What are the differences between read-only and full access API tokens in Strapi v4?

Hi. I was creating custom routes for my API through a generated API token the other day and kept getting a 403 Forbidden error. At first I suspected it was due to the permissions not being set up correctly, but there was more to it.

Long story short, I managed to get it working by changing the API token type from "read-only" to "full access". I'm confused as to what they really do, since the custom route I was writing was only a simple GET, which fits the "read-only" spirit of the API token.

Can someone tell me how the two token types behave?


The documentation states: “Read-only API tokens can only access the find and findOne functions.”

See this reference: API tokens - Strapi Developer Docs

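The point of the answer above is that the token check is keyed on the controller action a route maps to, not on the HTTP method. A custom GET route whose handler is not named `find` or `findOne` will be refused with a read-only token even though it only reads data. The following is an added example, not code from Strapi or from the posts above: it models that documented rule over a constructed route config in the Strapi v4 router format, so you can see which of your routes would get a 403 before generating a token. The content type `article`, the custom action `byAuthor`, and the helper names are assumptions for illustration.

```javascript
// Added example (not from the Strapi project or the forum thread).
// Models the documented rule from the Strapi v4 docs: a read-only API token
// may only reach the `find` and `findOne` controller actions; a full-access
// token may reach any action. Nothing here talks to a real Strapi instance.

const ALLOWED_ACTIONS_BY_TOKEN_TYPE = {
  // read-only: only the two documented actions, whatever the HTTP method
  'read-only': new Set(['find', 'findOne']),
  // full access: null stands for "every action is permitted"
  'full-access': null,
};

// Constructed sample in the shape of a src/api/<name>/routes/*.js config.
// "article" and the custom "byAuthor" action are assumed for illustration.
const sampleRoutes = {
  routes: [
    { method: 'GET', path: '/articles', handler: 'article.find' },
    { method: 'GET', path: '/articles/:id', handler: 'article.findOne' },
    // A simple GET, but its action is not find/findOne: 403 under read-only.
    { method: 'GET', path: '/articles/by-author/:author', handler: 'article.byAuthor' },
    { method: 'POST', path: '/articles', handler: 'article.create' },
  ],
};

// Route handlers are written "controller.action"; the action is the last part.
function actionOf(handler) {
  const parts = handler.split('.');
  return parts[parts.length - 1];
}

// True if a token of the given type is allowed to invoke the route's action.
function isActionAllowed(tokenType, handler) {
  if (!(tokenType in ALLOWED_ACTIONS_BY_TOKEN_TYPE)) {
    throw new Error(`unknown token type: ${tokenType}`);
  }
  const allowed = ALLOWED_ACTIONS_BY_TOKEN_TYPE[tokenType];
  return allowed === null || allowed.has(actionOf(handler));
}

// For every route, the outcome of the token permission check:
// 403 when the action is outside the token's scope, 200 when the check passes
// (200 here means "passes the permission check", not the handler's own reply).
function simulateToken(tokenType, routesConfig) {
  return routesConfig.routes.map((r) => ({
    method: r.method,
    path: r.path,
    handler: r.handler,
    status: isActionAllowed(tokenType, r.handler) ? 200 : 403,
  }));
}

// Convenience view: just the "METHOD /path" strings that would be refused.
function forbiddenPaths(tokenType, routesConfig) {
  return simulateToken(tokenType, routesConfig)
    .filter((r) => r.status === 403)
    .map((r) => `${r.method} ${r.path}`);
}

console.log('read-only would refuse:', forbiddenPaths('read-only', sampleRoutes));
console.log('full-access would refuse:', forbiddenPaths('full-access', sampleRoutes));
```

Running it lists `GET /articles/by-author/:author` and `POST /articles` as refused for a read-only token and nothing for a full-access token, which matches the behaviour the question describes: the method being GET does not make a custom action readable by a read-only token; only the action names `find` and `findOne` are.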