| | `apiToken.secrets.encryptionKey` | Encryption key used to set API token visibility in the admin panel. When set, token keys remain viewable at any time by the token's owner. | string | Random string | | ||
| :::tip | ||
| Admin tokens — the new kind of API token for programmatic access to the Admin API — are configured entirely from the admin panel. No additional code-based configuration is required beyond the parameters above (see [Admin tokens](/cms/features/admin-tokens)). |
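Review bot: the tip's closing clause "No additional code-based configuration is required beyond the parameters above" contradicts its opening claim that Admin tokens are "configured entirely from the admin panel"; say plainly that the `apiToken.secrets.encryptionKey` row above applies to Admin tokens as well. In that row, "Encryption key used to set API token visibility" describes an effect rather than what the key does; reword to say it encrypts the stored token key so the owner can view it again later, and replace "Random string" with guidance on generating a cryptographically random value, since this key protects every stored token.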
Because admin tokens are a new kind of API token, they actually inherit the configuration defined above.
| Minimum "Access the Admin tokens settings page" in Roles > Settings - Admin tokens | ||
| </IdentityCardItem> | ||
| <IdentityCardItem icon="toggle-right" title="Activation"> | ||
| Available and activated by default |
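Review bot: "Available and activated by default" on the Activation line conflicts with the Permissions line just above it, which requires at least "Access the Admin tokens settings page"; state which role has that permission out of the box and that any other role must be granted it under Roles > Settings - Admin tokens, otherwise readers will expect every admin user to see the page.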
Activated by default for Super Admin. Each lower-level role needs an explicit grant.
| ## Configuration | ||
| Admin tokens are configured entirely from the admin panel. No code-based configuration is specific to Admin tokens. The shared salt and encryption key that apply to all token kinds are set via `apiToken.salt` and `apiToken.secrets.encryptionKey` in your `/config/admin` file (see [API tokens](/cms/features/api-tokens#code-based-configuration)). |
There's actually a way to grant a token the ability to configure other tokens, but not sure we want to document that. We might want to hide/remove this capability from the admin panel.
| ### Creating a new Admin token | ||
| 1. Click on the **Add new Admin Token** button. |
Copy of those labels will move to "Create new Admin Token"
| :::caution | ||
| The plaintext token key is shown only once, immediately after creation or regeneration. The `admin.secrets.encryptionKey` configuration that makes Content API token keys persistently viewable does not apply to Admin tokens. Admin token keys are always restricted to the token owner, regardless of encryption configuration. | ||
| ::: |
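Review bot: the caution names the setting `admin.secrets.encryptionKey`, while the Configuration section and the config table earlier in this PR call it `apiToken.secrets.encryptionKey`; one of the two identifiers is wrong and the page should use a single name throughout. The caution also states the plaintext key is shown only once and that the encryption key does not apply to Admin tokens, which directly contradicts the table row saying that when the key is set "token keys remain viewable at any time by the token's owner"; settle which behaviour ships before merging, since readers will size their rotation and storage procedures on this sentence.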
This is not true in the last version. We reproduced the Content API token behavior, where view can be invoked anytime. Main diff still: the owner is the only user capable of seeing the token value.
| ### Managing Admin tokens | ||
| Admin tokens have a dedicated settings page at <Icon name="gear-six" /> _Settings > Administration Panel > Admin Tokens_. The Admin Tokens page and the API Tokens page are independent interfaces, not filtered views of a shared list. |
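Review bot: "independent interfaces, not filtered views of a shared list" makes a claim about the storage model that readers cannot act on and that may not hold; keep the user-visible statement (an Admin token never appears on the API Tokens page and an API token never appears on the Admin Tokens page) and drop the assertion about the underlying list.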
Technically they are the same table, but with a discriminated union on kind.
| :::caution Owner account deactivation and deletion | ||
| * If the token owner's account is deleted, all Admin tokens owned by that user are automatically deleted along with their associated permissions. There is no recovery path. Rotate and replace Admin tokens before offboarding a team member who owns them. | ||
| * If the token owner's account is deactivated or blocked, any request authenticated with that owner's Admin token returns `401 Token owner is deactivated`. The token itself is not deleted. Re-activating or unblocking the owner restores token functionality. |
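Review bot: the second bullet documents a literal `401 Token owner is deactivated` response; if that string is exact it tells whoever holds the token that the owning account is disabled, which is more than a 401 normally reveals, so either confirm the shipped wording or describe the outcome generically ("the request is rejected with 401"). The bullet should also spell out the consequence of "Re-activating or unblocking the owner restores token functionality": tokens survive deactivation and silently regain access later, so offboarding guidance must say to revoke or rotate the tokens rather than rely on deactivating the account.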
I don't think we disclose such a detailed error. May be a good addition.
| ## Usage | ||
| Admin tokens authenticate requests to Strapi Admin API. Once you have [created and copied an Admin token](#creating-a-new-admin-token), add it to the `Authorization` header of your request using `Bearer` syntax: | ||
| ```bash title="Example: authenticated Admin API request" | ||
| curl -X GET \ | ||
| https://your-strapi-instance.com/admin/content-manager/collection-types/api::article.article \ | ||
| -H "Authorization: Bearer your-admin-token" | ||
| ``` | ||
| :::caution | ||
| Never expose Admin tokens in client-side code. Store them in a secrets manager or environment variable. | ||
| ::: No newline at end of file |
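Review bot: the curl example puts the token literal on the command line (`-H "Authorization: Bearer your-admin-token"`), which ends up in shell history and is visible in the process list, while the caution directly below tells readers to keep tokens in a secrets manager or environment variable; make the example follow its own advice, e.g. `-H "Authorization: Bearer $STRAPI_ADMIN_TOKEN"` (variable name is a suggestion), and drop the redundant `-X GET`. Since the reviewer thread notes the Admin API is not a public API yet, the `/admin/content-manager/collection-types/api::article.article` path should also be flagged as subject to change rather than presented as a stable endpoint.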
We probably want to remove this section
There's something a bit strange with the Admin tokens feature because they actually open access to the Admin API while the Admin API is not a public API just yet. I don't know how we should present that aspect, especially until we release the MCP server, where the Admin tokens will make total sense.
We'll change a bit the copy on that page. I don't know how important that will be for those screenshots.
To document the new Admin tokens (strapi/strapi PR #25657) that will serve as preliminary work for the upcoming Strapi MCP, this PR updates the CMS documentation with the following changes: