Authenticated Requests to Strapi

Sujay Prabhu

This blog covers how to make requests to Strapi endpoints as an authenticated user in Strapi v3 & v4.

Before starting, I created an Employees collection type and added some employees.

With Strapi v3

  • Let's try to fetch employee details by making a GET request:
// Request
curl --request GET 'http://localhost:1337/employees'
// Response
{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "Forbidden"
}
  • Collections are restricted by default, so they cannot be accessed as a Public user, which results in a 403 status code.
  • To get rid of the Forbidden error, let's grant permission on the /employees endpoint by enabling:
Settings -> Users & Permissions plugin -> Roles -> Authenticated -> Employees -> find
  • A JWT token must be added to the API request to fetch data from restricted endpoints.
  • To get the JWT token, create a user and authenticate as that user.
// Request
curl --request POST 'localhost:1337/auth/local' \
--form 'identifier="test@test.com"' \
--form 'password="test@123"'
// Response
{
    "jwt": "TOKEN",
    "user": {
        "id": 3,
        "username": "test",
        "email": "test@test.com",
        "provider": "local",
        "confirmed": false,
        "blocked": false,
        "role": {
            "id": 1,
            "name": "Authenticated",
            "description": "Default role given to authenticated user.",
            "type": "authenticated"
        },
        "created_at": "2022-04-21T14:01:32.672Z",
        "updated_at": "2022-04-21T14:01:32.679Z"
    }
}
  • Now, add the JWT token obtained in the last step to the Authorization header of the request from the first step:
// Request
curl --request GET 'localhost:1337/employees' \
--header 'Authorization: Bearer TOKEN'
// Response
[
    {
        "id": 1,
        "name": "test",
        "age": null,
        "published_at": "2022-04-13T06:27:46.430Z",
        "created_at": "2022-04-13T06:27:44.423Z",
        "updated_at": "2022-04-13T06:27:46.441Z"
    }
]

With Strapi v4

In Strapi v4, a second way to access restricted content has been added.

  • The first way is the same as in v3, based on roles and permissions.
  • This approach can be followed when the requirement is to restrict content based on roles.
  • Learn more about authenticated requests to Strapi by assigning permissions to roles here.
Note: In Strapi v4, the endpoint has changed to `localhost:1337/api/employees`.
  • The second way is to use API tokens, a built-in feature of Strapi v4.
  • This allows executing requests on restricted endpoints as an authenticated user without the hassle of roles and permissions.
  • To generate API tokens, click on:
Settings -> API tokens -> Create new token
  • Copy the generated token and add it to the request's Authorization header:
// Request
curl --request GET 'localhost:1337/api/employees' \
--header 'Authorization: Bearer API_TOKEN'
// Response
{
    "data": [
        {
            "id": 1,
            "attributes": {
                "name": "test",
                "age": 50,
                "createdAt": "2022-04-18T15:46:02.760Z",
                "updatedAt": "2022-04-18T15:46:06.891Z",
                "publishedAt": "2022-04-18T15:46:06.887Z"
            }
        }
    ],
    "meta": {
        "pagination": {
            "page": 1,
            "pageSize": 25,
            "pageCount": 1,
            "total": 1
        }
    }
}
  • Learn more about making authenticated requests to Strapi using API tokens here.
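As an added example (not code from the original post or from Strapi), here are the v3 and v4 flows above as a small Node.js client: it logs in at auth/local, keeps the JWT in memory, sends it as a Bearer token, and tells a 403 (the role behind the token lacks the find permission) apart from other failures. It assumes a local instance at http://localhost:1337 and Node 18+ for the global fetch; fetchFn is injectable so the flow can be exercised without a running Strapi, and getCollection works the same with a v4 API token in place of the JWT.

```javascript
// Added example, not code from the original post: a minimal client for the flow
// described above. Log in at auth/local, keep the JWT in memory, send it as a
// Bearer token, and tell a 403 (missing role permission) apart from other errors.
// `fetchFn` is injectable so the flow can be exercised without a live Strapi.
const STRAPI_URL = "http://localhost:1337"; // assumption: local dev instance

// v3 serves collections at /<name>; v4 prefixes every route with /api
// (auth/local included), matching the note above about /api/employees.
function apiPrefix(version) {
  return version === 4 ? "/api" : "";
}

async function login(baseUrl, version, identifier, password, fetchFn = fetch) {
  // JSON body; the curl example above sends form fields, Strapi accepts both.
  const res = await fetchFn(`${baseUrl}${apiPrefix(version)}/auth/local`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ identifier, password }),
  });
  if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.jwt !== "string") throw new Error("login response has no jwt");
  return body.jwt; // treat it like a password: never log it or commit it
}

// Works with the JWT from login() or, on v4, with an API token from Settings.
async function getCollection(baseUrl, version, name, token, fetchFn = fetch) {
  const res = await fetchFn(`${baseUrl}${apiPrefix(version)}/${name}`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (res.status === 403) {
    // The role behind this token (or Public, if none) lacks "find" here.
    throw new Error(`forbidden: grant 'find' on ${name} to the token's role`);
  }
  if (!res.ok) throw new Error(`request failed: HTTP ${res.status}`);
  const body = await res.json();
  // v4 wraps entries as { data: [...], meta: {...} }; v3 returns a bare array.
  return version === 4 ? body.data : body;
}

// Usage against a real v3 instance with the post's example user:
//   login(STRAPI_URL, 3, "test@test.com", "test@123")
//     .then((jwt) => getCollection(STRAPI_URL, 3, "employees", jwt))
//     .then(console.log);
```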