# Authenticated request
Learn how to make API requests as an authenticated user.
# Introduction
This guide shows you how to assign roles and permissions to multiple users and authenticate API requests with JSON Web Tokens (JWT).
To demonstrate how roles work, you will create two different roles and grant each role certain permissions.
Authors can fetch, create, and update Articles; Readers can only fetch Articles.
# Project Setup
To follow along, you must have a Strapi project. If you don’t have a Strapi project, run the following command:
After creating your Strapi project, you will be redirected to your project’s admin panel.
# Create a new Collection Type
Create an Articles collection type.
To create a new collection:
- In the left sidebar, select Content-Type Builder.
- Select + Create new collection type.
- In the Display Name field, enter “Articles”.
  - In the API ID (Singular) field, enter “article”.
  - In the API ID (Plural) field, enter “articles”.
- Select Continue.
- Select Text.
- In the Name field, enter “title”, select Short text, and select Finish.
- Select Add another field to this collection type and select Rich text.
- In the Name field, enter “content” and select Finish.
- Select Save.
With your Articles content type ready, create some sample articles:
- Go to Content Manager.
- Under COLLECTION TYPES, select Articles.
- Select + Create new entry.
- Enter a title and some sample text in the content textbox.
- Select Save and then Publish.
# Create Roles and Permissions
Create an Author role and manage its permissions:
- From the left sidebar, select Settings.
- Under Users & Permissions Plugin, select Roles.
- Select + Add new role.
- In the Name field, enter “Author” and enter a Description (for example, “User with author permissions”).
- Select the Article content type and Select All.
- Select Save.
Create another role called Reader by repeating the steps above, but only select find and findOne from the Article content type permissions.
✏️ NOTE
Roles are authenticated by default.
# Create users
Create two users with the following data.
| User 1 | User Data |
|---|---|
| username | author |
| email | author@strapi.io |
| password | strapi |
| role | Author |

| User 2 | User Data |
|---|---|
| username | reader |
| email | reader@strapi.io |
| password | strapi |
| role | Reader |
# Log in as a Reader
To log in as a user with the role of Reader, send a POST request to the `/api/auth/local` API route.
If your request is successful, you will receive the user's JWT in the `jwt` key:
```json
{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiaWF0IjoxNTc2OTM4MTUwLCJleHAiOjE1Nzk1MzAxNTB9.UgsjjXkAZ-anD257BF7y1hbjuY3ogNceKfTAQtzDEsU",
  "user": {
    "id": 1,
    "username": "reader",
    ...
  }
}
```
Save the JWT in your application or copy it to your clipboard. You will use it to make future requests.
✏️ NOTE
See the login documentation for more information.
# Fetch articles
Fetch the Articles you created earlier by sending a GET request to the `/articles` route:
Your response will return a `403 Forbidden` error.
When a user sends an unauthorized request (a request that omits an `Authorization` header), Strapi assigns that user a Public role by default.
To authenticate a user’s request, use the bearer authentication scheme by including an `Authorization` header signed with the user’s JWT (`Bearer [JWT Token]`):
```js
import axios from 'axios';

const { data } = await axios.get('http://localhost:1337/api/articles', {
  headers: {
    Authorization:
      'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiaWF0IjoxNTc2OTM4MTUwLCJleHAiOjE1Nzk1MzAxNTB9.UgsjjXkAZ-anD257BF7y1hbjuY3ogNceKfTAQtzDEsU',
  },
});
console.log(data);
```
With your bearer token included in the `Authorization` header, you will receive a `Status: 200 OK` response and a payload containing your articles.
# Create an Article
Now, create an Article by sending a POST request to the `/api/articles` route:
You will receive a `403 Forbidden` response because you made this request as a user with the role Reader.
Only users with the role Author can create Articles. Sign in with the Author user credentials to receive your JWT. Then, send the POST request to the `/articles` endpoint by including the JWT in the `Authorization` header.
You will receive a `200 OK` response and see your new article in the payload.
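As an added example (not code from the Strapi documentation), here is a small client covering the whole flow above: logging in at `/api/auth/local`, decoding the token payload to check `exp` before reusing a stored token, and sending bearer-authenticated GET and POST requests to `/api/articles`, with a 403 mapped to a permission error. It assumes a Strapi v4 instance at `http://localhost:1337` and the `identifier`/`password` body that Strapi's login route accepts; `fetchImpl` is injectable so the functions can be exercised against a stub.

```javascript
const BASE_URL = 'http://localhost:1337'; // assumed local Strapi instance

// Decode the JWT payload (base64url-encoded JSON). The payload is signed, not
// encrypted: anyone holding the token can read it, so never store secrets in it.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Client-side expiry check so a stale token is replaced before the request
// goes out; the server's signature and expiry checks remain the real authority.
function isExpired(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(jwt);
  return typeof exp !== 'number' || exp <= nowSeconds;
}

// Build an authenticated request. Strapi v4 expects entry fields wrapped in a
// `data` key on create and update requests.
function buildAuthRequest(jwt, method, path, entry) {
  const headers = { Authorization: `Bearer ${jwt}` };
  const init = { method, headers };
  if (entry !== undefined) {
    headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify({ data: entry });
  }
  return { url: `${BASE_URL}${path}`, init };
}

// POST /api/auth/local; `identifier` is the username or email. Returns the JWT.
async function login(identifier, password, fetchImpl = fetch) {
  const res = await fetchImpl(`${BASE_URL}/api/auth/local`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ identifier, password }),
  });
  if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
  return (await res.json()).jwt;
}

// Send an authenticated request. A 403 means the user's role (e.g. Reader)
// lacks the permission for this action, as the guide describes.
async function apiRequest(jwt, method, path, entry, fetchImpl = fetch) {
  const { url, init } = buildAuthRequest(jwt, method, path, entry);
  const res = await fetchImpl(url, init);
  if (res.status === 403) throw new Error(`forbidden: role cannot ${method} ${path}`);
  if (!res.ok) throw new Error(`request failed: HTTP ${res.status}`);
  return res.json();
}
```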