API tokens

Authentication strategies in Strapi can either be based on the use of the Users & Permissions plugin or on the built-in API token feature.

Using API tokens allows executing a request on REST API or GraphQL API endpoints as an authenticated user.

Creation

New API tokens are generated from the admin panel.

Usage

When performing a request to Strapi's REST API, the API token should be added to the request's Authorization header with the following syntax: bearer your-api-token.

note

Read-only API tokens can only access the find and findOne functions.

Configuration

New API tokens are generated using a salt. This salt is automatically generated by Strapi and stored in .env as API_TOKEN_SALT.

The salt can be customized:

either by updating the string value for apiToken.salt in ./config/admin.js (see admin panel configuration documentation)
or by creating an API_TOKEN_SALT environment variable in the .env file of the project

caution

Changing the salt invalidates all the existing API tokens.

API tokens

Creation​

Usage​

Configuration​

Creation

Usage

Configuration