403 for custom route & API token

With a brand new v4 install, I generated a dummy route using strapi generate - I then created an API token.

When I attempt to call that dummy route I get a 403 Forbidden error. The API token works though, when I call a core route for an entity, I get a 200 and data

So my question - How do I grant my API token access to a custom route?

Hi @daniel.j

I think you have to set the permissions via the ‘users permission’ plugin.

Tried it - ticked the box, no change.

Wouldn’t have thought this would be the solution since a) user authentication is done via providers, not explicit token, and b) Users + Permissions is a plugin, while API tokens are part of core admin package

After stepping through Strapi code I found out what’s going on…

The comment from the source code explains it (far better than the Admin UI)

 * If you don't have `full-access` you can only access `find` and `findOne`
 * scopes. If the route has no scope, then you can't get access to it.

Given a custom route has the following scope api::routeName::routeName::actionName - API tokens which are set to read-only will throw a 403…

Thus - you must use a Full Access token, or, add the following config to your custom route:

auth: {
  scope: ['find']

@daniel.j, adding scope make it accessible for custom routes with read-only Api Token but it returns a 403 error when using a Authenticated user token ( authenticated user role has permission for that custom route ).
Were you able to find some solution for this.
P.S can share some resource regarding route scopes I tried to find something but there is no material available.

I am getting same issue on version : 4.3.3, after adding below code api is accessable by Api Token, but it returns a 403 error for a Authenticated user token ( authenticated user has permission to access custom route. )

auth: {
scope: [‘find’]

is there any way to give access permission for “custom route” to both api token as well as authenticated user?

1 Like