REST API

Every CDA operation that’s available in the admin UI is also exposed as a REST endpoint. Useful for:

Headless / PWA storefronts
Bulk field provisioning via scripts
Third-party integrations (CRM sync, marketing platform attribute lookup)

Authentication

CDA REST endpoints use Magento’s standard token authentication:

Audience	Token type	Endpoint
Admin	Admin token	`/V1/integration/admin/token`
Customer (logged in)	Customer token	`/V1/integration/customer/token`
Guest cart	Anonymous	(uses masked cart ID as bearer)

See Magento REST API authentication docs for full details.

Admin endpoints — manage fields

Method	URL	What it does
`GET`	`/V1/cda/custom-fields`	List all fields (paginated, filterable)
`GET`	`/V1/cda/custom-fields/:fieldId`	Get a field by ID
`GET`	`/V1/cda/custom-fields/by-code/:code`	Get a field by code
`POST`	`/V1/cda/custom-fields`	Create a new field
`PUT`	`/V1/cda/custom-fields/:fieldId`	Update an existing field
`DELETE`	`/V1/cda/custom-fields/:fieldId`	Delete a field (data preserved on order rows)

ACL required: CDA_CustomFields::field_save for writes, CDA_CustomFields::manage for reads, CDA_CustomFields::field_delete for deletes.

Example: create a field via curl

curl -X POST 'https://yourshop.com/rest/V1/cda/custom-fields' \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "customField": {
      "code": "gift_message",
      "label": "Gift Message",
      "field_type": "textarea",
      "applies_to": "cart_page",
      "is_active": true,
      "is_required": false,
      "sort_order": 10,
      "placeholder": "Your personal message"
    }
  }'

Storefront endpoints — read/write values

For logged-in customers (/mine/ routes auto-resolve the cart ID from the session):

Method	URL	What it does
`GET`	`/V1/carts/mine/cda-custom-fields`	List values on the current cart
`POST`	`/V1/carts/mine/cda-custom-fields`	Save / update values on the current cart
`GET`	`/V1/carts/mine/cda-custom-fields/applicable`	List fields the cart’s customer-group/store-view sees

For guest carts (use the masked cart ID Magento returned at cart create):

Method	URL	What it does
`GET`	`/V1/guest-carts/:cartId/cda-custom-fields`	List values
`POST`	`/V1/guest-carts/:cartId/cda-custom-fields`	Save / update values

Example: save values from a PWA

curl -X POST 'https://yourshop.com/rest/V1/carts/mine/cda-custom-fields' \
  -H "Authorization: Bearer $CUSTOMER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "values": [
      { "field_code": "engraving_text", "value": "Veronica '26" },
      { "field_code": "engraving_font", "value": "script" }
    ]
  }'

Response:

{ "success": true }

Extension attributes — payment information

CDA fields are also attached to PaymentInterface.extension_attributes.cda_custom_fields so headless callers can submit values alongside payment information in the standard set-payment-information call. This is the canonical Magento pattern; CDA’s side-channel save endpoint exists primarily for Luma checkout where the extension_attribute deserialization is unreliable.

{
  "paymentMethod": {
    "method": "checkmo",
    "extension_attributes": {
      "cda_custom_fields": [
        { "field_code": "po_number", "value": "PO-12345" }
      ]
    }
  }
}

Error responses

Standard Magento REST shape:

{
  "message": "License key not found.",
  "trace": null
}

Common error codes:

400 — malformed request body
401 — missing or invalid token
403 — token lacks the required ACL resource
404 — field or value not found
500 — server error (check var/log/exception.log)

Rate limits

CDA endpoints inherit Magento’s default REST rate limiting — which is none by default. If you have a Magento WAF or front-end rate-limit setup (Cloudflare, Vercel Firewall, Magento Cloud rate limits), those apply.

For high-throughput batch operations, consider using a single multi-value POST instead of one POST per field — the payload accepts an array of {field_code, value} pairs.