Limit access of API token via policy

System Information
  • Strapi Version: v4.1.7
  • Operating System: macOS X 10.15.7
  • Database: mysql
  • Node Version: v14.18.2
  • NPM Version: 6.14.15
  • Yarn Version: 1.22.17

Hey all!

I am trying to write a policy which will pass through authenticated users or limit access to a known API token.
Therefore, I created a API token with the name development in the administration panel.

The policy looks like this:

"use strict";

 * `is-dev-or-authenticated` policy.

module.exports = (policyContext, config, { strapi }) => {"In is-dev-or-authenticated policy.");

  if (policyContext.state.user) {
    // if a session is open
    // go to next policy or reach the controller's action
    return true;

  const authHeader = policyContext.request.header.authorization;

  if (!authHeader) {
    return false;

  const token = authHeader.split(" ")[1];


  return true;

As you can see, I am trying to get some information about the used API token in the request.
console.log(token); really returns the used token.
But console.log(; says { payload: null, isValid: false }

How can I get the information if the used token is the one with the name development?

Not sure if you’ve moved beyond this since it’s been over a year since you posted, but I found a way to do this.

You don’t need to decode the token at all, the policyContext has a property, which is the name of the token provided. So in your case you could probably do something like this.

module.exports = (policyContext, config, { strapi }) => {"In is-dev-or-authenticated policy.");
  var tokenName =;

  if (policyContext.state.user || tokenName == "development") 
    return true;

  return false;

You might need to null check the credentials or the auth object, but this kind of solution has worked for me.

1 Like