group: web-api

title: Construct a request

To configure a web API, developers define some of the elements of each API call in the `<module root dir>/vendor/<vendor-name>/<module-name>/etc/webapi.xml` file, where `<vendor-name>` is your vendor name (for example, `magento`) and `<module-name>` is your module name (which exactly matches its definition in `composer.json`). For example, the web API for the Customer service is defined in the `<magento_root>/vendor/magento/module-customer/etc/webapi.xml` configuration file. Service data interfaces and builders define the required and optional parameters and the return values for the [API](https://glossary.magento.com/api) calls.

The following table and the sections that follow the table describe [web API](https://glossary.magento.com/web-api) call elements:

Element | Specifies

--- | ---

[HTTP verb](#verbs) | The action to perform against the endpoint.

[Endpoint](#endpoints) | A combination of the _server_ that fulfills a request, the web service, and the _resource_ against which the request is being made.

[HTTP headers](#http-headers) | The authentication token, the call request and response formats, and other information.

[Call payload](#payload) | A set of input parameters and attributes that you supply with the request. API operations have both **required** and **optional** inputs. You specify input parameters in the URI and input attributes in a request body. You can specify a JSON- or XML-formatted request body.

Specify one of these HTTP verbs in the request:

* `GET`. Requests transfer of a current representation of the target resource. If you omit the verb, `GET` is the default.

* `PUT`. Requests that the state of the target resource be created or replaced with the state defined by the representation enclosed in the request message payload.

* `POST`. Requests that the origin server accept the representation enclosed in the request as data to be processed by the target resource.

* `DELETE`. Requests that the origin server delete the target resource.

An endpoint is a combination of the _server_ that fulfills a request, the web service, the store code, the resource against which the request is being made, and any template parameters.

For example, in the `http://magento.ll/index.php/rest/default/V1/customerGroups/:id` endpoint, the server is `magento.ll/index.php/`, the web service is `rest`, the resource is `/V1/customerGroups`, and the template parameter is `id`.

A store code can have one of the following values.

* The store's assigned store code.

* `default`. This is the default value when no store code is provided.

* `all`. This value only applies to endpoints defined in the [CMS](https://glossary.magento.com/cms) and Product modules. If this value is specified, the [API](https://glossary.magento.com/api) call affects all of the merchant's stores.

{:.bs-callout-info}

To specify an HTTP header in a cURL command, use the `-H` option.

Specify one or more of the following HTTP headers in your web API calls:

HTTP header | Description | Syntax

--- | --- | ---

`Authorization` | Required, except for calls made on behalf of a guest. Specifies the authentication token that proves you as the owner of a Magento account. You specify the token in the `Authorization` request header with the `Bearer` HTTP authorization scheme. | `Authorization: Bearer <TOKEN>` <br/><br/>`<TOKEN>` is the authentication token returned by the Magento token service. See [Authentication]({{ page.baseurl }}/get-started/authentication/gs-authentication.html).

`Accept` | Optional. Specifies the format of the response body. Default is `JSON`. | `Accept: application/<FORMAT>` <br/><br/>`<FORMAT>` is either `JSON` or `XML`.

`Content-Type` | Required for operations with a request body. Specifies the format of the request body. | `Content-Type:application/<FORMAT>` <br/><br/>`<FORMAT>` is either `JSON` or `XML`.

`X-Captcha` | A shopper-entered CAPTCHA value. It is required when a shopper enters a CAPTCHA value on the frontend, unless an integration token is provided. Forms requiring CAPTCHA values are configured at **Stores** > **Configuration** > **Customers** > **Customer Configuration** > **CAPTCHA** > **Forms**. | String

The call payload is a set of input <i>parameters</i> and <i>attributes</i> that you supply with the request. API operations have both _required_ and _optional_ inputs.

You specify input parameters in the URI. For example, in the `GET/V1/customers/:customerId` URI, you must specify the `customerId` template parameter. This parameter filters the response by the specified customer ID.

