openapi: 3.1.0
info:
  title: Strapi Admin Panel API
  description: >-
    The Strapi Admin Panel API powers the back-office interface used to
    manage content-types, content entries, media assets, and administrator
    accounts. It provides endpoints for the Content-Type Builder, Content
    Manager, Media Library, and role-based access control configuration.
    The API supports three default administrator roles (Super Admin,
    Editor, and Author) with granular permission management, allowing
    organizations to control which administrative functions each role can
    access.
  version: '5.0.0'
  contact:
    name: Strapi Support
    url: https://strapi.io/support
  termsOfService: https://strapi.io/terms
externalDocs:
  description: Strapi Admin Panel Documentation
  url: https://docs.strapi.io/cms/features/admin-panel
servers:
  - url: https://{host}
    description: Strapi Server
    variables:
      host:
        default: localhost:1337
        description: The hostname and port of your Strapi instance
tags:
  - name: Admin Authentication
    description: >-
      Authentication endpoints for administrator accounts used to access
      the Strapi admin panel.
  - name: Admin Roles
    description: >-
      Endpoints for managing administrator roles (Super Admin, Editor,
      Author) and their associated permissions.
  - name: Admin Users
    description: >-
      Endpoints for managing administrator user accounts that have access
      to the Strapi admin panel.
  - name: API Tokens
    description: >-
      Endpoints for managing API tokens used to authenticate REST and
      GraphQL API requests.
  - name: Content Manager
    description: >-
      Endpoints for managing content entries through the admin panel
      Content Manager interface.
  - name: Content Types
    description: >-
      Endpoints for managing content-type definitions through the
      Content-Type Builder.
  - name: Transfer Tokens
    description: >-
      Endpoints for managing transfer tokens used for data transfer
      operations between Strapi instances.
  - name: Webhooks
    description: >-
      Endpoints for managing webhook configurations from the admin panel.
security:
  - adminBearerAuth: []
paths:
  /admin/login:
    post:
      operationId: adminLogin
      summary: Login to admin panel
      description: >-
        Authenticates an administrator with their email and password.
        Returns a JWT token for accessing admin panel API endpoints.
      tags:
        - Admin Authentication
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - email
                - password
              properties:
                email:
                  type: string
                  format: email
                  description: >-
                    The administrator's email address
                password:
                  type: string
                  format: password
                  description: >-
                    The administrator's password
      responses:
        '200':
          description: Authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminAuthResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
  /admin/renew-token:
    post:
      operationId: adminRenewToken
      summary: Renew admin JWT token
      description: >-
        Renews the admin JWT token using a valid refresh token to extend
        the admin session without requiring re-authentication.
      tags:
        - Admin Authentication
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: >-
                    The refresh token obtained during login
      responses:
        '200':
          description: Token renewed successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminAuthResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
  /admin/forgot-password:
    post:
      operationId: adminForgotPassword
      summary: Request admin password reset
      description: >-
        Sends a password reset email to the specified administrator email
        address.
      tags:
        - Admin Authentication
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - email
              properties:
                email:
                  type: string
                  format: email
                  description: >-
                    The administrator's email address
      responses:
        '200':
          description: Password reset email sent
          content:
            application/json:
              schema:
                type: object
                properties:
                  ok:
                    type: boolean
        '400':
          $ref: '#/components/responses/BadRequest'
  /admin/reset-password:
    post:
      operationId: adminResetPassword
      summary: Reset admin password
      description: >-
        Resets an administrator's password using the code received via the
        forgot-password email.
      tags:
        - Admin Authentication
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - resetPasswordToken
                - password
              properties:
                resetPasswordToken:
                  type: string
                  description: >-
                    The reset token received in the password reset email
                password:
                  type: string
                  format: password
                  description: >-
                    The new admin password
      responses:
        '200':
          description: Password reset successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminAuthResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
  /admin/register-admin:
    post:
      operationId: registerFirstAdmin
      summary: Register the first administrator
      description: >-
        Registers the initial Super Admin account during Strapi setup. This
        endpoint is only available when no administrator accounts exist in
        the system.
      tags:
        - Admin Authentication
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - firstname
                - lastname
                - email
                - password
              properties:
                firstname:
                  type: string
                  description: >-
                    The administrator's first name
                lastname:
                  type: string
                  description: >-
                    The administrator's last name
                email:
                  type: string
                  format: email
                  description: >-
                    The administrator's email address
                password:
                  type: string
                  format: password
                  description: >-
                    The administrator's password
      responses:
        '200':
          description: First admin registered successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminAuthResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
  /admin/users:
    get:
      operationId: listAdminUsers
      summary: List administrator users
      description: >-
        Returns a paginated list of all administrator accounts with their
        roles and metadata.
