How Do I Secure My Magento 2 API Integration with Limited Permissions?

This guide helps you set up your Magento 2 API integration securely by granting only the permissions the VentorTech Magento 2 connector needs. This follows the security principle of least privilege – giving access only to what is absolutely necessary.

Why should I limit API permissions?

Even if your API token is compromised, limiting permissions reduces potential damage:

  • An attacker can only perform operations the token permits

  • They cannot modify Magento settings or manage users

  • Configuration changes and sensitive operations are blocked

  • Your business risk is significantly lower

This is why we recommend Custom resource access instead of “All Resources.”

What are the required permissions for VentorTech Magento 2 connector?

Your integration needs access to these resources and nothing else:

Catalog Section:

  • ☑ Inventory

  • ☑ Inventory → Products → All Products

  • ☑ Inventory → Products → Update Attributes

  • ☑ Inventory → Categories

Sales Section:

  • ☑ Operations → Orders → Actions

    • ☑ View

    • ☑ Edit

    • ☑ Ship

    • ☑ Invoice

    • ☑ Cancel

Customers Section:

  • ☑ All Customers

  • ☑ All Customers → Actions

Do NOT check: Dashboard, Analytics, Reports, Configuration, or any other sections. Do NOT check “All Resources.”

How to review and update permissions?

Step 1: Create or edit your integration

  1. Log in to your Magento 2 admin panel

  2. Go to System → Extensions → Integrations

  3. Click Add New Integration (or click an existing one to edit)

  4. Enter integration name: Odoo Connector

  5. Enter your admin password

  6. Click Save

Step 2: Configure resource access

  1. Click on your integration to edit it

  2. Click the API tab

  3. Select Custom for “Resource Access” (NOT “All”)

  4. Use the checklist above to check only the required permissions

  5. Click Save

Step 3: Enable required Magento settings

  1. Go to Stores → Settings → Configuration → SERVICES → Magento Web API → Web API Security

  2. Set Allow Anonymous Guest Access to Yes

  3. Go to Stores → Settings → Configuration → SERVICES → OAuth → Consumer Settings

  4. Set Allow OAuth Access Tokens to be used as standalone Bearer tokens to Yes

  5. Click Save Config

Step 4: Activate and get your token

  1. Return to System → Extensions → Integrations

  2. Click Activate on your integration

  3. Click Allow to confirm

  4. Copy the Access Token shown

  5. Store it securely in your Odoo connector configuration

Troubleshooting

I’m getting “403 Forbidden” errors

Cause: Your integration is missing a required permission for that specific operation.

Solution: Check which endpoint is failing and verify the corresponding permission is enabled in your integration settings.

For detailed troubleshooting steps, see: I Get “The Consumer Isn’t Authorized to Access %resources” Error in Magento 2 – How to Fix It?
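The 403 check above, and the least-privilege checklist earlier on this page, can be verified from the Odoo side before you go hunting through the admin UI. The following script is an added example, not part of the VentorTech connector: it sends one harmless read request per connector-critical endpoint with the integration token as a Bearer token, reports any required resource that answers 403 ("missing"), and also sends two read requests the connector never needs, which a correctly restricted token should be refused ("excess"). The endpoint-to-ACL-resource mapping and the two negative probes are assumptions taken from Magento's core `webapi.xml` as I understand it; confirm them against your Magento version. The `MAGENTO_URL` and `MAGENTO_TOKEN` environment variables and the `magento.example.test` host are placeholders.

```python
"""Least-privilege probe for a Magento 2 integration token (added example).

Expected outcome for a token configured per the checklist on this page:
every REQUIRED probe returns 200 and every FORBIDDEN probe returns 403.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Magento search endpoints need a searchCriteria; ask for a single record only.
PAGE1 = "?" + urllib.parse.urlencode({"searchCriteria[pageSize]": 1})

# Read-only probes the connector's permission set should ALLOW (expect 200).
# ACL resource names are assumptions based on Magento core webapi.xml.
REQUIRED = [
    ("GET", "/rest/V1/products" + PAGE1, "Magento_Catalog::products"),
    ("GET", "/rest/V1/categories", "Magento_Catalog::categories"),
    ("GET", "/rest/V1/orders" + PAGE1, "Magento_Sales::actions_view"),
    ("GET", "/rest/V1/customers/search" + PAGE1, "Magento_Customer::customer"),
]

# Probes OUTSIDE the checklist; a least-privilege token should get 403.
# (Constructed negative checks; resource names are assumptions.)
FORBIDDEN = [
    ("GET", "/rest/V1/cmsPage/search" + PAGE1, "Magento_Cms::page"),
    ("GET", "/rest/V1/taxRates/search" + PAGE1, "Magento_Tax::manage_tax"),
]


def http_status(base_url, token, method, path):
    """Send one request with the integration token as a Bearer token and
    return the HTTP status code. 403 means the ACL resource is not granted;
    401 means the token itself is invalid or revoked."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        method=method,
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, token, fetch=http_status):
    """Run all probes. `fetch` is injectable so the logic can be exercised
    offline. Returns a report with three lists:
      missing    - required resources the token was denied (fix: tick them)
      excess     - resources granted beyond the checklist (fix: untick them)
      unexpected - (path, status) pairs that were neither 200 nor 403"""
    report = {"missing": [], "excess": [], "unexpected": []}
    for method, path, resource in REQUIRED:
        status = fetch(base_url, token, method, path)
        if status == 403:
            report["missing"].append(resource)
        elif status != 200:
            report["unexpected"].append((path, status))
    for method, path, resource in FORBIDDEN:
        status = fetch(base_url, token, method, path)
        if status == 200:
            report["excess"].append(resource)
        elif status != 403:
            report["unexpected"].append((path, status))
    return report


def is_least_privilege(report):
    """True when nothing required is missing and nothing extra is granted."""
    return not report["missing"] and not report["excess"]


if __name__ == "__main__":
    # Placeholder host; set MAGENTO_URL and MAGENTO_TOKEN for a real run.
    base = os.environ.get("MAGENTO_URL", "https://magento.example.test")
    tok = os.environ.get("MAGENTO_TOKEN", "")
    rep = audit(base, tok)
    print(json.dumps(rep, indent=2))
    sys.exit(0 if is_least_privilege(rep) else 1)
```

Run it with `MAGENTO_URL` and `MAGENTO_TOKEN` set; a non-zero exit means the integration's resource access differs from the checklist. A report full of `unexpected` entries with status 401 points at the next troubleshooting item on this page (a deactivated, deleted or revoked token) rather than at permissions.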

My integration token is no longer working

Possible causes:

  • Integration was deactivated or deleted

  • Token was manually revoked

  • Magento instance was reset

Solution:

  1. Go to System → Extensions → Integrations

  2. Verify your integration exists and is Active

  3. If missing, recreate it using the steps above

  4. Generate a new token and update your Odoo configuration

Should I use the same token in multiple Odoo instances?

No. Create a separate integration and token for each Odoo instance:

  • Easier to deactivate one instance without affecting others

  • Better security isolation

  • Clearer audit trail of which system did what

  • Simpler troubleshooting if one instance has issues

What if I suspect my token has been compromised?

Immediate action:

  1. Go to System → Extensions → Integrations

  2. Click Deactivate on your integration (this invalidates the old token immediately)

  3. Click Activate again to generate a new token

  4. Update your Odoo connector with the new token

The old token becomes useless once deactivated.

Questions?

If you have additional questions about API security or permissions, please contact us at support@ventor.tech or through our support portal.