Authenticated Requests to Strapi

by Sujay Prabhu, Senior System Analyst

This post covers how to make requests to Strapi endpoints as an authenticated user, in both Strapi v3 and Strapi v4.

Before starting, I created an Employees collection type and added a few employees.

With Strapi v3

  • Let's try to fetch the employee list with a plain GET request, sending no credentials
// Request

curl --request GET 'http://localhost:1337/employees'

// Response

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "Forbidden"
}
  • Collection endpoints are restricted by default: the Public role has no permissions on Employees, so a request without credentials is rejected with a 403 status code.
  • To let authenticated users read the collection, grant the find permission to the Authenticated role:
Settings -> Users & Permissions plugin -> Roles -> Authenticated -> Employees -> find
  • Grant it to the Authenticated role only. Enabling find on the Public role would also make the 403 go away, but for everyone, with no token required.
  • A JWT must then be sent with every request to the restricted endpoint.
  • To obtain a JWT, create a user and authenticate as that user against /auth/local.
// Request

curl --request POST 'localhost:1337/auth/local' \
--form 'identifier="test@test.com"' \
--form 'password="test@123"'

// Response

{
    "jwt": "TOKEN",
    "user": {
        "id": 3,
        "username": "test",
        "email": "test@test.com",
        "provider": "local",
        "confirmed": false,
        "blocked": false,
        "role": {
            "id": 1,
            "name": "Authenticated",
            "description": "Default role given to authenticated user.",
            "type": "authenticated"
        },
        "created_at": "2022-04-21T14:01:32.672Z",
        "updated_at": "2022-04-21T14:01:32.679Z"
    }
}
  • Now repeat the first request, this time sending the JWT from the previous step as a bearer credential in the Authorization header
// Request

curl --request GET 'localhost:1337/employees' \
--header 'Authorization: Bearer TOKEN'

// Response

[
    {
        "id": 1,
        "name": "test",
        "age": null,
        "published_at": "2022-04-13T06:27:46.430Z",
        "created_at": "2022-04-13T06:27:44.423Z",
        "updated_at": "2022-04-13T06:27:46.441Z"
    }
]
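
The whole v3 procedure above, end to end, as an added example that is not code from the original post or from Strapi: log in, read the claims inside the returned JWT, and call the restricted endpoint, telling a 401 apart from a 403. It assumes a Strapi v3 instance at http://localhost:1337 with the Employees collection and the find permission on the Authenticated role configured as described. The STRAPI_URL, STRAPI_USER and STRAPI_PASSWORD environment variables are my own choices, and SAMPLE_TOKEN is a constructed token with a dummy signature, not one issued by a real instance. Standard library only.

```python
"""Strapi v3 user login + authenticated request (added example, stdlib only)."""
import base64
import json
import os
import urllib.error
import urllib.request

# Assumed instance location; override with STRAPI_URL.
BASE_URL = os.environ.get("STRAPI_URL", "http://localhost:1337")


def auth_headers(jwt):
    """Strapi reads the token from the Authorization header as a bearer credential.
    Never put it in the query string: URLs end up in access logs and browser history."""
    return {"Authorization": "Bearer " + jwt}


def parse_login_response(body):
    """Split the /auth/local response: 'jwt' is the credential, 'user' is the profile."""
    doc = json.loads(body)
    if "jwt" not in doc:
        raise ValueError("login response has no jwt: %s" % doc)
    return doc["jwt"], doc["user"]


def jwt_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature.
    The users-permissions token is signed, not encrypted, so anyone holding it can
    read the claims (user id, issued-at, expiry). Possessing the token is the same
    as being logged in as that user, which is why it must be handled as a secret."""
    _header, payload, _signature = jwt.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample (not from a real instance): HS256 header, the id/iat/exp claims
# the users-permissions plugin puts in its tokens (default lifetime 30 days), dummy signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"id": 3, "iat": 1650549692, "exp": 1653141692}),
    "c2lnbmF0dXJl",
])


def explain_status(code):
    """Map the status codes a restricted endpoint returns to their usual cause."""
    return {
        200: "ok",
        401: "token present but malformed, expired or signed with a different secret",
        403: "no token sent, or the token's role lacks the find permission",
    }.get(code, "unexpected status %d" % code)


def login(identifier, password):
    """POST /auth/local with a JSON body; returns (jwt, user)."""
    req = urllib.request.Request(
        BASE_URL + "/auth/local",
        data=json.dumps({"identifier": identifier, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return parse_login_response(resp.read())


def fetch_employees(jwt):
    """GET /employees with the bearer token; returns (status, parsed body) even on 401/403."""
    req = urllib.request.Request(BASE_URL + "/employees", headers=auth_headers(jwt))
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


if __name__ == "__main__":
    # Credentials come from the environment so they stay out of shell history and `ps`.
    token, user = login(os.environ["STRAPI_USER"], os.environ["STRAPI_PASSWORD"])
    print("logged in as", user["username"], "claims:", jwt_claims(token))
    status, body = fetch_employees(token)
    print(status, explain_status(status))
    print(json.dumps(body, indent=2))
```

Run it as STRAPI_USER=test@test.com STRAPI_PASSWORD=... python3 strapi_v3.py. The exp minus iat in the decoded claims is 30 days, the plugin's default token lifetime; after that the same request returns 401 and a fresh login is needed.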

With Strapi v4

Strapi v4 keeps the roles-and-permissions approach and adds a second way to reach restricted content: API tokens.

  • The first way is the same as in v3: grant permissions to a role and authenticate as a user that has that role.
  • Use this approach when access must be restricted per user or per role.
  • See the Strapi documentation on roles and permissions for the details of assigning permissions to roles.
Note: In Strapi v4 the content API is prefixed with /api, so the endpoint becomes `localhost:1337/api/employees`
  • The second way is API tokens, a built-in feature of Strapi v4.
  • An API token lets a request reach restricted endpoints without creating a user or logging in, which suits scripts and server-to-server calls. The token is not tied to a user account: whoever holds it gets whatever access it was created with, so treat it as a secret (keep it in an environment variable or a secret store, never in client-side code) and choose the Read-only type unless the caller needs to write.
  • To generate an API token, go to
Settings -> API tokens -> Create new token
  • Copy the token when it is shown (it is displayed only once) and send it as a bearer credential in the Authorization header
// Request

curl --request GET 'localhost:1337/api/employees' \
--header 'Authorization: Bearer API_TOKEN'

// Response

{
    "data": [
        {
            "id": 1,
            "attributes": {
                "name": "test",
                "age": 50,
                "createdAt": "2022-04-18T15:46:02.760Z",
                "updatedAt": "2022-04-18T15:46:06.891Z",
                "publishedAt": "2022-04-18T15:46:06.887Z"
            }
        }
    ],
    "meta": {
        "pagination": {
            "page": 1,
            "pageSize": 25,
            "pageCount": 1,
            "total": 1
        }
    }
}
  • See the Strapi documentation on API tokens for more detail on making authenticated requests with them.
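
The API-token flow above, as an added example that is not code from the original post or from Strapi: the token is read from the environment, the v4 response envelope (data/attributes/meta) is unwrapped, every page is fetched via meta.pagination, and an optional write probe shows whether the token is really read-only. It assumes a Strapi v4 instance at http://localhost:1337 with the Employees collection from the text. The STRAPI_URL, STRAPI_API_TOKEN and STRAPI_PROBE_WRITE environment variables are my own names. Standard library only.

```python
"""Strapi v4 read with an API token (added example, stdlib only)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumed instance location; override with STRAPI_URL.
BASE_URL = os.environ.get("STRAPI_URL", "http://localhost:1337")


def load_api_token():
    """API tokens are shown once at creation and are not bound to a user, so treat
    them like a password: read from the environment (or a secret store), never
    hard-code them or ship them inside a browser bundle."""
    token = os.environ.get("STRAPI_API_TOKEN")
    if not token:
        raise RuntimeError("STRAPI_API_TOKEN is not set")
    return token


def flatten(payload):
    """v4 wraps each record as {"id": ..., "attributes": {...}}; return flat dicts."""
    return [dict(id=item["id"], **item["attributes"]) for item in payload["data"]]


def next_page(payload):
    """Next page number from meta.pagination, or None once the last page is reached."""
    p = payload["meta"]["pagination"]
    return p["page"] + 1 if p["page"] < p["pageCount"] else None


def get_page(token, path, page, page_size=25):
    """GET one page of a v4 collection using the pagination[page]/pagination[pageSize] query params."""
    query = urllib.parse.urlencode({"pagination[page]": page, "pagination[pageSize]": page_size})
    req = urllib.request.Request(
        BASE_URL + path + "?" + query,
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def fetch_all(token, path="/api/employees"):
    """Walk every page of the collection and return the flattened records."""
    records, page = [], 1
    while page is not None:
        payload = get_page(token, path, page)
        records.extend(flatten(payload))
        page = next_page(payload)
    return records


def try_create(token, path, attributes):
    """Attempt a write and return the HTTP status. A Read-only token is refused with
    403; a Full access token succeeds, which is why full-access tokens belong on a
    server, not in anything a user can inspect."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps({"data": attributes}).encode(),
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    token = load_api_token()
    for rec in fetch_all(token):
        print(rec)
    # Opt-in probe: it creates a record if the token has write access, so it is off by default.
    if os.environ.get("STRAPI_PROBE_WRITE") == "1":
        print("create attempt:", try_create(token, "/api/employees", {"name": "probe", "age": 30}))
```

Run it as STRAPI_API_TOKEN=... python3 strapi_v4.py. If the write probe returns 200 for a token you intended to be read-only, the token was created with the wrong type and should be deleted and re-issued rather than left in circulation.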