      tags:
        - Admin Users
      parameters:
        - name: page
          in: query
          description: The page number
          schema:
            type: integer
            default: 1
        - name: pageSize
          in: query
          description: The number of results per page
          schema:
            type: integer
            default: 25
      responses:
        '200':
          description: A list of admin users
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: object
                    properties:
                      results:
                        type: array
                        items:
                          $ref: '#/components/schemas/AdminUser'
                      pagination:
                        $ref: '#/components/schemas/AdminPagination'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      operationId: createAdminUser
      summary: Create an administrator user
      description: >-
        Creates a new administrator account with specified roles. An
        invitation email is sent to the new administrator.
      tags:
        - Admin Users
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AdminUserCreateRequest'
      responses:
        '201':
          description: Admin user created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminUser'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /admin/users/{id}:
    get:
      operationId: getAdminUser
      summary: Get an administrator user
      description: >-
        Returns a single administrator account by its ID.
      tags:
        - Admin Users
      parameters:
        - $ref: '#/components/parameters/AdminUserId'
      responses:
        '200':
          description: The admin user details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminUser'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: updateAdminUser
      summary: Update an administrator user
      description: >-
        Updates an administrator account's details including name, email,
        password, active status, and role assignments.
      tags:
        - Admin Users
      parameters:
        - $ref: '#/components/parameters/AdminUserId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AdminUserUpdateRequest'
      responses:
        '200':
          description: Admin user updated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminUser'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deleteAdminUser
      summary: Delete an administrator user
      description: >-
        Deletes an administrator account by its ID. This action is
        irreversible.
      tags:
        - Admin Users
      parameters:
        - $ref: '#/components/parameters/AdminUserId'
      responses:
        '200':
          description: Admin user deleted successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminUser'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /admin/roles:
    get:
      operationId: listAdminRoles
      summary: List administrator roles
      description: >-
        Returns a list of all administrator roles. Default roles include
        Super Admin, Editor, and Author.
      tags:
        - Admin Roles
      responses:
        '200':
          description: A list of admin roles
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/AdminRole'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      operationId: createAdminRole
      summary: Create an administrator role
      description: >-
        Creates a new custom administrator role with specified permissions.
      tags:
        - Admin Roles
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AdminRoleRequest'
      responses:
        '201':
          description: Admin role created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminRole'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /admin/roles/{id}:
    get:
      operationId: getAdminRole
      summary: Get an administrator role
      description: >-
        Returns a single administrator role by its ID, including its
        associated permissions.
      tags:
        - Admin Roles
      parameters:
        - $ref: '#/components/parameters/AdminRoleId'
      responses:
        '200':
          description: The admin role details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminRole'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: updateAdminRole
      summary: Update an administrator role
      description: >-
        Updates an administrator role's name, description, and permissions.
      tags:
        - Admin Roles
      parameters:
        - $ref: '#/components/parameters/AdminRoleId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AdminRoleRequest'
      responses:
        '200':
          description: Admin role updated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AdminRole'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deleteAdminRole
      summary: Delete an administrator role
      description: >-
        Deletes an administrator role by its ID. Default roles cannot be
        deleted.
      tags:
        - Admin Roles
      parameters:
        - $ref: '#/components/parameters/AdminRoleId'
      responses:
        '200':
          description: Admin role deleted successfully
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /admin/content-type-builder/content-types:
    get:
      operationId: listContentTypes
      summary: List content types
      description: >-
        Returns a list of all content-types defined in the Strapi
        application, including their schemas, attributes, and
        configuration.
      tags:
        - Content Types
      responses:
        '200':
          description: A list of content types
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/ContentType'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /admin/content-type-builder/content-types/{uid}:
    get:
      operationId: getContentType
      summary: Get a content type
      description: >-
        Returns a single content-type definition by its UID, including its
        full schema with all attributes, relations, and configuration.
      tags:
        - Content Types
      parameters:
        - name: uid
          in: path
          required: true
          description: >-
            The unique identifier of the content-type (e.g.,
            api::article.article)
          schema:
            type: string
      responses:
        '200':
          description: The content type definition
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ContentType'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /admin/content-manager/collection-types/{contentType}:
    get:
      operationId: listCollectionEntries
      summary: List collection type entries
      description: >-
        Returns a paginated list of entries for a collection type through
        the admin Content Manager interface.
