Authenticated Requests to Strapi

Written by Sujay Prabhu on April 21, 2022, tagged under Strapi,

This blog covers how to make requests to Strapi endpoints as an authenticated user in Strapi v3 & v4.

Before starting, I have created Employees collection type and added some employees.

With Strapi v3

  • Lets try to fetch employee details by making a GET request
// Request

curl --request GET 'http://localhost:1337/employees'

// Response

    "statusCode": 403,
    "error": "Forbidden",
    "message": "Forbidden"
  • As collections are restricted by default, it cannot be accessed as a Public user resulting in 403 status code.
  • To get rid of the Forbidden error, lets add permission to /employees endpoint by enabling:
Settings -> Users & Permissions plugin -> Roles -> Authenticated -> Employees -> find
  • A JWT token should be added to API request to fetch data from restricted endpoints
  • To get the JWT token, create a user and get the user authenticated.
// Request

curl --request POST 'localhost:1337/auth/local' \
--form 'identifier=""' \
--form 'password="test@123"'

// Response

    "jwt": TOKEN,
    "user": {
        "id": 3,
        "username": "test",
        "email": "",
        "provider": "local",
        "confirmed": false,
        "blocked": false,
        "role": {
            "id": 1,
            "name": "Authenticated",
            "description": "Default role given to authenticated user.",
            "type": "authenticated"
        "created_at": "2022-04-21T14:01:32.672Z",
        "updated_at": "2022-04-21T14:01:32.679Z"

  • Now, add the JWT token obtained in last step to our first step request's Authorization header
// Request

curl --request GET 'localhost:1337/employees' \
--header 'Authorization: Bearer TOKEN'

// Response

        "id": 1,
        "name": "test",
        "age": null,
        "published_at": "2022-04-13T06:27:46.430Z",
        "created_at": "2022-04-13T06:27:44.423Z",
        "updated_at": "2022-04-13T06:27:46.441Z"

With Strapi v4

In Strapi v4, they have added another way to get the restricted content.

  • First way is same as the v3's, based on roles and Permissions.
  • This approach can be followed when the requirement is to restrict contents based on roles.
  • Learn more about authenticated requests to Strapi by assigning permissions to roles here
Note: In Strapi v4, endpoint is changed to `localhost:1337/api/employees`
  • Second way is by making use of API tokens, which is a built-in feature in Strapi v4.
  • This allows executing request on restricted endpoints as an authenticated user without the hassle of roles and permissions.
  • To generate API tokens, click on
Settings -> API tokens -> Create new token
  • Copy the token generated and add it to request's Authorization header
// Request

curl --request GET 'localhost:1337/api/employees' \
--header 'Authorization: Bearer API_TOKEN'

// Response

    "data": [
            "id": 1,
            "attributes": {
                "name": "test",
                "age": 50,
                "createdAt": "2022-04-18T15:46:02.760Z",
                "updatedAt": "2022-04-18T15:46:06.891Z",
                "publishedAt": "2022-04-18T15:46:06.887Z"
    "meta": {
        "pagination": {
            "page": 1,
            "pageSize": 25,
            "pageCount": 1,
            "total": 1
  • Learn more about making authenticated requests to Strapi using API tokens here