data collected for orders that fail to create in Magento.

- {:.fix}Updated error logging to collect more information for uncaught exception and extension update errors.

- {:.fix}<!--ticket#-->Corrected an issue that caused the initial sync of the _lowest price_ data to fail due to a missing _price_ value.

- {:.fix}<!--CHAN-4410-->Corrected issues that caused filtering errors in the _Amazon orders_ view when the date range field is left blank.

- {:.fix}<!--CHAN-4439-->Corrected an issue that caused quantity-related stock and fulfillment sync errors. The extension now rounds down quantity values entered as a decimal before syncing with Amazon.<br/> For example, when a merchant manually inputs a quantity of `2.5`, the extension rounds down the value to `2` and then syncs the updated quantity with Amazon.

Amazon Sales Channel 4.0.0 is not supported for Magento 2.3.5. For support with Magento 2.3.5, upgrade to Amazon Sales Channel 4.1.0.

Magento does not provide a GraphQL mutation that generates an admin token. You must use the `POST /V1/integration/admin/token` REST endpoint instead. [Generate the admin token]({{page.baseurl}}/rest/tutorials/prerequisite-tasks/create-admin-token.html) shows how to use this endpoint.

`Authorization Bearer: <authorization_token>` | An admin token. Use the `POST /V1/integration/admin/token` REST endpoint to generate this token.

group: web-api

title: Token-based authentication

functional_areas:

- Integration

To make a web [API](https://glossary.magento.com/api) call from a client such as a mobile application, you must supply an *access token* on the call. The token acts like an electronic key that lets you access the API.

Magento issues the following types of access tokens:

Token type | Description | Default lifetime

--- | --- | ---

Integration | The merchant determines which Magento resources the integration has access to. | Indefinite. It lasts until it is manually revoked.

Admin | The merchant determines which Magento resources an admin user has access to. | 4 hours

Customer | Magento grants access to resources with the `anonymous` or `self` permission. Merchants cannot edit these settings. | 1 hour

When a merchant creates and activates an integration, Magento generates a consumer key, consumer secret, access token, and access token secret. All of these entities are used for [OAuth-based authentication]({{ page.baseurl }}/get-started/authentication/gs-authentication-oauth.html), but token-based authentication requires only the access token.

Use the following steps to generate an access token:

1. Log in to Admin and click **System** > **Extensions** > **Integrations** to display the Integrations page.

1. Click **Add New Integration** to display the New Integration page.

1. Enter a unique name for the integration in the **Name** field. Then enter your admin password in the **Your Password** field. Leave all other fields blank.

1. Click the API tab. Select the Magento resources the integration can access. You can select all resources, or select a custom list.

1. Click **Save** to save your changes and return to the Integrations page.

1. Click the **Activate** link in the grid that corresponds to the newly-created integration.

1. Click **Allow** . A dialog similar to the following displays:


The access token can be used in all calls made on behalf of the integration.

Magento provides a separate token service for administrators and customers. When you request a token from one of these services, the service returns a unique access token in exchange for the username and password for a Magento account.

The Magento web API framework allows *guest users* to access resources that are configured with the permission level of anonymous. Guest users are users who the framework cannot authenticate through existing authentication mechanisms. As a guest user, you do not need to, but you can, specify a token in a web API call for a resource with anonymous permission. [Restricting access to anonymous web APIs]({{ page.baseurl }}/rest/anonymous-api-security.html) contains a list of APIs that do not require a token.

The following table lists endpoints and services that can be used to get an authentication token. Some 2FA providers may require multiple calls.

Token type |REST| SOAP

---|---|---

Admin with Google Authenticator | `POST /V1/tfa/provider/google/authenticate` | `twoFactorAuthGoogleAuthenticateV1`

Admin with Duo Security | `POST /V1/tfa/provider/duo-security/authenticate` | `twoFactorAuthDuoAuthenticateV1`

Admin with Authy | `POST /V1/tfa/provider/authy/authenticate` | `twoFactorAuthAuthyAuthenticateV1`

Admin with U2F | `POST /V1/tfa/provider/u2fkey/verify` | `twoFactorAuthU2fKeyAuthenticateV1`

Customer | `POST /V1/integration/customer/token` | `integrationCustomerTokenServiceV1`

For most [web API](https://glossary.magento.com/web-api) calls, you supply this token in the `Authorization` request header with the `Bearer` HTTP [authorization](https://glossary.magento.com/authorization) scheme to prove your identity. By default, an admin token is valid for 4 hours, while a customer token is valid for 1 hour. You can change these values from Admin by selecting **Stores** > **Settings** > **Configuration** > **Services** > **OAuth** > **Access Token Expiration**.

A cron job that runs hourly removes all expired tokens.

A access token request contains three basic elements:

Component | Specifies

--- | ---

Endpoint | A combination of the _server_ that fulfills the request, the web service, and the `resource` against which the request is being made.<br/><br/>For example, in the `POST <host>/rest/<store_code>/V1/integration/customer/token` endpoint:<br/>The server is `magento.host/index.php/`,<br/> the web service is `rest`.<br/> and the resource is `/V1/integration/customer/token`.

Content type | The content type of the request body. Set this value to either `"Content-Type:application/json"` or `"Content-Type:application/xml"`.

Credentials | The username and password for a Magento account.<br/><br/>To specify these credentials in a JSON request body, include code similar to the following in the call: <br/><br/>`{"username":"<USER-NAME>;", "password":"<PASSWORD>"}`<br/><br/>To specify these credentials in XML, include code similar to the following in the call:<br/><br/>`<login><username>customer1</username><password>customer1pw</password></login>`

The following image shows a token request for the [admin](https://glossary.magento.com/admin) account using a REST client:


The following example uses the `curl` command to request a token for a customer account:

curl -X POST "https://magento.host/index.php/rest/V1/integration/customer/token" \

-H "Content-Type:application/json" \

-d '{"username":"[email protected]", "password":"customer_password"}'

The following example makes the same request with [XML](https://glossary.magento.com/xml) for a customer account token:

curl -X POST "http://magento.vg/index.php/rest/V1/integration/customer/token" \

-H "Content-Type:application/xml" \

-d "<login><username>customer1</username><password>customer1pw</password></login>"

For more information about the `curl` command, see [Use cURL to run the request]({{ page.baseurl }}/get-started/gs-curl.html)

A successful request returns a response body with the token, as follows:

Any web API call that accesses a resource that requires a permission level higher than anonymous must contain the authentication token in the header To do this, specify a HTTP header in the following format:

Admins can access any resources for which they are authorized.

For example, to make a web API call with an admin token:

Customers can access only resources with `self` permissions.

For example, to make a web API call with a customer token:

{:.ref-header}

Related topics

[Construct a request]({{ page.baseurl }}/get-started/gs-web-api-request.html)

[Configure services as web APIs]({{ page.baseurl }}/extension-dev-guide/service-contracts/service-to-web-service.html)

[Restricting access to anonymous web APIs]({{ page.baseurl }}/rest/anonymous-api-security.html)