With a brand new v4 install, I generated a dummy route using `strapi generate` - I then created an API token.
When I attempt to call that dummy route I get a 403 Forbidden error. The API token works, though: when I call a core route for an entity, I get a 200 and data.
So my question: how do I grant my API token access to a custom route?
I think you have to set the permissions via the ‘users permission’ plugin.
Tried it - ticked the box, no change.
Wouldn’t have thought this would be the solution since a) user authentication is done via providers, not explicit token, and b) Users + Permissions is a plugin, while API tokens are part of core admin package
After stepping through Strapi code I found out what’s going on…
The comment from the source code explains it (far better than the Admin UI):
* If you don't have `full-access` you can only access `find` and `findOne`
* scopes. If the route has no scope, then you can't get access to it.
Given that a custom route has the following scope, `api::routeName::routeName::actionName`, API tokens which are set to read-only will throw a 403…
Thus you must use a Full Access token, or add the following config to your custom route:
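An added illustration (not the poster's omitted config and not Strapi source): the rule quoted from the source comment, modelled in plain JavaScript against routes written in Strapi v4 route-file shape. Assumptions: the scope is read from `config.auth.scope`, and scope strings follow the `api::<api>.<controller>.<action>` form of handler names.

```javascript
// Model of the quoted rule: without `full-access`, only `find` / `findOne`
// scopes pass, and a route with no scope at all is never reachable with a
// read-only token. Illustrative only; not Strapi's implementation.
const isReadScope = (scope) => scope.endsWith('find') || scope.endsWith('findOne');

function verifyApiToken(token, routeConfig) {
  if (token.type === 'full-access') return { status: 200 };
  if (token.type === 'read-only') {
    const auth = (routeConfig && routeConfig.auth) || {};          // assumption: config.auth.scope
    const scopes = Array.isArray(auth.scope) ? auth.scope : auth.scope ? [auth.scope] : [];
    if (scopes.length > 0 && scopes.every(isReadScope)) return { status: 200 };
    return { status: 403, reason: `scopes ${JSON.stringify(scopes)} are not read scopes` };
  }
  return { status: 403, reason: `unknown token type ${token.type}` };
}

// Constructed routes in the shape of a src/api/<name>/routes/*.js entry.
// 1) a generated custom route whose scope mirrors its handler name
const customRoute = {
  method: 'GET',
  path: '/route-name/custom',
  handler: 'route-name.actionName',
  config: { auth: { scope: ['api::route-name.route-name.actionName'] } },
};
// 2) the same route with an explicit read scope, the workaround described above
const customRouteWithReadScope = {
  ...customRoute,
  config: { auth: { scope: ['api::route-name.route-name.find'] } },
};
// 3) a route that declares no scope at all
const unscopedRoute = { ...customRoute, config: {} };

const readOnly = { type: 'read-only' };
const fullAccess = { type: 'full-access' };

// Each case returns the HTTP status the model would answer with.
function demo() {
  return {
    readOnlyCustom: verifyApiToken(readOnly, customRoute.config).status,                 // 403
    readOnlyUnscoped: verifyApiToken(readOnly, unscopedRoute.config).status,             // 403
    readOnlyWithReadScope: verifyApiToken(readOnly, customRouteWithReadScope.config).status, // 200
    fullAccessCustom: verifyApiToken(fullAccess, customRoute.config).status,             // 200
  };
}
```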
@daniel.j, adding a scope makes it accessible for custom routes with a read-only API token, but it returns a 403 error when using an Authenticated user token (the authenticated user role has permission for that custom route).
Were you able to find a solution for this?
P.S. Can you share some resources regarding route scopes? I tried to find something but there is no material available.
I am getting the same issue on version 4.3.3: after adding the code below, the API is accessible by API token, but it returns a 403 error for an Authenticated user token (the authenticated user has permission to access the custom route).
Is there any way to give access permission for a “custom route” to both an API token and an authenticated user?