Every call Bolt makes against your Magento 2 store carries an OAuth Bearer token. This page describes how the token is established, how it’s used, and how to rotate it.
Token Establishment
When you install the Bolt plugin and click Create and send API keys to Bolt in the plugin admin, the plugin:
- Provisions a Magento integration with the resource scope required by Bolt (cart, order, sales rule, product, plus the Bolt plugin’s custom resources).
- Authorizes the integration and exchanges credentials for an OAuth access token.
- Posts the token to Bolt over a TLS channel.
Bolt stores the token encrypted in its merchant credential vault and uses it for all subsequent backend → Magento calls. There is no per-request token exchange; the token persists until rotated.
For setup details see Set Up Bolt → Step 2.
Per-Request Authentication
Every Bolt → Magento HTTP request includes:
```http
Authorization: Bearer <oauth_access_token>
Content-Type: application/json
Accept: application/json
```
This applies uniformly to:
- Standard Magento REST endpoints (`/V1/carts/...`, `/V1/orders/...`, etc.)
- Custom Bolt plugin endpoints (`/V1/bolt/boltpay/...`)
- Third-party bridge endpoints
No additional integration token, session cookie, or basic-auth credential is used.
Token Rotation
Rotate the token any time you suspect compromise or as part of routine credential hygiene:
- In Magento Admin, navigate to System → Extensions → Integrations and revoke the existing Bolt integration.
- Re-create the integration from the plugin admin (Stores → Configuration → Sales → Payment Methods → Bolt Pay → Advanced Options → Create and send API keys to Bolt).
- Bolt automatically picks up the new token on the next call. No checkout downtime is required.
Old tokens are invalidated immediately on revoke. If a Bolt request fires against a revoked token it returns 401 Unauthorized and Bolt’s backend surfaces a setup-error event in the Merchant Dashboard.
What’s Authorized — Resource Scope
The integration created by the plugin grants the access required for:
- Cart and quote lifecycle (create, fetch, update, delete cart and items)
- Sales rule and coupon validation
- Shipping method estimation and totals
- Order creation, comment writing, and lifecycle reads
- Product, product render info, directory countries, store agreements
- Plugin-exposed resources for Bolt-specific operations
You can review the exact resource list under System → Extensions → Integrations → [Bolt Integration] → Edit → API. Removing required resources will break checkout — add custom integrations instead of editing the Bolt one.
Network Allowlisting
If your Magento store sits behind an IP allowlist or WAF, allow Bolt’s outbound IP ranges. The current ranges are listed in the environment details reference. Bolt requests are TLS-only and originate from these ranges per environment (production, sandbox, staging).
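To check that the allowlist is actually doing its job, the script below audits web-server access logs for requests on Bolt plugin paths that did not originate from an allowed source range. This is an added example, not Bolt's or Magento's own code; the CIDR ranges and log lines are constructed placeholders (documentation addresses, not Bolt's real ranges), so substitute the ranges published in the environment details reference.

```python
"""Audit access logs for Bolt plugin requests from outside the allowed ranges.
Added example, not Bolt's or Magento's own code. BOLT_RANGES and SAMPLE_LOG are
constructed placeholders; take the real ranges from the environment details
reference."""
import ipaddress
import re

# Placeholder ranges per environment (constructed; NOT Bolt's real ranges).
BOLT_RANGES = {
    "production": ["203.0.113.0/24"],
    "sandbox": ["198.51.100.0/25"],
}

# Constructed web-server access-log lines (combined log format).
SAMPLE_LOG = """\
203.0.113.17 - - [01/Jan/2024:10:00:00 +0000] "POST /rest/V1/bolt/boltpay/order/manage HTTP/1.1" 200 512 "-" "Bolt"
198.51.100.9 - - [01/Jan/2024:10:00:01 +0000] "GET /rest/V1/carts/mine HTTP/1.1" 200 220 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:00:02 +0000] "POST /rest/V1/bolt/boltpay/order/manage HTTP/1.1" 401 0 "-" "curl/8.0"
"""

# client IP, request line (method + path) and status code from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def networks_for(env):
    """Parse the configured CIDRs for one environment into ip_network objects."""
    return [ipaddress.ip_network(cidr) for cidr in BOLT_RANGES[env]]


def is_bolt_source(ip, networks):
    """True when the client address falls inside any allowed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit_log(text, env):
    """Return (ip, path, status) for every Bolt plugin request from outside the ranges.

    Only Bolt-specific plugin paths are checked: standard endpoints such as
    /V1/carts are legitimately used by other clients as well."""
    networks = networks_for(env)
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "/V1/bolt/" not in m["path"]:
            continue
        if not is_bolt_source(m["ip"], networks):
            findings.append((m["ip"], m["path"], int(m["status"])))
    return findings


if __name__ == "__main__":
    for ip, path, status in audit_log(SAMPLE_LOG, "production"):
        print(f"non-Bolt source {ip} hit {path} (HTTP {status})")
```

Run it against the environment the store is actually configured for: a plugin path hit from a production range while the store is wired to sandbox shows up as a finding, which is exactly the mismatch you want to notice.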
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| 401 Unauthorized on every Bolt call | Token revoked or rotated outside the plugin flow. | Re-run Create and send API keys to Bolt. |
| Sporadic 403 on `/V1/bolt/boltpay/...` paths | Plugin not installed or plugin version too old. | Install / upgrade the plugin per setup guide. |
| 429 Too Many Requests | Magento rate-limit on the integration token. | Increase the integration’s rate limit, or contact Bolt support if traffic spikes are expected. |
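The following script ties the three earlier sections together: it builds the exact header set from Per-Request Authentication, probes the store with a token, maps the response onto the rows of the troubleshooting table, and verifies a rotation by confirming that the revoked token is rejected while the new one is accepted. It is an added example, not Bolt's or Magento's own code. It assumes the REST base URL (for example `https://shop.example/rest`) and a probe endpoint that is inside the Bolt resource scope and not anonymous; the default `/V1/products?searchCriteria[pageSize]=1` is an assumption on my part, and the `transport` parameter and `fake_transport` are hypothetical hooks so the check can be exercised offline.

```python
"""Token health check for the Bolt -> Magento integration. Added example, not
Bolt's or Magento's own code. The probe path and the injectable `transport`
callable (returns (status, body)) are assumptions made for this example."""
import urllib.error
import urllib.request

# Assumed probe: a GET inside the Bolt scope that is not an anonymous endpoint,
# so a revoked or wrong token produces a 401 rather than a guest response.
DEFAULT_PROBE = "/V1/products?searchCriteria[pageSize]=1"


def bearer_headers(token):
    """Exactly the three headers the page lists for every Bolt -> Magento request."""
    return {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def http_get(url, headers):
    """Real transport: returns (status, body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def fake_transport(url, headers):
    """Constructed offline stand-in for http_get that mimics Magento's answers."""
    token = headers["Authorization"]
    if token == "Bearer good-token":
        return 200, "[]"
    if token == "Bearer revoked-token":
        return 401, '{"message":"Consumer is not authorized"}'
    return 403, ""


def diagnose(status, path):
    """Map a response to the rows of the troubleshooting table."""
    if status == 401:
        return "token revoked or rotated outside the plugin flow: re-run Create and send API keys to Bolt"
    if status == 403 and "/V1/bolt/boltpay/" in path:
        return "plugin not installed or too old: install/upgrade the plugin"
    if status == 429:
        return "integration token rate-limited: raise the limit or contact Bolt support"
    if 200 <= status < 300:
        return "ok"
    return f"unexpected status {status}"


def check_token(base_url, token, path=DEFAULT_PROBE, transport=http_get):
    """Probe the store once with `token`; returns (status, diagnosis)."""
    status, _body = transport(base_url.rstrip("/") + path, bearer_headers(token))
    return status, diagnose(status, path)


def verify_rotation(base_url, old_token, new_token, transport=http_get):
    """After revoke + re-create: old token must get 401, new token must succeed."""
    old_status, _ = check_token(base_url, old_token, transport=transport)
    new_status, _ = check_token(base_url, new_token, transport=transport)
    return old_status == 401 and 200 <= new_status < 300


if __name__ == "__main__":
    base = "https://shop.example/rest"  # placeholder store URL
    print(check_token(base, "good-token", transport=fake_transport))
    print(verify_rotation(base, "revoked-token", "good-token", transport=fake_transport))
```

Pass `transport=http_get` (the default) against a real store to run the live check; a rotation that leaves the old token answering 200 means the revoke in System → Extensions → Integrations did not take effect and should be investigated before the old credential is considered dead.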