      tags:
        - Content Manager
      parameters:
        - name: contentType
          in: path
          required: true
          description: >-
            The UID of the collection type (e.g., api::article.article)
          schema:
            type: string
        - name: page
          in: query
          description: The page number
          schema:
            type: integer
        - name: pageSize
          in: query
          description: The number of results per page
          schema:
            type: integer
      responses:
        '200':
          description: A list of collection entries
          content:
            application/json:
              schema:
                type: object
                properties:
                  results:
                    type: array
                    items:
                      type: object
                      additionalProperties: true
                  pagination:
                    $ref: '#/components/schemas/AdminPagination'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /admin/webhooks:
    get:
      operationId: listWebhooks
      summary: List webhooks
      description: >-
        Returns a list of all configured webhooks in the Strapi admin
        panel.
      tags:
        - Webhooks
      responses:
        '200':
          description: A list of webhooks
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Webhook'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      operationId: createWebhook
      summary: Create a webhook
      description: >-
        Creates a new webhook configuration with the specified URL, events,
        and headers.
      tags:
        - Webhooks
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WebhookRequest'
      responses:
        '201':
          description: Webhook created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Webhook'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /admin/webhooks/{id}:
    get:
      operationId: getWebhook
      summary: Get a webhook
      description: >-
        Returns a single webhook configuration by its ID.
      tags:
        - Webhooks
      parameters:
        - name: id
          in: path
          required: true
          description: The ID of the webhook
          schema:
            type: string
      responses:
        '200':
          description: The webhook details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Webhook'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: updateWebhook
      summary: Update a webhook
      description: >-
        Updates a webhook configuration by its ID.
      tags:
        - Webhooks
      parameters:
        - name: id
          in: path
          required: true
          description: The ID of the webhook
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WebhookRequest'
      responses:
        '200':
          description: Webhook updated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Webhook'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deleteWebhook
      summary: Delete a webhook
      description: >-
        Deletes a webhook configuration by its ID.
      tags:
        - Webhooks
      parameters:
        - name: id
          in: path
          required: true
          description: The ID of the webhook
          schema:
            type: string
      responses:
        '200':
          description: Webhook deleted successfully
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /admin/api-tokens:
    get:
      operationId: listApiTokens
      summary: List API tokens
      description: >-
        Returns a list of all API tokens configured in the Strapi admin
        panel. API tokens allow authenticating REST and GraphQL API
        requests without managing user accounts.
      tags:
        - API Tokens
      responses:
        '200':
          description: A list of API tokens
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/ApiToken'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      operationId: createApiToken
      summary: Create an API token
      description: >-
        Creates a new API token with specified permissions. The full token
        value is only returned once upon creation and cannot be retrieved
        again.
      tags:
        - API Tokens
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ApiTokenRequest'
      responses:
        '201':
          description: API token created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiToken'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /admin/api-tokens/{id}:
    get:
      operationId: getApiToken
      summary: Get an API token
      description: >-
        Returns a single API token's metadata by its ID. The full token
        value is not returned.
      tags:
        - API Tokens
      parameters:
        - name: id
          in: path
          required: true
          description: The ID of the API token
          schema:
            type: string
      responses:
        '200':
          description: The API token details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiToken'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      operationId: updateApiToken
      summary: Update an API token
      description: >-
        Updates an API token's name, description, type, or permissions.
      tags:
        - API Tokens
      parameters:
        - name: id
          in: path
          required: true
          description: The ID of the API token
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ApiTokenRequest'
      responses:
        '200':
          description: API token updated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiToken'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deleteApiToken
      summary: Delete an API token
      description: >-
        Deletes an API token by its ID. Any requests using this token will
        fail after deletion.
      tags:
        - API Tokens
      parameters:
        - name: id
          in: path
          required: true
          description: The ID of the API token
          schema:
            type: string
      responses:
        '200':
          description: API token deleted successfully
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /admin/transfer/tokens:
    get:
      operationId: listTransferTokens
      summary: List transfer tokens
      description: >-
        Returns a list of all transfer tokens configured for data transfer
        operations between Strapi instances.
      tags:
        - Transfer Tokens
      responses:
        '200':
          description: A list of transfer tokens
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/TransferToken'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      operationId: createTransferToken
      summary: Create a transfer token
      description: >-
        Creates a new transfer token for data transfer operations. The full
        token value is only returned once upon creation.
      tags:
        - Transfer Tokens
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TransferTokenRequest'
      responses:
        '201':
          description: Transfer token created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TransferToken'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /admin/transfer/tokens/{id}:
    delete:
      operationId: deleteTransferToken
      summary: Delete a transfer token
      description: >-
        Deletes a transfer token by its ID.
