Create protected Glue API endpoints

Edit on GitHub

This document describes how to create a protected endpoint for a resource, or a custom-route in storefront and backend API applications.


Integrate authorization into your project. For details, see Authorization protected endpoints integration.

Create protected endpoints

Let’s say you have a module named ModuleRestApi, where you want to have a new protected endpoint /module with GET and POST methods. To create the protected endpoint, follow these steps:

  1. To src/Pyz/Shared/GlueStorefrontApiApplicationAuthorizationConnector/GlueStorefrontApiApplicationAuthorizationConnectorConfig.php, add a route or regular expression for the endpoint:

namespace Pyz\Shared\GlueStorefrontApiApplicationAuthorizationConnector;

use Spryker\Shared\GlueStorefrontApiApplicationAuthorizationConnector\GlueStorefrontApiApplicationAuthorizationConnectorConfig as SprykerGlueStorefrontApiApplicationAuthorizationConnectorConfig;

class GlueStorefrontApiApplicationAuthorizationConnectorConfig extends SprykerGlueStorefrontApiApplicationAuthorizationConnectorConfig
    public function getProtectedPaths(): array
        return [
            // Route added by a full name and provide access for all
            // methods if the token is passed and valid
            '/module' => [
                'isRegularExpression' => false,
            // Route added by regular expression and provide access for
            // methods patch, get if the token is passed and valid
            '/\/module\/.+/' => [
                'isRegularExpression' => true,
                'methods' => [

For backend API, use the appropriate backend-specific class src/Pyz/Shared/GlueBackendApiApplicationAuthorizationConnector/GlueBackendApiApplicationAuthorizationConnectorConfig.php.

  1. Try to access without an access token.
  2. Check that the output contains the 403 response with the Unauthorized request. message.
  3. Access, with a valid access token.