API Tokens
API tokens allow users to authenticate REST and GraphQL API queries (see Developer Documentation). Administrators can manage API tokens from Settings > Global settings > API Tokens.
Plan: Free feature.
Role & permission: Minimum "Access the API tokens settings page" in Roles > Settings - API tokens.
Activation: Available by default.
Environment: Available in both Development & Production environment.
Configuration
Most configuration options for API tokens are available in the admin panel, and your Strapi project's code can be used to alter how API tokens are generated.
Admin panel settings
The API Tokens settings sub-section displays a table listing all of the created API tokens.
The table displays each API token's name, description, date of creation, and date of last use. From the table, administrators can also:
- Click on the edit button to edit an API token's name, description, type, or duration, or to regenerate the token.
- Click on the delete button to delete an API token.
Creating a new API token
To create a new API token:
- Click on the Create new API Token button.
- In the API token edition interface, configure the new API token:
  - Name: Write the name of the API token.
  - Description (optional): Write a description for the API token.
  - Token duration: Choose a token duration: 7 days, 30 days, 90 days, or Unlimited.
  - Token type: Choose a token type: Read-only, Full access, or Custom.
- (optional) For the Custom token type, define specific permissions for your API endpoints by clicking on the content-type name and using checkboxes to enable or disable permissions.
- Click on the Save button. The new API token will be displayed at the top of the interface, along with a copy button.
For security reasons, API tokens are only shown right after they have been created. When refreshing the page or navigating elsewhere in the admin panel, the newly created API token will be hidden and will not be displayed again.
Regenerating an API token
To regenerate an API token:
- Click on the API token's edit button.
- Click on the Regenerate button.
- Click on the Regenerate button to confirm in the dialog.
- Copy the new API token displayed at the top of the interface.
Code-based configuration
New API tokens are generated using a salt. This salt is automatically generated by Strapi and stored in environment variables (the .env file) as API_TOKEN_SALT.
The salt can be customized:
- either by updating the string value for apiToken.salt in ./config/admin.js (see admin panel configuration documentation),
- or by creating an API_TOKEN_SALT environment variable in the .env file of the project.
Changing the salt invalidates all the existing API tokens.
Usage
Using an API token allows a request to REST API or GraphQL API endpoints to be executed as an authenticated user.
API tokens can be helpful to give access to people or applications without managing a user account or changing anything in the Users & Permissions plugin.
When performing a request to Strapi's REST API, the API token should be added to the request's Authorization header with the following syntax: bearer your-api-token.
Read-only API tokens can only access the find and findOne functions.