How are permissions checked for a Web API request?

Step 1. Magento\Webapi\Controller\Rest\InputParamsResolver::resolve()

Step 2. Magento\Webapi\Controller\Rest\RequestValidator::validate()

Step 3. Magento\Webapi\Controller\Rest\RequestValidator::checkPermissions()

Step 4. Magento\Framework\Webapi\Authorization::isAllowed()

Step 5.

5.1. For a guest customer:

How is the «resource ref='anonymous’» webapi.xml rule handled for a request?

5.2. For a registered customer:

How is the «resource ref='self'» webapi.xml rule handled for a request?

See also: