diff --git a/docusaurus/docs/cms/configurations/admin-panel.md b/docusaurus/docs/cms/configurations/admin-panel.md index 3738dbf84b..f512d0215b 100644 --- a/docusaurus/docs/cms/configurations/admin-panel.md +++ b/docusaurus/docs/cms/configurations/admin-panel.md @@ -106,7 +106,7 @@ module.exports = ({ env }) => ({ -```js title="/config/admin.ts" +```ts title="/config/admin.ts" export default ({ env }) => ({ host: "my-host.com", port: 3000, @@ -208,7 +208,7 @@ module.exports = ({ env }) => ({ -```js title="/config/server.ts" +```ts title="/config/server.ts" export default ({ env }) => ({ host: env("HOST", "0.0.0.0"), port: env.int("PORT", 1337), @@ -216,7 +216,7 @@ export default ({ env }) => ({ }); ``` -```js title="/config/admin.ts" +```ts title="/config/admin.ts" export default ({ env }) => ({ /** * Note: The administration will be accessible from the root of the domain 
@@ -239,10 +239,14 @@ With this configuration: The [API tokens](/cms/features/api-tokens) feature can be configured with the following parameters: -| Parameter | Description | Type | Default | -|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------------------------------------------------------------------------------| -| `apiToken.salt` | Salt used to generate API tokens | string | Random string | -| `apiToken.secrets.encryptionKey` | Encryption key used to set API tokens visibility in the admin panel | string | Random string | +| Parameter | Description | Type | Default | +|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------| +| `apiToken.salt` | Salt used to generate API tokens (applies to both `content-api` and `admin` token kinds). | string | Random string | +| `apiToken.secrets.encryptionKey` | Encryption key used to set API token visibility in the admin panel. When set, token keys remain viewable at any time by the token's owner. | string | Random string | + +:::tip +Admin tokens — the new kind of API token for programmatic access to the Admin API — are configured entirely from the admin panel. No additional code-based configuration is required beyond the parameters above (see [Admin tokens](/cms/features/admin-tokens)). +::: ## Audit logs @@ -592,4 +596,4 @@ export default ({ env }) => ({ - \ No newline at end of file + diff --git a/docusaurus/docs/cms/configurations/features.md b/docusaurus/docs/cms/configurations/features.md index a97d6315d6..15bdc9a44a 100644 --- a/docusaurus/docs/cms/configurations/features.md 
+++ b/docusaurus/docs/cms/configurations/features.md @@ -20,7 +20,7 @@ The `config/features.js|ts` file is used to enable feature flags. Currently this Some incoming Strapi features are not yet ready to be shipped to all users, but Strapi still offers community users the opportunity to provide early feedback on these new features or changes. With these experimental features, developers have the flexibility to choose and integrate new features and changes into their Strapi applications as they become available in the current major version as well as assist us in shaping these new features. -Such experimental features are indicated by a badge throughout the documentation, where the name of the feature flag to use is included in the badge (e.g., ). Enabling these features requires enabling the corresponding future flags. Future flags differ from features that are in alpha in that future flags are disabled by default. +Such experimental features are indicated by a badge throughout the documentation, where the name of the feature flag to use is included in the badge (e.g., ). Enabling these features requires enabling the corresponding future flags. Future flags differ from features that are in alpha in that future flags are disabled by default. :::danger Enable future flags at your own risk. Experimental features may be subject to change or removal, may contain breaking changes, may be unstable or not fully ready for use, and some parts may still be under development or using mock data. 
@@ -112,3 +112,5 @@ Developers can use the following APIs to interact with future flags: | Property name | Related feature | Suggested environment variable name | | ------------- | --------------- | ---------------------------------- | | `experimental_firstPublishedAt` | [Draft & Publish](/cms/features/draft-and-publish#recording-the-first-publication-date) | `STRAPI_FUTURE_EXPERIMENTAL_FIRST_PUBLISHED_AT` | +| `adminTokens` | [Admin Tokens](/cms/features/admin-tokens) | `STRAPI_FUTURE_ADMIN_TOKENS` | + diff --git a/docusaurus/docs/cms/features/admin-tokens.md b/docusaurus/docs/cms/features/admin-tokens.md new file mode 100644 index 0000000000..e63113aec8 --- /dev/null +++ b/docusaurus/docs/cms/features/admin-tokens.md @@ -0,0 +1,126 @@ +--- +title: Admin Tokens +description: Learn how to use Admin tokens to authenticate programmatic access to the Strapi Admin API. +toc_max_heading_level: 4 +displayed_sidebar: cmsSidebar +tags: + - admin tokens + - admin panel + - authentication + - RBAC + - features +--- + +# Admin Tokens + + + +Admin tokens authenticate programmatic access to the Strapi Admin API. Each token is scoped to a subset of its owner's permissions and is designed for automation workflows such as MCP agents, CI/CD pipelines, and scripts. + + +Admin tokens allow automated clients to authenticate requests to the Strapi Admin API. For authenticating requests to the Content API, see [API Tokens](/cms/features/api-tokens). + +Admin tokens and API tokens are strictly separated: each is rejected on the other's routes. + + + + Free feature + + + Activated by default for Super Admin. Each lower-level role needs an explicit permission grant in Roles > Settings - Admin tokens. + + + Requires enabling the corresponding future flag,
see [Features configuration](/cms/configurations/features) +
+ + Available in both Development & Production environment + +
+ + + + +## Configuration + +Admin tokens are configured entirely from the admin panel. No code-based configuration is specific to Admin tokens. The shared salt and encryption key that apply to all token kinds are set via `apiToken.salt` and `apiToken.secrets.encryptionKey` in your `/config/admin` file (see [API tokens](/cms/features/api-tokens#code-based-configuration)). + +**Path to configure the feature:** _Settings > Administration Panel > Admin Tokens_ + +### Creating a new Admin token + +1. Click on the **Create new Admin Token** button. +2. In the token creation form, configure the new Admin token: + + | Setting name | Instructions | + | --- | --- | + | Name | Write the name of the token. | + | Description | (optional) Write a description for the token. | + | Token duration | Choose a duration: _7 days_, _30 days_, _90 days_, or _Unlimited_. | +3. Define which admin actions this token can perform: + - Click the tabs below the form to browse permission categories. + - Use the checkboxes to enable or disable individual permissions. + + :::note + Permissions that the current user does not hold appear disabled and cannot be selected. Conditions applied to the owner's role are shown as read-only and apply automatically to the token. + ::: +4. Click on the **Save** button. The new Admin token will be displayed at the top of the interface, along with a copy button . + + + + +:::caution +The plaintext token key is shown only once, immediately after creation or regeneration. The `admin.secrets.encryptionKey` configuration that makes Content API token keys persistently viewable does not apply to Admin tokens. Admin token keys are always restricted to the token owner, regardless of encryption configuration. +::: + +### Managing Admin tokens + +Admin tokens have a dedicated settings page at _Settings > Administration Panel > Admin Tokens_. 
Admin tokens and API tokens are stored in the same database table (differentiated by a `kind` field) but are managed through independent interfaces in the admin panel. + +The Admin Tokens page displays an **Owner** column showing the display name of each token's owner. + +Any user with access to the Admin Tokens settings page can view Admin tokens. A token can only be edited or deleted by its owner or a super-admin. + +When a super-admin views an Admin token owned by another user, a read-only **Owner** field appears in the token details panel. The permissions panel shows only the checkboxes within the token owner's permission scope, not the super-admin's unrestricted access. + +Removing a permission from a role causes admin tokens owned by users of that role to have the corresponding permission deleted automatically. + +:::caution Owner account deactivation and deletion + +* If the token owner's account is deleted, all Admin tokens owned by that user are automatically deleted along with their associated permissions. There is no recovery path. Rotate and replace Admin tokens before offboarding a team member who owns them. +* If the token owner's account is deactivated or blocked, any request authenticated with that owner's Admin token is rejected. The token itself is not deleted. Re-activating or unblocking the owner restores token functionality. +::: + +#### Regenerating an Admin token + +The **Regenerate** button is only visible to the token's owner. Other users, including super-admins, do not see this button for tokens they do not own. + +To regenerate an Admin token: + +1. Click on the Admin token's edit button. +2. Click on the **Regenerate** button. +3. Click on the **Regenerate** button to confirm in the dialog. +4. Copy the new Admin token displayed at the top of the interface. + +## Usage + +Using Admin tokens allows executing a request on Strapi's admin routes as an authenticated user. 
+ +Admin tokens can be helpful to give access to people or applications without managing a user account, for instance to connect an MCP server or a CI/CD pipeline. + +When performing a request to Strapi's admin routes, the Admin token should be added to the request's `Authorization` header with the following syntax: `bearer your-admin-token`. + +:::caution +Never expose Admin tokens in client-side code. Store them in a secrets manager or environment variable. +::: \ No newline at end of file diff --git a/docusaurus/docs/cms/features/api-tokens.md b/docusaurus/docs/cms/features/api-tokens.md index 8a5258ac99..aad4adbee9 100644 --- a/docusaurus/docs/cms/features/api-tokens.md +++ b/docusaurus/docs/cms/features/api-tokens.md @@ -1,6 +1,7 @@ --- title: API Tokens -description: Learn how you can use API tokens to manage end-users authentication. +description: Learn how to use content-api tokens to authenticate REST and GraphQL API requests in Strapi. +displayed_sidebar: cmsSidebar sidebar_position: 2 toc_max_heading_level: 5 tags: 
@@ -14,28 +15,27 @@ tags: # API Tokens -API tokens provide scoped authentication for REST and GraphQL requests without exposing user credentials. This documentation explains token types, creation, expiration, and secure usage within the admin panel. +API tokens authenticate external requests to the Strapi Content API without exposing user credentials. Each token is scoped to a set of permissions and expires after a configurable duration. -API tokens allow users to authenticate REST and GraphQL API queries (see [APIs introduction](/cms/api/content-api)). +API tokens allow external clients to authenticate requests to the Strapi [Content API](/cms/api/content-api). For programmatic access to the Admin API, see [Admin Tokens](/cms/features/admin-tokens). + +API tokens and Admin tokens are strictly separated: a Content API token is rejected on admin routes, and an admin token is rejected on Content API routes. :::caution Security -Prefer read‑only tokens for public access, scope server tokens to only what you need, rotate long‑lived tokens, and store them in a secrets manager. Never expose admin tokens in client‑side code. +Prefer read-only tokens for public access, scope tokens to only what you need, rotate long-lived tokens, and store them in a secrets manager. ::: Free feature - - + Minimum "Access the API tokens settings page" in Roles > Settings - API tokens - Available by default - Available in both Development & Production environment 
@@ -57,12 +57,12 @@ Most configuration options for API tokens are available in the admin panel, and **Path to configure the feature:** _Settings > Global settings > API Tokens_ -The _API Tokens_ interface displays a table listing all of the created API tokens. More specifically, it displays each API token's name, description, date of creation, and date of last use. +The _API Tokens_ interface displays a table listing all created content-api tokens. From there, you have the possibility to: -- click on the to edit an API token's name, description, type, duration or [regenerate the token](#regenerating-an-api-token). -- click on the to delete an API token. +- click on the to edit a token's name, description, type, duration or [regenerate the token](#regenerating-an-api-token). +- click on the to delete a token. :::note Strapi pre-generates 2 API tokens for you, a Full access one and a Read-only one. Since tokens can be only seen once without encryption configured, you may want to [regenerate](#regenerating-an-api-token) them after setting up an encryption key to make them permanently viewable. @@ -72,6 +72,7 @@ Strapi pre-generates 2 API tokens for you, a Full access one and a Read-only one 1. Click on the **Create new API Token** button. 2. In the API token edition interface, configure the new API token: + | Setting name | Instructions | | -------------- | ------------------------------------------------------------------------ | | Name | Write the name of the API token. | @@ -135,7 +136,7 @@ module.exports = ({ env }) => ({ -```js title="/config/admin.ts" +```ts title="/config/admin.ts" export default ({ env }) => ({ // other config parameters secrets: { 
@@ -149,6 +150,10 @@ export default ({ env }) => ({ This key is used to encrypt and decrypt token values. Without this key, tokens remain usable, but will not be viewable after initial display. New Strapi projects will have this key automatically generated. +:::tip +For automation workflows that need to call the Admin API programmatically, use admin tokens instead. See [Admin Tokens](/cms/features/admin-tokens) for the full documentation. +::: + ## Usage Using API tokens allows executing a request on [REST API](/cms/api/rest) or [GraphQL API](/cms/api/graphql) endpoints as an authenticated user. diff --git a/docusaurus/docs/cms/features/rbac.md b/docusaurus/docs/cms/features/rbac.md index 4705e08da0..983c1cd396 100644 --- a/docusaurus/docs/cms/features/rbac.md +++ b/docusaurus/docs/cms/features/rbac.md @@ -156,13 +156,14 @@ Settings permissions can be configured for all settings accessible from *General | Email |
  • General
    • "Access the Email settings page" - gives access to Email settings
👉 Path reminder to Email settings:
*General > Settings > Users & Permissions plugin - Email templates* | | Media Library |
  • General
    • "Access the Media Library settings page" - gives access to Media Library settings
👉 Path reminder to Media Library settings:
*General > Settings > Global Settings - Media Library* | | Internationalization |
  • Locales
    • "Create" - allows to create new locales
    • "Read" - allows to see available locales
    • "Update" - allows to edit available locales
    • "Delete" - allows to delete locales
👉 Path reminder to the Internationalization settings:
*General > Settings > Global Settings - Internationalization* | -| Review Workflows |
  • "Create" - allows to create workflows
  • "Read" - allows to see created workflows
  • "Update" - allows to edit workflows
  • "Delete" - allows to delete workflows
👉 Path reminder to Review workflows settings:
*General > Settings > Global Settings - Review workflows* | -| Single sign on |
  • Options
    • "Read" - allows to access the SSO settings
    • "Update" - allows to edit the SSO settings
👉 Path reminder to the SSO settings:
*General > Settings > Global Settings - Single Sign-On* | +| Review Workflows |
  • "Create" - allows to create workflows
  • "Read" - allows to see created workflows
  • "Update" - allows to edit workflows
  • "Delete" - allows to delete workflows
👉 Path reminder to Review workflows settings:
*General > Settings > Global Settings - Review workflows* | +| Single sign on |
  • Options
    • "Read" - allows to access the SSO settings
    • "Update" - allows to edit the SSO settings
👉 Path reminder to the SSO settings:
*General > Settings > Global Settings - Single Sign-On* | | Audit Logs |
  • Options
    • "Read" - allows to access the Audit Logs settings
👉 Path reminder to the Audit Logs settings:
*General > Settings > Admin Panel - Audit Logs* | | Plugins and Marketplace |
  • Marketplace
    • "Access the Marketplace" - gives access to the Marketplace
| | Webhooks |
  • General
    • "Create" - allows to create webhooks
    • "Read" - allows to see created webhooks
    • "Update" - allows to edit webhooks
    • "Delete" - allows to delete webhooks
👉 Path reminder to Webhook settings:
*General > Settings > Global Settings - Webhook* | | Users and Roles |
  • Users
    • "Create (invite)" - allows to create administrator accounts
    • "Read" - allows to see existing administrator accounts
    • "Update" - allows to edit administrator accounts
    • "Delete" - allows to delete administrator accounts
  • Roles
    • "Create" - allows to create administrator roles
    • "Read" - allows to see created administrator roles
    • "Update" - allows to edit administrator roles
    • "Delete" - allows to delete administrator roles
👉 Path reminder to the RBAC feature:
*General > Settings > Administration Panel* | | API Tokens |
  • API tokens
    • "Access the API tokens settings page" - toggles access to the API tokens page
  • General
    • "Create (generate)" - allows the creation of API tokens
    • "Read" - allows you to see created API tokens (disabling this permission will disable access to the *Global Settings - API Tokens* settings)
    • "Update" - allows editing of API tokens
    • "Delete (revoke)" - allows deletion of API tokens
    • "Regenerate" - allows regeneration of the API token
👉 Path reminder to API Tokens settings:
*General > Settings > Global Settings - API Tokens* | +| Admin Tokens |
  • Admin tokens
    • "Access the Admin tokens settings page" - toggles access to the Admin Tokens page
  • General
    • "Create (generate)" - allows the creation of Admin tokens
    • "Read" - allows you to see created Admin tokens
    • "Update" - allows editing of Admin tokens
    • "Delete (revoke)" - allows deletion of Admin tokens
    • "Regenerate" - allows regeneration of Admin tokens
👉 Path reminder to Admin Tokens settings:
*General > Settings > Administration Panel - Admin Tokens* | | Project |
  • General
    • "Update the project level settings" - allows to edit the settings of the project
    • "Read the project level settings" - gives access to settings of the project
| | Transfer Tokens |
  • Transfer tokens
    • "Access the Transfer tokens settings page" - toggles access to the Transfer tokens page
  • General
    • "Create (generate)" - allows the creation of Transfer tokens
    • "Read" - allows you to see created Transfer tokens (disabling this permission will disable access to the *Global Settings - Transfer Tokens* settings)
    • "Update" - allows editing of Transfer tokens
    • "Delete (revoke)" - allows deletion of Transfer tokens
    • "Regenerate" - allows regeneration of the Transfer token
👉 Path reminder to Transfer Tokens settings:
*General > Settings > Global Settings - Transfer Tokens* | diff --git a/docusaurus/sidebars.js b/docusaurus/sidebars.js index d56cc90c9f..dceb61b2f0 100644 --- a/docusaurus/sidebars.js +++ b/docusaurus/sidebars.js @@ -60,6 +60,7 @@ const sidebars = { label: 'API Tokens', id: 'cms/features/api-tokens', }, + 'cms/features/admin-tokens', { type: 'doc', label: 'Audit Logs', diff --git a/docusaurus/static/img/assets/settings/settings_admin-token-creation.png b/docusaurus/static/img/assets/settings/settings_admin-token-creation.png new file mode 100644 index 0000000000..5fca48d871 Binary files /dev/null and b/docusaurus/static/img/assets/settings/settings_admin-token-creation.png differ diff --git a/docusaurus/static/img/assets/settings/settings_admin-token-creation_DARK.png b/docusaurus/static/img/assets/settings/settings_admin-token-creation_DARK.png new file mode 100644 index 0000000000..a707af204c Binary files /dev/null and b/docusaurus/static/img/assets/settings/settings_admin-token-creation_DARK.png differ diff --git a/docusaurus/static/img/assets/settings/settings_admin-tokens-overview.png b/docusaurus/static/img/assets/settings/settings_admin-tokens-overview.png new file mode 100644 index 0000000000..3dda3c7135 Binary files /dev/null and b/docusaurus/static/img/assets/settings/settings_admin-tokens-overview.png differ diff --git a/docusaurus/static/img/assets/settings/settings_admin-tokens-overview_DARK.png b/docusaurus/static/img/assets/settings/settings_admin-tokens-overview_DARK.png new file mode 100644 index 0000000000..dc34b7dbed Binary files /dev/null and b/docusaurus/static/img/assets/settings/settings_admin-tokens-overview_DARK.png differ diff --git a/docusaurus/static/llms-full.txt b/docusaurus/static/llms-full.txt index a6c34f3400..5f7f3aa27a 100644 --- a/docusaurus/static/llms-full.txt +++ b/docusaurus/static/llms-full.txt 
@@ -7119,6 +7119,7 @@ Developers can use the following APIs to interact with future flags: | Property name | Related feature | Suggested environment variable name | | ------------- | --------------- | ---------------------------------- | | `experimental_firstPublishedAt` | [Draft & Publish](/cms/features/draft-and-publish#recording-the-first-publication-date) | `STRAPI_FUTURE_EXPERIMENTAL_FIRST_PUBLISHED_AT` | +| `adminTokens` | [Admin Tokens](/cms/features/admin-tokens) | `STRAPI_FUTURE_ADMIN_TOKENS` | @@ -7946,15 +7947,100 @@ If you prefer or are required to log in via an SSO provider, please refer to the +# Admin Tokens +Source: https://docs.strapi.io/cms/features/admin-tokens + +# Admin Tokens + +Admin tokens allow automated clients to authenticate requests to the Strapi Admin API. For authenticating requests to the Content API, see [API Tokens](/cms/features/api-tokens). + +Admin tokens and API tokens are strictly separated: each is rejected on the other's routes. + +
+ +## Configuration + +Admin tokens are configured entirely from the admin panel. No code-based configuration is specific to Admin tokens. The shared salt and encryption key that apply to all token kinds are set via `apiToken.salt` and `apiToken.secrets.encryptionKey` in your `/config/admin` file (see [API tokens](/cms/features/api-tokens#code-based-configuration)). + +**Path to configure the feature:** _Settings > Administration Panel > Admin Tokens_ + +### Creating a new Admin token + +1. Click on the **Create new Admin Token** button. +2. In the token creation form, configure the new Admin token: + + | Setting name | Instructions | + | --- | --- | + | Name | Write the name of the token. | + | Description | (optional) Write a description for the token. | + | Token duration | Choose a duration: _7 days_, _30 days_, _90 days_, or _Unlimited_. | +3. Define which admin actions this token can perform: + - Click the tabs below the form to browse permission categories. + - Use the checkboxes to enable or disable individual permissions. + + :::note + Permissions that the current user does not hold appear disabled and cannot be selected. Conditions applied to the owner's role are shown as read-only and apply automatically to the token. + ::: +4. Click on the **Save** button. The new Admin token will be displayed at the top of the interface, along with a copy button . + +:::caution +The plaintext token key is shown only once, immediately after creation or regeneration. The `admin.secrets.encryptionKey` configuration that makes Content API token keys persistently viewable does not apply to Admin tokens. Admin token keys are always restricted to the token owner, regardless of encryption configuration. +::: + +### Managing Admin tokens + +Admin tokens have a dedicated settings page at _Settings > Administration Panel > Admin Tokens_. 
Admin tokens and API tokens are stored in the same database table (differentiated by a `kind` field) but are managed through independent interfaces in the admin panel. + +The Admin Tokens page displays an **Owner** column showing the display name of each token's owner. + +Any user with access to the Admin Tokens settings page can view Admin tokens. A token can only be edited or deleted by its owner or a super-admin. + +When a super-admin views an Admin token owned by another user, a read-only **Owner** field appears in the token details panel. The permissions panel shows only the checkboxes within the token owner's permission scope, not the super-admin's unrestricted access. + +Removing a permission from a role causes admin tokens owned by users of that role to have the corresponding permission deleted automatically. + +:::caution Owner account deactivation and deletion + +* If the token owner's account is deleted, all Admin tokens owned by that user are automatically deleted along with their associated permissions. There is no recovery path. Rotate and replace Admin tokens before offboarding a team member who owns them. +* If the token owner's account is deactivated or blocked, any request authenticated with that owner's Admin token is rejected. The token itself is not deleted. Re-activating or unblocking the owner restores token functionality. +::: + +#### Regenerating an Admin token + +The **Regenerate** button is only visible to the token's owner. Other users, including super-admins, do not see this button for tokens they do not own. + +To regenerate an Admin token: + +1. Click on the Admin token's edit button. +2. Click on the **Regenerate** button. +3. Click on the **Regenerate** button to confirm in the dialog. +4. Copy the new Admin token displayed at the top of the interface. + +## Usage + +Using Admin tokens allows executing a request on Strapi's admin routes as an authenticated user. 
+ +Admin tokens can be helpful to give access to people or applications without managing a user account, for instance to connect an MCP server or a CI/CD pipeline. + +When performing a request to Strapi's admin routes, the Admin token should be added to the request's `Authorization` header with the following syntax: `bearer your-admin-token`. + +:::caution +Never expose Admin tokens in client-side code. Store them in a secrets manager or environment variable. +::: + + + # API Tokens Source: https://docs.strapi.io/cms/features/api-tokens # API Tokens -API tokens allow users to authenticate REST and GraphQL API queries (see [APIs introduction](/cms/api/content-api)). +API tokens allow external clients to authenticate requests to the Strapi [Content API](/cms/api/content-api). For programmatic access to the Admin API, see [Admin Tokens](/cms/features/admin-tokens). + +API tokens and Admin tokens are strictly separated: a Content API token is rejected on admin routes, and an admin token is rejected on Content API routes. :::caution Security -Prefer read‑only tokens for public access, scope server tokens to only what you need, rotate long‑lived tokens, and store them in a secrets manager. Never expose admin tokens in client‑side code. +Prefer read-only tokens for public access, scope tokens to only what you need, rotate long-lived tokens, and store them in a secrets manager. ::: 
@@ -7963,6 +8049,10 @@ Prefer read‑only tokens for public access, scope server tokens to only what yo This key is used to encrypt and decrypt token values. Without this key, tokens remain usable, but will not be viewable after initial display. New Strapi projects will have this key automatically generated. +:::tip +For automation workflows that need to call the Admin API programmatically, use admin tokens instead. See [Admin Tokens](/cms/features/admin-tokens) for the full documentation. +::: + ## Usage Using API tokens allows executing a request on [REST API](/cms/api/rest) or [GraphQL API](/cms/api/graphql) endpoints as an authenticated user. diff --git a/docusaurus/static/llms.txt b/docusaurus/static/llms.txt index 6f9e6b4054..878850eb59 100644 --- a/docusaurus/static/llms.txt +++ b/docusaurus/static/llms.txt 
@@ -80,7 +80,8 @@ - [Deployment](https://docs.strapi.io/cms/deployment): Deployment options cover hardware/software prerequisites, environment variable setup, and building the admin panel before launch. In the documentation: links to provider‑specific and advanced guides to help pick the right hosting strategy. - [Error handling](https://docs.strapi.io/cms/error-handling): Strapi’s APIs return errors in a consistent structure and let backend code throw custom exceptions for controllers, services, policies, or lifecycles. This documentation lists error classes, context helpers, and examples for crafting meaningful responses. - [Admin panel](https://docs.strapi.io/cms/features/admin-panel): The admin panel acts as Strapi’s back office for managing content types, entries, and both administrator and end‑user accounts. This documentation gives an overview of the admin panel before focusing on profile settings that manage interface language and mode, login and personal information, and logo for branding. -- [API Tokens](https://docs.strapi.io/cms/features/api-tokens): API tokens provide scoped authentication for REST and GraphQL requests without exposing user credentials. This documentation explains token types, creation, expiration, and secure usage within the admin panel. +- [Admin Tokens](https://docs.strapi.io/cms/features/admin-tokens): Admin tokens authenticate programmatic access to the Strapi Admin API. Each token is scoped to a subset of its owner's permissions and is designed for automation workflows such as MCP agents, CI/CD pipelines, and scripts. +- [API Tokens](https://docs.strapi.io/cms/features/api-tokens): API tokens authenticate external requests to the Strapi Content API without exposing user credentials. Each token is scoped to a set of permissions and expires after a configurable duration. 
- [Audit Logs](https://docs.strapi.io/cms/features/audit-logs): Audit Logs captures every administrative action in a searchable, filterable history to aid troubleshooting and compliance. In this documentation, examples show viewing payloads and filtering by user or date. - [Content History](https://docs.strapi.io/cms/features/content-history): Content History stores previous document versions so editors can compare and restore earlier states from the Content Manager. This documentation explains how to browse and restore workflows for quick rollback of mistakes. - [Content Manager](https://docs.strapi.io/cms/features/content-manager): The Content Manager is Strapi’s interface for browsing and editing entries. This documentation gives an overview of the Content Manager and explains the views and how to write content in fields, components, dynamic zones and relational fields.
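Review bot: In the admin-panel.md hunk at `@@ -239,10 +239,14 @@`, the new description for `apiToken.secrets.encryptionKey` ("When set, token keys remain viewable at any time by the token's owner.") conflicts with the new admin-tokens.md page, which states the encryption key does not apply to Admin tokens at all, and with api-tokens.md, which describes encrypted keys as "permanently viewable" with no owner restriction. Scope the sentence to the token kind it actually covers, e.g. "When set, content-api token keys remain viewable after creation. Admin token keys are never stored in a viewable form." so the three pages agree on what the key does.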
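Review bot: In the features.md hunk at `@@ -112,3 +112,5 @@`, the second added line is an empty `+` line after the table, leaving a stray trailing blank line at end of file; drop it. The `adminTokens` row itself is fine, but note that this is the only place the flag name appears, while admin-tokens.md tells readers to "enable the corresponding future flag" without naming it.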
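Review bot: In the new admin-tokens.md file (`@@ -0,0 +1,126 @@`), the "Configuration" section states "No code-based configuration is specific to Admin tokens", yet the feature badge above it says the feature requires enabling a future flag, which is code-based configuration in `config/features.js|ts`; add the `adminTokens` flag (`STRAPI_FUTURE_ADMIN_TOKENS`) to that section. The caution block refers to `admin.secrets.encryptionKey`, while the same page and admin-panel.md use `apiToken.secrets.encryptionKey`; use the real parameter name. The same caution says the key "is shown only once" and then that keys "are always restricted to the token owner", which reads as if the owner can retrieve it later; state plainly that nobody, the owner included, can view the key after creation or regeneration if that is the behaviour. "Any user with access to the Admin Tokens settings page can view Admin tokens" should say what is visible (name, description, owner, duration), since in a page about secrets "view" is easily read as "view the key". Finally, the file ends without a trailing newline (`\ No newline at end of file`).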
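Review bot: In the api-tokens.md hunk at `@@ -57,12 +57,12 @@`, "all created content-api tokens" introduces a lowercase hyphenated spelling, while the intro rewritten in the `@@ -14,28 +15,27 @@` hunk of the same file uses "Content API token"; pick one form (the route name `content-api` only when referring to the `kind` value, "Content API token" in prose) and apply it to the admin-tokens page too.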
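Review bot: In the rbac.md hunk at `@@ -156,13 +156,14 @@`, the "Review Workflows" and "Single sign on" rows are removed and re-added with no visible change, which looks like trailing-whitespace churn; revert those two rows so the hunk only adds the "Admin Tokens" row. In the added row, the "Read" bullet omits the note the "API Tokens" and "Transfer Tokens" rows carry ("disabling this permission will disable access to the ... settings"); either add the same note or confirm that Admin tokens behave differently, since the new page says the settings-page permission is what gates visibility.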
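Review bot: In the sidebars.js hunk at `@@ -60,6 +60,7 @@`, the new entry is the string shorthand `'cms/features/admin-tokens',` while its neighbours use the object form; for consistency (and to pin the sidebar label rather than derive it from frontmatter) use `{ type: 'doc', label: 'Admin Tokens', id: 'cms/features/admin-tokens' },`.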
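Review bot: In the llms-full.txt hunk at `@@ -7946,15 +7947,100 @@`, the pasted copy of the Admin Tokens page repeats the `admin.secrets.encryptionKey` name that should be `apiToken.secrets.encryptionKey`, and already differs from the source page (it drops the feature badges and the short description line). If this file is generated from the docs, regenerate it as part of the build instead of hand-editing so the two copies cannot drift; if it is maintained by hand, fix the key name here as well.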