What token to use for client-side requests to Strapi endpoints?

Hi, how are you?

I have a question

I have some “public” methods that I want the client side (nextjs) to be able to access but which are not public at all. So the idea is to validate them with a JWT token but how can I generate a token that never expires? Or what would be the best way to do this?

Because I tried creating a user and then generating a token with /auth/local but that token expires after 30 days. Once it expires, how do I see this and refresh it from the client side?

thanks @DMehaffy for your response, but are these API tokens secure for client side (react/nextjs app)?

and this API token is any string or a JWT or something else?

thanks!!

They can be as long or complex as needed, you could also build in an automatic generation of them. So long as they are only called from a server side frontend (Next/Nuxt) and not a client side one (React/Vue) then you should be fine.

thanks @DMehaffy! It is very helpful!

I have one more question: is this method the best way to authenticate these “public” requests? What is your recommendation?

My goal is to secure the endpoints of my API so that no one can use my resources or view my application data.

Depends on the technology being used, if you are using a SSR framework then yes, but for CSR style frontends you would need to utilize something like CORS to restrict access.

Keep in mind, if someone really wants to dig at your API endpoints it will be a never ending battle to keep them restricted, with the only “real” solution being to not make them public and require registration / authentication.
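Added example, not code from the thread or from Strapi: it shows the server-side pattern recommended above (the API token lives only in a Next.js API route and is attached to the upstream request on the server, so the browser never sees it, and only an allowlist of Strapi paths can be reached through the proxy), plus a small helper for the earlier question about noticing when a `/auth/local` JWT is about to expire, by reading its `exp` claim. The environment variable names, the allowlisted paths and the `?path=` query parameter are assumptions made for this example.

```javascript
// Added example (not from the thread or from Strapi). Assumptions: the
// Strapi base URL is in STRAPI_URL, the API token in STRAPI_API_TOKEN, and
// the browser asks the proxy for `/api/proxy?path=/api/articles`.
// In a Next.js project this would live in pages/api/proxy.js and end with
// `export default proxyToStrapi`.

const STRAPI_URL = process.env.STRAPI_URL || "http://localhost:1337";

// Only these upstream paths may be reached through the proxy. Anything else
// is refused, so the route cannot be turned into an open relay to Strapi.
const ALLOWED_PATHS = new Set(["/api/articles", "/api/categories"]);

// Accept a plain absolute path only: no traversal, no smuggled query string.
function normalizePath(p) {
  if (typeof p !== "string" || !p.startsWith("/")) return null;
  if (p.includes("..") || p.includes("?") || p.includes("#")) return null;
  return p.replace(/\/+$/, "") || "/";
}

// Build the upstream request. The Authorization header is added here, on the
// server, and is never part of anything returned to the browser.
function buildUpstreamRequest(path, token, base = STRAPI_URL) {
  const clean = normalizePath(path);
  if (!clean || !ALLOWED_PATHS.has(clean)) return null;
  return {
    url: `${base}${clean}`,
    options: {
      method: "GET",
      headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
    },
  };
}

// Handler in the shape of a Next.js pages/api route: (req, res).
// `fetchImpl` is injectable so the logic can be exercised without a network.
async function proxyToStrapi(req, res, opts = {}) {
  const token = opts.token !== undefined ? opts.token : process.env.STRAPI_API_TOKEN;
  const fetchImpl = opts.fetchImpl || fetch;
  if (req.method !== "GET") { res.status(405).json({ error: "method not allowed" }); return; }
  if (!token) { res.status(500).json({ error: "server misconfigured" }); return; }
  const target = buildUpstreamRequest(req.query && req.query.path, token);
  if (!target) { res.status(404).json({ error: "not found" }); return; }
  const upstream = await fetchImpl(target.url, target.options);
  const body = await upstream.json();
  // Only the JSON body is forwarded; upstream headers (and the token) are not.
  res.status(upstream.status).json(body);
}

// Decode a JWT payload (no signature check; only the server holding the
// secret can verify it) and report whether `exp` falls within `skewSeconds`
// of `nowSeconds`. Lets a client decide to re-authenticate before a request
// fails with 401. A malformed token is treated as expired.
function jwtExpiresWithin(jwt, skewSeconds, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof jwt !== "string") return true;
  const parts = jwt.split(".");
  if (parts.length !== 3) return true;
  let payload;
  try {
    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch (e) {
    return true;
  }
  if (typeof payload.exp !== "number") return false; // no exp claim: does not expire
  return payload.exp - nowSeconds <= skewSeconds;
}
```

The point of the allowlist is that "the token stays on the server" is not enough on its own: a proxy that forwards any path the browser names would let anyone reach every endpoint the token can, so the route should be as narrow as the pages actually need.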