      tags:
        - Transfer Tokens
      parameters:
        - name: id
          in: path
          required: true
          description: The ID of the transfer token
          schema:
            type: string
      responses:
        '200':
          description: Transfer token deleted successfully
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
components:
  securitySchemes:
    adminBearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Admin JWT token obtained from the /admin/login endpoint. Include as
        Authorization: Bearer {token}.
  parameters:
    AdminUserId:
      name: id
      in: path
      required: true
      description: The unique ID of the administrator user
      schema:
        type: string
    AdminRoleId:
      name: id
      in: path
      required: true
      description: The unique ID of the administrator role
      schema:
        type: string
  schemas:
    AdminAuthResponse:
      type: object
      properties:
        data:
          type: object
          properties:
            token:
              type: string
              description: >-
                The JWT token for authenticating admin API requests
            user:
              $ref: '#/components/schemas/AdminUser'
    AdminUser:
      type: object
      properties:
        id:
          type: integer
          description: The unique ID of the administrator
        firstname:
          type: string
          description: The administrator's first name
        lastname:
          type: string
          description: The administrator's last name
        email:
          type: string
          format: email
          description: The administrator's email address
        isActive:
          type: boolean
          description: Whether the administrator account is active
        blocked:
          type: boolean
          description: Whether the administrator account is blocked
        preferedLanguage:
          type: string
          description: The administrator's preferred admin panel language
        roles:
          type: array
          items:
            $ref: '#/components/schemas/AdminRole'
          description: The roles assigned to the administrator
        createdAt:
          type: string
          format: date-time
          description: The timestamp when the account was created
        updatedAt:
          type: string
          format: date-time
          description: The timestamp when the account was last updated
    AdminUserCreateRequest:
      type: object
      required:
        - firstname
        - lastname
        - email
        - roles
      properties:
        firstname:
          type: string
          description: The administrator's first name
        lastname:
          type: string
          description: The administrator's last name
        email:
          type: string
          format: email
          description: The administrator's email address
        roles:
          type: array
          items:
            type: integer
          description: An array of role IDs to assign to the administrator
    AdminUserUpdateRequest:
      type: object
      properties:
        firstname:
          type: string
          description: The updated first name
        lastname:
          type: string
          description: The updated last name
        email:
          type: string
          format: email
          description: The updated email address
        password:
          type: string
          format: password
          description: A new password for the administrator
        isActive:
          type: boolean
          description: Whether to activate or deactivate the account
        roles:
          type: array
          items:
            type: integer
          description: Updated array of role IDs
    AdminRole:
      type: object
      properties:
        id:
          type: integer
          description: The unique ID of the role
        name:
          type: string
          description: The display name of the role
        code:
          type: string
          description: >-
            The unique code identifier for the role (e.g.,
            strapi-super-admin, strapi-editor, strapi-author)
        description:
          type: string
          description: A description of the role's purpose and access level
        usersCount:
          type: integer
          description: The number of administrators assigned to this role
    AdminRoleRequest:
      type: object
      required:
        - name
        - description
      properties:
        name:
          type: string
          description: The display name of the role
        description:
          type: string
          description: A description of the role's purpose
        permissions:
          type: array
          items:
            type: object
            properties:
              action:
                type: string
                description: The permission action identifier
              subject:
                type: string
                nullable: true
                description: The subject the permission applies to
          description: An array of permission objects to assign to the role
    ContentType:
      type: object
      properties:
        uid:
          type: string
          description: >-
            The unique identifier of the content-type (e.g.,
            api::article.article)
        plugin:
          type: string
          nullable: true
          description: The plugin that owns this content-type, if applicable
        apiID:
          type: string
          description: The API identifier used in REST endpoints
        schema:
          type: object
          description: The full schema definition of the content-type
          properties:
            displayName:
              type: string
              description: The human-readable display name
            singularName:
              type: string
              description: The singular name used in the API
            pluralName:
              type: string
              description: The plural name used in REST API routes
            kind:
              type: string
              enum:
                - collectionType
                - singleType
              description: >-
                Whether this is a collection type or single type
            attributes:
              type: object
              description: >-
                The attribute definitions for the content-type fields
              additionalProperties: true
    Webhook:
      type: object
      properties:
        id:
          type: integer
          description: The unique ID of the webhook
        name:
          type: string
          description: The display name of the webhook
        url:
          type: string
          format: uri
          description: The URL where events will be sent
        headers:
          type: object
          description: Custom HTTP headers to include with webhook requests
          additionalProperties:
            type: string
        events:
          type: array
          items:
            type: string
          description: >-
            The event types that trigger this webhook (e.g., entry.create,
            entry.update, entry.delete, entry.publish, entry.unpublish,
            media.create, media.update, media.delete)
        isEnabled:
          type: boolean
          description: Whether the webhook is currently active
    WebhookRequest:
      type: object
      required:
        - name
        - url
        - events
      properties:
        name:
          type: string
          description: The display name of the webhook
        url:
          type: string
          format: uri
          description: The URL where events will be sent
        headers:
          type: object
          description: Custom HTTP headers to include with webhook requests
          additionalProperties:
            type: string
        events:
          type: array
          items:
            type: string
          description: >-
            The event types that trigger this webhook
        isEnabled:
          type: boolean
          description: Whether the webhook should be active
    ApiToken:
      type: object
      properties:
        id:
          type: integer
          description: The unique ID of the API token
        name:
          type: string
          description: The display name of the API token
        description:
          type: string
          description: A description of the token's purpose
        type:
          type: string
          enum:
            - read-only
            - full-access
            - custom
          description: >-
            The access level of the token. read-only allows only GET
            operations, full-access allows all operations, and custom
            allows specifying individual permissions.