You specify input attributes in a JSON- or XML-formatted request body. For example, in the `POST /V1/customers` call, you must specify a request body like this:

{

"customer": {

"email": "[email protected]",

"firstname": "John",

"lastname": "Doe"

},

"addresses": [

{

"defaultShipping": true,

"defaultBilling": true,

"firstname": "John",

"lastname": "Doe",

"region": {

"regionCode": "CA",

"region": "California",

"regionId": 12

},

"postcode": "90001",

"street": ["Zoe Ave"],

"city": "Los Angeles",

"telephone": "555-000-00-00",

"countryId": "US"

}

]

}

This JSON-formatted request body includes a `customer` object with the customer email, first name, and last name, and customer address information. The information in this request body is used to populate the new customer account.

This example shows you how to construct a REST web API call to create an account.

1. Open the [Magento/Customer/etc/webapi.xml]({{ site.mage2bloburl }}/{{ page.guide_version }}/app/code/Magento/Customer/etc/webapi.xml)

1. Find the route element that defines the `createAccount` call:

```xml

<route url="/V1/customers" method="POST">

<service class="Magento\Customer\Api\AccountManagementInterface" method="createAccount"/>

<resources>

<resource ref="anonymous"/>

</resources>

</route>

```

1. Use the <code>method</code> and `url` values on the `route` element to construct the URI. In this example, the URI is POST `/V1/customers`.

1. Use the `class` attribute on the `service` element to identify the service interface. In this example, the service interface is the `AccountManagementInterface` [PHP](https://glossary.magento.com/php) file.

Open the [AccountManagementInterface.php]({{ site.mage2bloburl }}/{{ page.guide_version }}/app/code/Magento/Customer/Api/AccountManagementInterface.php) file and find the <code>createAccount</code> method, as follows:

```php?start_inline=1

```

1. Open the [Magento/Customer/etc/webapi.xml]({{ site.mage2bloburl }}/{{ page.guide_version }}/app/code/Magento/Customer/etc/webapi.xml) configuration file and find the [CustomerRepositoryInterface]({{ site.mage2bloburl }}/{{ page.guide_version }}/app/code/Magento/Customer/Api/CustomerRepositoryInterface.php) interface with the `getList` method.

1. Set the headers, URI and method to a request object. Use URI `/V1/customers/search` and method `GET` values. Use the `searchCriteria` parameter to complete the Customer Search query. See [searchCriteria usage]({{ page.baseurl }}/rest/performing-searches.html).

The following example finds customers whose first name contains "ver" or whose last name contains "Costello".

```php?start_inline=1

```

This request returns a list of all customers in JSON format, as shown below. You can also specify XML format by changing <code>Accept</code> header of the request.

{

"items": [

{

"id": 1,

"group_id": 1,

"default_billing": "1",

"default_shipping": "1",

"created_at": "2017-12-05 09:50:11",

"updated_at": "2018-09-22 06:32:50",

"created_in": "Default Store View",

"dob": "1973-12-15",

"email": "[email protected]",

"firstname": "Veronica",

"lastname": "Costello",

"gender": 2,

"store_id": 1,

"website_id": 1,

"addresses": [

{

"id": 1,

"customer_id": 1,

"region": {

"region_code": "MI",

"region": "Michigan",

"region_id": 33

},

"region_id": 33,

"country_id": "US",

"street": [

"6146 Honey Bluff Parkway"

],

"telephone": "(555) 229-3326",

"postcode": "49628-7978",

"city": "Calder",

"firstname": "Veronica",

"lastname": "Costello",

"default_shipping": true,

"default_billing": true

},

{

"id": 19,

"customer_id": 1,

"region": {

"region_code": "London ",

"region": "London ",

"region_id": 0

},

"region_id": 0,

"country_id": "GB",

"street": [

"1 Studio 103 The Business Centre 61"

],

"telephone": "1234567890",

"postcode": "CF24 3DG",

"city": "Tottenham ",

"firstname": "Veronica",

"lastname": "Costello"

}

],

"disable_auto_group_change": 0

}

],

"search_criteria": {

"filter_groups": [

{

"filters": [

{

"field": "firstname",

"value": "%ver%",

"condition_type": "like"

