GraphQL "Forbidden" error for super admin user

I’m following the GraphQL guide here and have successfully generated a JWT for my super admin user. I’ve included that token in the “Http Headers” panel as { "Authorization": "Bearer <jwt>" }. However, I’m not able to perform any queries aside from { me }. Requesting, say, { restaurants } returns a 403 Forbidden error.

Have I missed a step somewhere in configuring permissions? Otherwise, Strapi looks very impressive!

You need to enable permissions for the actual queries too. I believe the “me” query is available from the default which is why it worked.

You do this in the roles section of settings.

Thanks for the reply! I’m still baffled by this. My user has a Super Admin permission and it has the following attributed to its role:

I applied the same permissions to the Editor role and gave that role to my user as well. I’m still getting Forbidden errors. As far as I know, I’ve followed the Strapi tutorials verbatim. Any other insight as to what I could be missing?

It’s on the other roles settings (you’re looking at Strapi admin permissions, but you need the client-facing permissions).

It’s a bit confusing :sweat_smile:

It’s lower down on the left-hand side of the menu.

Oh my gosh… yes, having two “Roles” in that menu bar is very confusing. That worked though, thank you! I was pulling my hair out because the roles and permissions system seemed otherwise quite intuitive.