# API tokens
Authentication strategies in Strapi can either be based on the use of the Users & Permissions plugin or on the built-in API token feature.
Using API tokens allows executing a request on REST API endpoints as an authenticated user.
# Creation
New API tokens are generated from the admin panel.
# Usage
When performing a request to Strapi's REST API, the API token should be added to the request's `Authorization` header with the following syntax: `bearer your-api-token`.
✏️ NOTE
Read-only API tokens can only access the `find` and `findOne` functions.
# Configuration
New API tokens are generated using a salt. This salt is automatically generated by Strapi and stored in `.env` as `API_TOKEN_SALT`.
The salt can be customized:
- either by updating the string value for `apiToken.salt` in `./config/admin.js` (see admin panel configuration documentation)
- or by creating an `API_TOKEN_SALT` environment variable in the `.env` file of the project
✋ CAUTION
Changing the salt invalidates all the existing API tokens.
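
The small model below shows why the salt matters and how the read-only restriction and the `bearer` header syntax interact. It is an added example, not Strapi's own code: it assumes the server keeps only an HMAC of each token keyed with the salt, and the function names, the `read-only` type label and the sample salts are hypothetical or constructed.

```javascript
// Added illustration, not Strapi source: a minimal model of salted API tokens.
const nodeCrypto = require('node:crypto');

// Hash an access key with the salt; only this hash is kept server-side (assumption).
function hashToken(accessKey, salt) {
  return nodeCrypto.createHmac('sha512', salt).update(accessKey).digest('hex');
}

// Issue a token: return the plaintext key once, store only its salted hash.
function issueToken(store, salt, type) {
  const accessKey = nodeCrypto.randomBytes(32).toString('hex');
  store.set(hashToken(accessKey, salt), { type });
  return accessKey;
}

// Extract the token from an "Authorization: bearer <token>" header value.
function parseBearer(header) {
  const match = /^bearer\s+(\S+)$/i.exec(header || '');
  return match ? match[1] : null;
}

// Decide whether a request carrying `header` may call `action`.
function authorize(store, salt, header, action) {
  const accessKey = parseBearer(header);
  if (!accessKey) return false;
  // Lookup is by salted hash, so a different salt never finds the record.
  const record = store.get(hashToken(accessKey, salt));
  if (!record) return false;
  // Read-only tokens are limited to find and findOne, as the note above states.
  if (record.type === 'read-only') return ['find', 'findOne'].includes(action);
  return true;
}

// Constructed demo: one read-only token checked under the old and a new salt.
function demo() {
  const store = new Map();
  const oldSalt = 'constructed-salt-A';
  const token = issueToken(store, oldSalt, 'read-only');
  const header = `bearer ${token}`;
  return {
    find: authorize(store, oldSalt, header, 'find'),
    create: authorize(store, oldSalt, header, 'create'),
    afterSaltChange: authorize(store, 'constructed-salt-B', header, 'find'),
    missingScheme: authorize(store, oldSalt, token, 'find'),
  };
}

console.log(demo());
```

Because every stored hash depends on the salt, rotating it is an all-or-nothing revocation: plan to reissue tokens to every client at the same time.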