Fibric. Docs fibric.io →
v1.0.0 · stable
Guides

Connect Magento

Bring Magento orders, line items, status changes, and proof approvals into Fibric as governed events, read incrementally from a cursor so a restart never re-reads the store. This guide covers creating a REST integration token, scoping it, installing the cn-magento connector, verifying the event streams, and diagnosing the failures you are most likely to hit.

5 steps ~20 minutes Needs Magento 2.4+ CLI installed

The cn-magento connector runs in production today under BearScope, Fibric's flagship product, on live specialty-commerce orders. It senses orders and line items as they are placed and change status, proof approvals with their revisions and customer responses, and invoice and shipment records tied back to the originating order. Its writes are deliberately few: order comments and status updates within the transitions you allow, both idempotent, so a retry is a safe no-op. See Connectors for the general model.

Prerequisites

RequirementWhy
Magento 2.4 or later with the REST API enabledThe connector reads through the REST API. Earlier versions are not supported.
Admin access to System → Extensions → IntegrationsCreating the integration token requires it. Step 1 walks through the token.
The Fibric CLI, authenticatedfibric auth login and fibric auth whoami confirm your workspace. See Installation and the CLI reference.
A Fibric workspace on the free plan or laterThe platform is free during early access; premium connectors are priced from $29 per source per month.
1

Create a REST integration token

In the Magento admin, go to System → Extensions → Integrations and choose Add New Integration. Name it so its purpose survives an audit, for example fibric-connector-prod, then open the API tab and set Resource Access to Custom. Do not grant All: the connector needs sales resources, not your catalog, customers, or configuration.

Required resource scopes

ResourceAccessUsed for
Sales → Operations → OrdersreadSensing orders, line items, and status changes. This is the minimum grant.
Sales → Operations → InvoicesreadInvoice records tied back to the originating order.
Sales → Operations → ShipmentsreadShipment records tied back to the originating order.
Sales → Operations → Orders → CommentswriteOptional. Only needed if you grant order.comment.write in step 3.

Save, then choose Activate on the integration's row and approve the resource list. Magento shows four credentials; the connector uses the Access Token, which it sends as a bearer token on every request. Copy it now, it is only shown while the dialog is open.

!
Token lifetime and admin token expiry are different things

Integration access tokens do not expire on the four-hour admin-token schedule, but re-saving the integration's API scopes deactivates it and invalidates the token until it is re-activated. If reads stop with 401 after a scope change, re-activate the integration and reinstall the connection with the new token.

2

Install the connector

Add cn-magento from the marketplace and bind it to the commerce role. Operators ask for commerce capabilities such as order.read, never for Magento by name, so moving storefronts later is a rebinding, not a rewrite. The CLI prompts for the access token and stores it in your tenant's secret store; it never writes it to disk.

bash
# find the connector, then install it bound to the commerce role
fibric connectors search magento
fibric connectors add cn-magento --as commerce \
    --connection magento-prod \
    --config '{"base_url":"https://store.example.com","store_code":"default"}'
$ fibric connectors add cn-magento --as commerce --connection magento-prod \ --config '{"base_url":"https://store.example.com","store_code":"default"}' cn-magento@1.3.0 requires: api key paste key (input hidden): ******** key stored in tenant secret store. running probe... ok connection magento-prod is healthy. 2 tools, 4 event streams live.

Configuration parameters

Non-secret configuration is passed with --config and lands in the connector's ctx.config. Credentials never go here.

ParameterTypeDescription
base_urlstringRequired. The store's base URL. The connector calls {base_url}/rest/<store_code>/V1/….
store_codestringOptional, default default. The store view to read through, for multi-store installations.
poll_intervalstringOptional, default 60s. Cadence of the incremental cursor reads described in step 4.
backfill_sinceISO 8601 dateOptional. Where the first cursor read starts. Unset means the cursor starts at install time, no history.
allowed_transitionslistOptional. Status transitions order.status.write may perform, for example processing→holded. Empty means status writes are refused.
3

Grant capabilities

Installing a connector exposes capabilities; it grants nothing. An operator gets exactly the capabilities you list in its manifest, and the deterministic executor blocks anything else by omission. List what the connection now exposes:

bash
fibric capabilities ls
$ fibric capabilities ls CAPABILITY CONNECTOR STATUS order.read cn-magento ready proof.read cn-magento ready shipment.read cn-magento ready order.comment.write cn-magento ready order.status.write cn-magento ready

An order-risk operator senses through order.read and proof.read and typically writes only order.comment.write. Status writes are the sharper tool: they are constrained twice, once by allowed_transitions in the connector config and once by trust policy. See Capabilities for the indirection and Catch order risk early for the worked example against this connector.

