Can't make any public requests

Hi, I’m still quite new to Strapi and have been stuck on an issue for several days now.

Everything seemed to be working fine last week but then my Strapi API seemed to stop accepting any unauthorised requests including a login (POST /auth/local). It returns a 401 or 403 when I try to login or send images the /upload route. I’ve restarted the project and deleted the user, permission, role mongodb collections but it doesn’t seem to have any impact.

Is there any reason why the API would be sending back 401s and 403s when trying to log in or upload files on routes that have been made public?

That issue can be causes by the database connection. Make sure that your connection is configured properly. As the Login page opens even without database connection and when you try to login without DB connection it will respond with Unauthorized. Same applies to the public APIs, as the files exists and you can call them, but strapi can’t retrieve permissions from DB so it will also respond with Unauthorized.

1 Like

Do you think that would be the case even if I can log in through the Strapi UI and make protected requests via API with a valid token?

It sounds like something is preventing it from checking permissions when a public request comes in but I can’t think of what it could be as the DB credentials definitely work for all Strapi UI actions and authorized client requests (I’ve just done this to test with a valid token).

Just for clarity the issue is when I send an Axios request from a react client to the Strapi backend

BTW, what version do you use? That’s a clean install or you migrated from an older version?

A key thing to keep in mind, if you have an authorization header with a bearer JWT value, your request is no longer public (regardless of the public permissions). If that JWT belongs to a user assigned to a role or that JWT is invalid you will get a 4xx error.


@sunnyson Currently on 3.2.3. I’ve done quite a few fresh installs and one where I moved back to 3.0.6. I also restored a backup of my db but nothing seems to do the trick.

@DMehaffy That had not dawned on me

I hadn’t been sending any header with the request but just added this with an empty authorization header and now it’s giving me back a 404, so that’s new.

This is the axios function I’m using to login:

 export const loginStrapi = () => {
  return async (dispatch, getState) => {
        const email = getState();
        const password = getState().login.loginFormData.password;
        try {
          const config = {
            headers: {
              'Content-Type': `application/json`,
              'Authorization': ''
          const { data } = await'http://localhost:1337/auth/local', {
            identifier: email,
            password: password,
          }, config);
          localStorage.setItem('tokenStrapi', 'Bearer ' + data.jwt);
        } catch (error) {
        } finally {


To determine if the issue is Strapi or your code, try testing logging in and requesting the same routes via something like Postman (REST GUI Client)

Will do. Thank you both very much for your help!

1 Like

Finally, Yeah you are right I have set up postman so that once the user logs in the bearer token get reflected in all the route whenever. I was making request to public endpoint the logged in user’s JWT was getting attached to it and I was getting forbidden error

is there a way to bypass this behavior? I’m doing the authorization in an API gateway, strapi should not be concerned about the token