Authenticated request

    To illustrate the concepts of the roles and permissions part, we will use several users and roles.

    After that we will see how to get a JWT and use it for an API request.

    We will have one group of users that will only be able to fetch Articles and another group that will be able to fetch, create and update Articles.

    Let's create a new Content Type Article

    • Click on Content Type Builder in the left menu
    • Then + Create new content-type
    • Fill Display name with article
    • Create 2 fields
      • Text short named title
      • Rich text named content
    • And save this new Content Type

    Then create some Articles from the Content Manager.

    We will create 2 new groups to manage the available actions for different kinds of users.

    • Click on Settings in the left menu
    • Then + Add New Role
    • Fill name with Author
    • Check Select All for the Application Article Content Type.
    • And save the new role

    And repeat the operation for the Reader group and check find, findOne and .

    User 1

    • username: author
    • email: author@strapi.io
    • password: strapi
    • role: Author

    User 2

    • username: reader
    • email: reader@strapi.io
    • password: strapi
    • role: Reader

    To log in as a user you will have to follow the login documentation.

    Here is the API route for authentication: /auth/local.

    You have to request it in POST.

    If you are using Postman for example you will have to set the body as raw with the JSON (application/json) type.

    {
      "identifier": "reader@strapi.io",
      "password": "strapi"
    }

    The API response contains the user’s JWT in the jwt key.

    Let’s fetch Articles you created.

    To do so, you will have to request the /articles route in GET.

    import axios from 'axios';

    // No Authorization header is sent, so Strapi treats this as a Public (unauthenticated) request
    const { data } = await axios.get('http://localhost:1337/articles');
    console.log(data);

    Here you should receive a 403 error because, as a Public user, you are not allowed to access the articles.

    You should send the JWT in the Authorization header of the request to say that you are accessing this data as the Reader user.

    And tada you have access to the data.

    To create an Article, you will have to request the /articles route in POST.

    import axios from 'axios';

    // The article fields are the request body (second argument). The JWT goes in the
    // Authorization header of the request config (third argument), never in the body.
    const { data } = await axios.post(
      'http://localhost:1337/articles',
      {
        title: 'my article',
        content: 'my super article content',
      },
      {
        headers: {
          Authorization: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiaWF0IjoxNTc2OTM4MTUwLCJleHAiOjE1Nzk1MzAxNTB9.UgsjjXkAZ-anD257BF7y1hbjuY3ogNceKfTAQtzDEsU',
        },
      }
    );
    console.log(data);

    If you request this as the Reader user, you will receive a 403 error. That is because the Reader role does not have access to the create function of the Article Content Type.

    Log in as the Author user instead, and you will be able to create an Article.
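    Putting the whole flow together (login body, Bearer header, a client-side expiry check on the token's exp claim, and what the status codes mean), here is an added example in plain Node.js; it is not part of the original guide or of Strapi. STRAPI_URL, the helper names, the sample token and the 401 mapping are assumptions.

```javascript
// Added example (not Strapi's own code): helpers for the login -> JWT -> Bearer flow.
// Plain Node.js, no dependencies. STRAPI_URL is an assumption.
const STRAPI_URL = 'http://localhost:1337';

// Decode a JWT payload WITHOUT verifying the signature. Only the server verifies
// it; the client decodes purely to avoid sending a token it already knows is expired.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// True when the exp claim (seconds since epoch) is not in the future.
function isExpired(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(jwt);
  return typeof exp === 'number' && exp <= nowSeconds;
}

// Request shape for POST /auth/local: identifier and password as a JSON body.
function loginRequest(identifier, password) {
  return {
    url: `${STRAPI_URL}/auth/local`,
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ identifier, password }),
  };
}

// Request shape for the /articles route. The JWT travels in the Authorization
// header, not in the body; a null jwt means an unauthenticated (Public) call.
// Passing an article object turns the request into a create (POST).
function articlesRequest(jwt, article = null, nowSeconds) {
  if (jwt && isExpired(jwt, nowSeconds)) throw new Error('JWT expired, log in again');
  const headers = { 'Content-Type': 'application/json' };
  if (jwt) headers.Authorization = `Bearer ${jwt}`;
  return {
    url: `${STRAPI_URL}/articles`,
    method: article ? 'POST' : 'GET',
    headers,
    body: article ? JSON.stringify(article) : undefined,
  };
}

// Meaning of the status codes a caller should distinguish (401 mapping assumed).
function explainStatus(status) {
  if (status === 401) return 'token missing or invalid: log in again';
  if (status === 403) return 'request understood, but this role lacks the permission';
  return status >= 200 && status < 300 ? 'ok' : `unexpected status ${status}`;
}
```

    The expiry check only prevents a pointless round trip; the server's signature verification and role check remain the real gate.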