policy.yaml
# governs writes back into Magento. default is deny.
policy: commerce-writes
rules:
  - allow: order.comment.write
    limit:
      per: hour
      max: 100
    single_flight: order_id   # one write in flight per order
  - allow: order.status.write
    limit:
      per: hour
      max: 25
default: deny
bash
fibric policy apply ./policy.yaml
fibric policy validate commerce-writes
i
Every write carries two keys

Order comments and status updates go through the deterministic executor with an entity_key (the order) and an idempotency_key (the specific write). A retried comment dedupes with a DEDUP disposition instead of stacking on the order history. See Single-flight & idempotency and Write guardrails that hold.

4

Understand incremental cursor reads

Magento does not push. The connector's event streams are declared poll, and each stream keeps a cursor: the updated_at high-water mark of the last record it turned into an envelope. On every cycle it queries the REST API with search criteria filtered above the cursor, emits one envelope per changed record, and advances the cursor only after the envelope is durably written. A restart resumes from the stored cursor, so it never re-reads the whole store and never drops an order that changed while the connector was down.

Two consequences worth knowing. First, the first sync is shaped by backfill_since: set it to ingest history, leave it unset to start from install time. Second, because updated_at has one-second granularity, the connector re-reads the boundary second on each cycle and relies on envelope-level deduplication to keep the stream exact. Duplicate suppression is by record identity and change time, not by hoping the clock cooperates.

Event streams and emitted event types

Event typeStreamFires when
order.createdordersA new order is placed, with its line items in the payload.
order.status.changedordersAn order moves between statuses, including holds and cancellations.
order.line_item.updatedordersA line item changes: quantity, item status, or options.
proof.approvedproofsA customer approves a proof. For specialty commerce, the step where orders quietly stall.
proof.revision.requestedproofsA proof is sent back for changes.
invoice.createdinvoicesAn invoice posts against an order.
shipment.createdshipmentsA shipment posts against an order.

Every event is a tenant-scoped event envelope with source: "magento", a dotted event_type as above, and a correlation_id that ties an order's events together across streams.

5

Verify events are flowing

Place a test order, or edit any existing order, then tail the event stream. With the default poll_interval of 60s, expect the envelope within about a minute of the change.

bash
fibric events tail --source magento
$ fibric events tail --source magento event order.created order=SO-10944 items=3 total=$412.00 event proof.approved order=SO-10921 proof=pf_2210 event order.status.changed order=SO-10921 pending → processing event shipment.created order=SO-10893 carrier=ups events flowing · cursor 2026-07-02T14:31:07Z

Then confirm the write path with a dry run. Side-effecting tools dry-run by default: input validation and the trust evaluation execute, the handler does not.

bash
fibric connectors test cn-magento order.comment.write \
    --connection magento-prod \
    --args '{"order_id":"SO-10944","comment":"connectivity check"}'
$ fibric connectors test cn-magento order.comment.write --connection magento-prod \ --args '{"order_id":"SO-10944","comment":"connectivity check"}' order.comment.write is side-effecting: dry run (pass --live to execute) input validation ok trust evaluation ALLOW (rule: order.comment.write) handler not called (dry run)

Common failures

Every failure below is visible in fibric connectors test output or in receipts; the connector's probe reports the first three on install.

SymptomCauseFix
Probe fails with 401 UnauthorizedThe access token is wrong, or the integration was deactivated, commonly by re-saving its API scopes.Re-activate the integration under System → Extensions → Integrations, copy the new token, and re-run fibric connectors add to replace the stored secret.
Orders read, invoices or shipments do notThe integration's resource access omits that Sales resource.Add the resource in the API tab, then re-activate the integration and reinstall the connection with the fresh token.
Reads stall with 429 or 503 in connector logsStore-side rate limiting: Magento's web server or a WAF is throttling the poll traffic.Raise poll_interval, or allow-list Fibric's egress at the WAF. The connector backs off and the cursor holds; nothing is lost, only delayed.
Probe fails with 404 on every endpointbase_url or store_code is wrong, so /rest/<store_code>/V1/… resolves nowhere.Fix the value with fibric connectors add --config and confirm the URL serves /rest/default/V1/ paths.
order.status.write receipts show BLOCKThe transition is missing from allowed_transitions, or no trust rule allows the action; both fail closed.Add the transition to the connector config and an allow rule to the policy, then fibric policy apply. See Trust tiers.
A gap after downtime, then a burst of old eventsThe connector resumed from its cursor and is catching up.Expected. Envelopes carry the record's change time, not arrival time, so downstream operators order correctly.

Next steps