
API Tokens

API tokens allow users to authenticate REST and GraphQL API queries (see Developer Documentation). Administrators can manage API tokens from Settings > Global settings > API Tokens.

Identity Card of the Feature

Plan: Free feature.
Role & permission: Minimum "Access the API tokens settings page" in Roles > Settings - API tokens.
Activation: Available by default.
Environment: Available in both Development & Production environment.


Configuration

Most configuration options for API tokens are available in the admin panel; the one setting that lives in your Strapi project's code is the salt used when tokens are generated and stored.

Admin panel settings

The API Tokens settings sub-section displays a table listing all of the created API tokens.

The table displays each API token's name, description, date of creation, and date of last use. From the table, administrators can also:

  • Click on the edit button to edit an API token's name, description, type, or duration, or to regenerate the token.
  • Click on the delete button to delete an API token.

Creating a new API token

To create a new API token:

  1. Click on the Create new API Token button.

  2. In the API token editing interface, configure the new API token:

    Setting name      Instructions
    Name              Write the name of the API token.
    Description       (optional) Write a description for the API token.
    Token duration    Choose a token duration: 7 days, 30 days, 90 days, or Unlimited.
    Token type        Choose a token type: Read-only, Full access, or Custom.
  3. (optional) For the Custom token type, define specific permissions for your API endpoints by clicking on the content-type name and using checkboxes to enable or disable permissions.

  4. Click on the Save button. The new API token will be displayed at the top of the interface, along with a copy button.

Caution

For security reasons, API tokens are only shown right after they have been created or regenerated. When refreshing the page or navigating elsewhere in the admin panel, the token will be hidden and will not be displayed again, so copy it to your secret store immediately.

Regenerating an API token

To regenerate an API token:

  1. Click on the API token's edit button.
  2. Click on the Regenerate button.
  3. Click on the Regenerate button to confirm in the dialog.
  4. Copy the new API token displayed at the top of the interface.

Code-based configuration

New API tokens are generated and stored using a salt. This salt is automatically generated by Strapi and stored in environment variables (the .env file) as API_TOKEN_SALT.

The salt can be customized in the project's admin configuration (config/admin.js, under apiToken.salt):

Caution

Changing the salt invalidates all the existing API tokens: Strapi stores only a salted hash of each token, so once the salt changes, no previously issued token matches its stored hash any more. Plan a rotation of the salt as a rotation of every token that depends on it.

Usage

Using API tokens allows executing requests on REST API or GraphQL API endpoints as an authenticated client, without a user account.

API tokens can be helpful to give access to people or applications without managing a user account or changing anything in the Users & Permissions plugin.

When performing a request to Strapi's REST API, the API token should be added to the request's Authorization header with the following syntax: Authorization: bearer your-api-token.

Note

Read-only API tokens can only access the find and findOne controller actions, i.e. the GET routes that list or fetch entries; requests to create, update, or delete entries are refused.
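The request described above, as an added example that is not part of the original documentation: a small Node.js client that sends the token in the Authorization header and reports the difference between a rejected token and a token that lacks permission, together with a constructed mock of the server so the flow runs offline. Assumed names are STRAPI_API_TOKEN, the base URL http://localhost:1337, and a collection type exposed at /api/articles; the mock's 401 for an unknown token and 403 for a read-only token used on a write are this example's model of the behaviour, not a verified response contract.

```javascript
// Added example (not from the Strapi docs): REST client plus a constructed mock server.
// Assumptions: STRAPI_API_TOKEN, http://localhost:1337, /api/articles, and the
// mock's 401/403 split. Tokens below are constructed values for the demo only.

// Build the Authorization header: "bearer <token>" (the prefix is matched case-insensitively).
function authHeaders(token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('API token missing: read it from STRAPI_API_TOKEN, never hard-code it');
  }
  return { Authorization: `bearer ${token}`, 'Content-Type': 'application/json' };
}

// Turn an HTTP status into an actionable message for the caller.
function describeStatus(status) {
  if (status === 401) return 'token missing, invalid or expired';
  if (status === 403) return 'token type or custom permissions do not allow this action';
  if (status >= 200 && status < 300) return 'ok';
  return `unexpected HTTP ${status}`;
}

// Real client: pass globalThis.fetch in production, mockFetch in this demo.
async function strapiRequest(fetchImpl, baseUrl, token, method, path, body) {
  const res = await fetchImpl(`${baseUrl}${path}`, {
    method,
    headers: authHeaders(token),
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${method} ${path} -> ${res.status}: ${describeStatus(res.status)}`);
  return res.json();
}

// Constructed mock server with one read-only and one full-access token.
const MOCK_TOKENS = { readOnly: 'ro-token-constructed', fullAccess: 'fa-token-constructed' };

function mockStrapiHandler({ method, headers }) {
  const presented = (headers.Authorization || '').replace(/^bearer\s+/i, '');
  if (presented !== MOCK_TOKENS.readOnly && presented !== MOCK_TOKENS.fullAccess) {
    return { status: 401, body: { error: { message: 'Missing or invalid credentials' } } };
  }
  const isRead = method === 'GET'; // find / findOne are the GET routes
  if (!isRead && presented === MOCK_TOKENS.readOnly) {
    return { status: 403, body: { error: { message: 'Forbidden' } } };
  }
  return { status: 200, body: { data: isRead ? [{ id: 1, attributes: { title: 'hello' } }] : { id: 2 } } };
}

// Adapter giving the mock a fetch-like surface for strapiRequest.
async function mockFetch(url, init) {
  const { status, body } = mockStrapiHandler({ method: init.method, headers: init.headers });
  return { status, ok: status >= 200 && status < 300, json: async () => body };
}

// Exercise the three outcomes: read with read-only, write with read-only, unknown token.
async function demo() {
  const base = 'http://localhost:1337';
  const results = {};
  results.readWithReadOnly = (await strapiRequest(mockFetch, base, MOCK_TOKENS.readOnly, 'GET', '/api/articles')).data.length;
  try {
    await strapiRequest(mockFetch, base, MOCK_TOKENS.readOnly, 'POST', '/api/articles', { data: { title: 'x' } });
    results.writeWithReadOnly = 'allowed';
  } catch (e) {
    results.writeWithReadOnly = e.message;
  }
  try {
    await strapiRequest(mockFetch, base, 'not-a-real-token', 'GET', '/api/articles');
    results.badToken = 'allowed';
  } catch (e) {
    results.badToken = e.message;
  }
  return results;
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Against a real instance, replace mockFetch with globalThis.fetch and read the token from process.env.STRAPI_API_TOKEN; treat a 401 as a credential problem (expired duration, regenerated token, rotated salt) and a 403 as a permission problem to fix in the token's type or custom permissions.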