        accessKey:
          type: string
          description: >-
            The truncated access key (full value only returned on creation)
        lastUsedAt:
          type: string
          format: date-time
          nullable: true
          description: The timestamp when the token was last used
        expiresAt:
          type: string
          format: date-time
          nullable: true
          description: >-
            The expiration date of the token, or null for tokens that never
            expire
        lifespan:
          type: integer
          nullable: true
          description: >-
            The lifespan of the token in days (7, 30, 90, or null for
            unlimited)
        createdAt:
          type: string
          format: date-time
          description: The timestamp when the token was created
        updatedAt:
          type: string
          format: date-time
          description: The timestamp when the token was last updated
    ApiTokenRequest:
      type: object
      required:
        - name
        - type
      properties:
        name:
          type: string
          description: The display name of the API token
        description:
          type: string
          description: A description of the token's purpose
        type:
          type: string
          enum:
            - read-only
            - full-access
            - custom
          description: The access level of the token
        lifespan:
          type: integer
          nullable: true
          enum:
            - 7
            - 30
            - 90
            - null
          description: >-
            The lifespan of the token in days, or null for unlimited
        permissions:
          type: array
          items:
            type: string
          description: >-
            An array of permission action identifiers (only for custom
            type)
    TransferToken:
      type: object
      properties:
        id:
          type: integer
          description: The unique ID of the transfer token
        name:
          type: string
          description: The display name of the transfer token
        description:
          type: string
          description: A description of the token's purpose
        accessKey:
          type: string
          description: The truncated access key
        lastUsedAt:
          type: string
          format: date-time
          nullable: true
          description: The timestamp when the token was last used
        expiresAt:
          type: string
          format: date-time
          nullable: true
          description: The expiration date of the token
        lifespan:
          type: integer
          nullable: true
          description: The lifespan of the token in days
        permissions:
          type: array
          items:
            type: string
            enum:
              - push
              - pull
          description: The transfer permissions (push, pull, or both)
        createdAt:
          type: string
          format: date-time
          description: The timestamp when the token was created
        updatedAt:
          type: string
          format: date-time
          description: The timestamp when the token was last updated
    TransferTokenRequest:
      type: object
      required:
        - name
        - permissions
      properties:
        name:
          type: string
          description: The display name of the transfer token
        description:
          type: string
          description: A description of the token's purpose
        lifespan:
          type: integer
          nullable: true
          description: The lifespan of the token in days
        permissions:
          type: array
          items:
            type: string
            enum:
              - push
              - pull
          description: The transfer permissions to grant
    AdminPagination:
      type: object
      properties:
        page:
          type: integer
          description: The current page number
        pageSize:
          type: integer
          description: The number of results per page
        pageCount:
          type: integer
          description: The total number of pages
        total:
          type: integer
          description: The total number of results
    Error:
      type: object
      properties:
        data:
          nullable: true
        error:
          type: object
          properties:
            status:
              type: integer
              description: The HTTP status code
            name:
              type: string
              description: The error name
            message:
              type: string
              description: A human-readable error message
            details:
              type: object
              description: Additional error details
  responses:
    BadRequest:
      description: Bad request - invalid input or validation error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: Unauthorized - missing or invalid authentication
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Forbidden:
      description: Forbidden - insufficient permissions
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Not found - the requested resource does not exist
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'