Skip to main content
Skip to main content


Version 1.17.0 of Medusa ships new and improved authentication methods.


Breaking changes

This release comes with changes to our authentication methods, which has led to a breaking change in the client-side usage of our API token method.

The header used for API token authentication has changed from a Bearer authorization scheme to a custom header specific to Medusa, x-medusa-access-token.

Specifically, an authenticated request with API tokens have changed from:

curl -L GET '<BACKEND_URL>/admin/products' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer {api_token}'


curl -L GET '<BACKEND_URL>/admin/products' \
-H 'Content-Type: application/json' \
-H 'x-medusa-access-token: {api_token}'

Additionally, the underlying strategies of session authentication have been updated in both the Store and Admin API, causing existing alive sessions to no longer be valid.


Existing sessions will not be converted to fit the updated strategies. Make sure to plan your upgrade accordingly.

How to Update

Run the following command in your project:

npm install @medusajs/medusa@1.17.0

To avoid unexpected issues with dependencies, it is also recommended to update all other Medusa plugins or packages you have installed.

Was this section helpful?