}

]

}

]

},

"total_count": 1

}

{:.ref-header}

Related topics

Run the web API call through a [cURL command]({{ page.baseurl }}/get-started/gs-curl.html) or a REST client.

group: graphql

title: Protected mutations

If CAPTCHA is enabled on pages requiring shopper input, then in most cases, the corresponding mutations that send requests to the Magento server must include the shopper's CAPTCHA response. Supply the shopper's response in the HTTP `X-Captcha` header. The exception to this policy is that you do not send the CAPTCHA response if you specify an integration authorization token in the header of the mutation.

The following table lists the forms that can be configured to require CAPTCHA. Go to **Stores** > **Configuration** > **Customers** > **Customer Configuration** > **CAPTCHA** > **Forms** to enable or disable CAPTCHA on these forms.

Form name | Mutation

--- | ---

Add Gift Card Code | `applyGiftCardToCart`

Applying Coupon Code | `applyCouponToCart`

Change password | `changeCustomerPassword`

Checkout/Placing Order | `setPaymentMethodOnCart`, `setPaymentMethodAndPlaceOrder`

Contact Us | Not applicable

Create company | Not applicable

Create user | `createCustomer`

Forgot password | Not applicable

Login | `generateCustomerToken`

Payflow Pro | `setPaymentMethodOnCart`, `setPaymentMethodAndPlaceOrder`

Send to Friend Form | `sendEmailToFriend`

Share Wishlist Form | Not applicable

{:.ref-header}

Related topics

[Construct a request]({{page.baseurl}}/get-started/gs-web-api-request.html)

group: graphql

title: GraphQL requests

Magento GraphQL supports the HTTP GET and POST methods. You can send a query as a GET or POST request. Mutations must be POST requests. You can optionally send a GET query request in a URL. In these requests, you must specify `query` as the query string. You might need to encode the query, as shown below:

The previous example is equivalent to the following query. You could send the query as either a GET or POST request.

**Request:**

{

products(

filter: { sku: { eq: "24-WB01" } }

) {

items {

name

sku

}

}

}

**Response:**

{

"data": {

"products": {

"items": [

{

"name": "Voyage Yoga Bag",

"sku": "24-WB01"

}

]

}

}

}

Some queries sent as a GET request can be cached. See [GraphQL caching]({{page.baseurl}}/graphql/caching.html) for more information.

Magento accepts the following headers in a GraphQL request:

Header name | Value | Description

--- | --- | ---

`Authorization` | `Bearer <authorization_token>` | A customer or admin token. [Authorization tokens]({{page.baseurl}}/graphql/authorization-tokens.html) describes how to generate tokens.

`Content-Currency` | A valid currency code, such as `USD` | This header is required only if the currency is not the store view's default currency.

`Content-Type` | `application/json` | Required for all requests.

`Preview-Version` | A timestamp (seconds since January 1, 1970). | Use this header to query products, categories, price rules, and other entities that are scheduled to be in a campaign (staged content). Staging is supported in {{site.data.var.ee}} only.

`Store` | `<store_view_code>` | The store view code on which to perform the request. The value can be `default` or the code that is defined when a store view is created.

`X-Captcha` | Shopper-entered CAPTCHA value | Required when a shopper enters a CAPTCHA value on the frontend, unless an integration token is provided. Forms requiring CAPTCHA values are configured at **Stores** > **Configuration** > **Customers** > **Customer Configuration** > **CAPTCHA** > **Forms**.

GraphQL browsers, such as GraphiQL, allow you to enter a set of header name/value pairs. The following example shows an example customer authorization token and content type headers.


Use the curl command with a separate `-H` argument to specify each request header. The following example uses the same request headers as those used in the GraphQL browser.

curl 'http://magento.config/graphql' -H 'Authorization: Bearer hoyz7k697ubv5hcpq92yrtx39i7x10um' -H 'Content-Type: application/json' --data-binary '{"query":"query {\n customer {\n firstname\n lastname\n email\n }\n}"}'