| :::caution Owner account deactivation and deletion | ||
|
|
||
| * If the token owner's account is deleted, all Admin tokens owned by that user are automatically deleted along with their associated permissions. There is no recovery path. Rotate and replace Admin tokens before offboarding a team member who owns them. | ||
| * If the token owner's account is deactivated or blocked, any request authenticated with that owner's Admin token returns `401 Token owner is deactivated`. The token itself is not deleted. Re-activating or unblocking the owner restores token functionality. |
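Review bot: The second bullet (deactivated or blocked owner) tells the reader that the token is not deleted and works again once the owner is re-activated or unblocked, but unlike the first bullet it gives no action to take. Because deactivation only suspends the token, consider adding a sentence telling admins to rotate or remove the token itself when access is meant to end for good, mirroring the "Rotate and replace Admin tokens before offboarding" advice in the first bullet.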
I don't think we disclose such a detailed error. May be a good addition.
| ## Usage | ||
|
|
||
| Admin tokens authenticate requests to Strapi Admin API. Once you have [created and copied an Admin token](#creating-a-new-admin-token), add it to the `Authorization` header of your request using `Bearer` syntax: | ||
|
|
||
| ```bash title="Example: authenticated Admin API request" | ||
| curl -X GET \ | ||
| https://your-strapi-instance.com/admin/content-manager/collection-types/api::article.article \ | ||
| -H "Authorization: Bearer your-admin-token" | ||
| ``` | ||
|
|
||
| :::caution | ||
| Never expose Admin tokens in client-side code. Store them in a secrets manager or environment variable. | ||
| ::: No newline at end of file |
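Review bot: The curl example passes the token as a literal in `-H "Authorization: Bearer your-admin-token"`, a pattern readers will copy into shell history and scripts, which is at odds with the caution right below it ("Store them in a secrets manager or environment variable"). Suggest having the example read the token from an environment variable, for example `-H "Authorization: Bearer $STRAPI_ADMIN_TOKEN"` (the variable name is only a suggestion), so the sample follows the page's own advice. The file also ends without a trailing newline after the closing `:::`.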
We probably want to remove this section
Hey Nico, thanks for the feedback! For structure parity with other features pages, I need a Usage section (what's a feature if you can't use it or don't know how to use it, right? 😅 )
But considering we might not want to disclose any admin route for now since the API is not public yet, I updated this section with a much more generic usage definition. WDYT?

There's something a bit strange with the admin tokens feature because they are actually opening the access to the admin api while the admin API is not a public API just yet. I don't know how we should present that aspect, especially until we release the MCP server where the admin tokens will make total sense with it.
We'll change the copy on that page a bit. I don't know how important that will be for those screenshots.
- Update IdentityCard: Super Admin default, explicit grant for other roles
- Rename button to "Create new Admin Token"
- Clarify token storage (same table, kind discriminator)
- Allow any authorized user to view tokens
- Remove specific error message disclosure
- Scope Usage section to Bearer pattern + MCP server context
- Add FeatureFlagBadge with TODO placeholder
- Add admin tokens row to features configuration table

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove curl example and Admin API reference since the Admin API is not yet public. Keep the section for template consistency, following the same structure as the API tokens page.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The page does not exist yet.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

To document the new Admin tokens (strapi/strapi PR #25657) that will serve as preliminary work for the upcoming Strapi MCP, this PR updates the CMS documentation with the following changes: