Authorize Masterdata API call from react (admin) to node to masterdata

Hi Saito, this didn’t help. I can still call the API from Postman, but not from the VTEX admin React app.

Hello Sirev,

At this point I would change the endpoint to a public one or change it to a GraphQL call.

Yeah, when setting public to true it is available to everyone, but you can control who can access it through policies using VRN resources, therefore setting the “access” attribute to authorized, so it’ll use VtexIdclientAutCookie. By the way, we can use either VtexIdclientAutCookie or the Authorization header; they both work, as I set both headers on masterdata too inside the clients files (node side). I think it should be more explicitly described; maybe when I get some free time I will make some PRs into the VTEX API docs…

The strangest thing is that I can’t use it in private mode using the same VRN resource, so my final resolution is:

"token": {
      "path": "/_v/token",
      "public": true,
      "access": "authorized",
      "policies": [
          "effect": "allow",
          "actions": ["options", "get", "post", "delete"],
          "principals": [

Useful references:
VRN - VTEX Resource Name (VRN)
Policies - Policies
Manifest - Manifest

1 Like


Never heard about the access option before. Thanks for sharing it.
