API tokens

Caution

The content of this page has not been updated to Strapi v5 yet.

Authentication strategies in Strapi can either be based on the use of the Users & Permissions plugin or on the built-in API token feature.

Using API tokens allows executing a request on REST API or GraphQL API endpoints as an authenticated user.

API tokens can be helpful to give access to people or applications without managing a user account or changing anything in the Users & Permissions plugin.

Creation

New API tokens are generated from the admin panel.

Usage

When performing a request to Strapi's REST API, the API token should be added to the request's Authorization header with the following syntax: bearer your-api-token.

✏️ Note

Read-only API tokens can only access the find and findOne functions.
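As an added example (not code from this page or from the Strapi project), the following Node.js client sends the token in the Authorization header as described above and surfaces the two failure modes a caller should expect: a 401 when the token is missing or invalid, and a 403 when a read-only token is used for anything other than find or findOne. The `/api` prefix, the `STRAPI_API_TOKEN` variable name and the `fakeFetch` stand-in (which imitates a Strapi instance holding one read-only token so the example runs offline) are assumptions or constructed values, not something the page states. The scheme is written `Bearer` here; HTTP authentication scheme names are case-insensitive, so the page's lowercase spelling is equivalent.

```javascript
// Added example, not Strapi's own code. Assumptions: REST routes live under /api,
// and the token is read from the STRAPI_API_TOKEN environment variable in real use.

// Build the Authorization header from a token, refusing empty or missing values
// so a misconfigured deployment fails loudly instead of sending anonymous requests.
function buildAuthHeaders(token) {
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('missing API token (set STRAPI_API_TOKEN)');
  }
  return { Authorization: `Bearer ${token}`, Accept: 'application/json' };
}

class StrapiClient {
  // fetchImpl is injectable so the example can run against a fake server below.
  constructor({ baseUrl, token, fetchImpl = globalThis.fetch }) {
    this.baseUrl = baseUrl.replace(/\/+$/, '');
    this.headers = buildAuthHeaders(token);
    this.fetchImpl = fetchImpl;
  }

  async request(method, path, body) {
    const res = await this.fetchImpl(`${this.baseUrl}/api/${path}`, {
      method,
      headers: body ? { ...this.headers, 'Content-Type': 'application/json' } : this.headers,
      body: body ? JSON.stringify(body) : undefined,
    });
    // Distinguish "who are you" from "you may not do that": they need different fixes.
    if (res.status === 401) throw new Error('unauthorized: token missing or invalid');
    if (res.status === 403) throw new Error(`forbidden: token lacks permission for ${method} ${path}`);
    if (!res.ok) throw new Error(`request failed with status ${res.status}`);
    return res.json();
  }

  find(collection) { return this.request('GET', collection); }
  findOne(collection, id) { return this.request('GET', `${collection}/${id}`); }
  create(collection, data) { return this.request('POST', collection, { data }); }
}

// Constructed stand-in for fetch: behaves like a Strapi instance that knows one
// read-only token. Any other token gets 401; any non-GET request gets 403.
const READ_ONLY_TOKEN = 'constructed-read-only-token';
function fakeFetch(url, { method, headers }) {
  const reply = (status, payload) => ({
    status,
    ok: status >= 200 && status < 300,
    json: async () => payload,
  });
  if ((headers.Authorization || '') !== `Bearer ${READ_ONLY_TOKEN}`) {
    return Promise.resolve(reply(401, { error: 'Unauthorized' }));
  }
  if (method !== 'GET') {
    return Promise.resolve(reply(403, { error: 'Forbidden' }));
  }
  return Promise.resolve(reply(200, { data: { method, path: new URL(url).pathname } }));
}

// Walk through the three cases: a permitted read, a rejected write, a rejected token.
async function demonstrate() {
  const client = new StrapiClient({ baseUrl: 'http://localhost:1337/', token: READ_ONLY_TOKEN, fetchImpl: fakeFetch });
  const one = await client.findOne('articles', 7); // allowed for a read-only token

  let createError = null;
  try { await client.create('articles', { title: 'x' }); } catch (e) { createError = e.message; }

  const badClient = new StrapiClient({ baseUrl: 'http://localhost:1337', token: 'wrong-token', fetchImpl: fakeFetch });
  let authError = null;
  try { await badClient.find('articles'); } catch (e) { authError = e.message; }

  return { one, createError, authError };
}

demonstrate().then((result) => console.log(JSON.stringify(result, null, 2)));
```

In real use, construct the client with `token: process.env.STRAPI_API_TOKEN` and leave `fetchImpl` at its default so the global fetch is used; keeping the token out of source and out of logs is the main operational point of the header-based scheme.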

Configuration

New API tokens are generated using a salt. This salt is automatically generated by Strapi and stored in .env as API_TOKEN_SALT.

The salt can be customized:

Caution

Changing the salt invalidates all the existing API tokens.