Create protected Glue API endpoints

This document describes how to create a protected endpoint for a resource or a custom route in storefront and backend API applications.

Let’s say you have a module named ModuleRestApi, where you want to have a new protected endpoint /module with GET and POST methods. To create the protected endpoint, follow these steps:

  1. Add a route or regular expression for the endpoint to src/Pyz/Shared/GlueStorefrontApiApplicationAuthorizationConnector/GlueStorefrontApiApplicationAuthorizationConnectorConfig.php:

<?php

namespace Pyz\Shared\GlueStorefrontApiApplicationAuthorizationConnector;

use Spryker\Shared\GlueStorefrontApiApplicationAuthorizationConnector\GlueStorefrontApiApplicationAuthorizationConnectorConfig as SprykerGlueStorefrontApiApplicationAuthorizationConnectorConfig;

class GlueStorefrontApiApplicationAuthorizationConnectorConfig extends SprykerGlueStorefrontApiApplicationAuthorizationConnectorConfig
{
    public function getProtectedPaths(): array
    {
        return [
            // Route added by its full name: access is provided for all
            // methods if the token is passed and valid
            '/module' => [
                'isRegularExpression' => false,
            ],
            // Route added by regular expression: access is provided for the
            // methods patch and get if the token is passed and valid
            '/\/module\/.+/' => [
                'isRegularExpression' => true,
                'methods' => [
                    'patch',
                    'get',
                ],
            ],
        ];
    }
}

For the backend API, use the corresponding backend-specific class: src/Pyz/Shared/GlueBackendApiApplicationAuthorizationConnector/GlueBackendApiApplicationAuthorizationConnectorConfig.php.

  1. Try to access the endpoint without an access token.
  2. Check that the output contains the 403 response with the "Unauthorized request." message.
  3. Access the endpoint with a valid access token.
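
To check which requests the two kinds of entries in getProtectedPaths() cover before testing against a running application, the following added example (not Spryker's code) models the lookup in plain PHP. It assumes that a rule without 'methods' applies to every HTTP method and that a rule with 'methods' applies only to the listed ones. The helper name requiresToken and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added example: a simplified model of a protected-path lookup, not Spryker's code.
// Assumption: a rule without 'methods' covers every HTTP method; a rule with
// 'methods' covers only the methods it lists.

// Same entries as the configuration in step 1.
$protectedPaths = [
    '/module' => ['isRegularExpression' => false],
    '/\/module\/.+/' => ['isRegularExpression' => true, 'methods' => ['patch', 'get']],
];

// Hypothetical helper: true if the request would need a valid access token.
function requiresToken(array $protectedPaths, string $method, string $path): bool
{
    foreach ($protectedPaths as $pattern => $rule) {
        $pathMatches = !empty($rule['isRegularExpression'])
            ? preg_match($pattern, $path) === 1
            : $pattern === $path;
        $methods = array_map('strtolower', $rule['methods'] ?? []);
        $methodMatches = $methods === [] || in_array(strtolower($method), $methods, true);
        if ($pathMatches && $methodMatches) {
            return true;
        }
    }

    return false;
}

// Constructed sample requests covering the edge cases of both rule types.
$requests = [
    ['GET', '/module'],           // exact match
    ['POST', '/module'],          // exact match, no method restriction
    ['PATCH', '/module/42'],      // regex match, listed method
    ['DELETE', '/module/42'],     // regex match, method not listed
    ['GET', '/module/'],          // neither rule: exact differs, ".+" needs a character
    ['GET', '/public/module/1'],  // unanchored regex matches inside a longer path
];

foreach ($requests as [$method, $path]) {
    $verdict = requiresToken($protectedPaths, $method, $path) ? 'token required' : 'not protected';
    printf("%-6s %-18s %s\n", $method, $path, $verdict);
}
```

Replacing $protectedPaths with your own array shows which method and path combinations no rule covers, which is worth confirming against the real application with the steps above.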