strapi · pwizla · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/docusaurus/docs/cms/configurations/admin-panel.md b/docusaurus/docs/cms/configurations/admin-panel.md
@@ -106,7 +106,7 @@ module.exports = ({ env }) => ({
 </TabItem>
 <TabItem value="ts" label="TypeScript">
 
-```js title="/config/admin.ts"
+```ts title="/config/admin.ts"
 export default ({ env }) => ({
   host: "my-host.com",
   port: 3000,
@@ -208,15 +208,15 @@ module.exports = ({ env }) => ({
 </TabItem>
 <TabItem value="ts" label="TypeScript">
 
-```js title="/config/server.ts"
+```ts title="/config/server.ts"
 export default ({ env }) => ({
   host: env("HOST", "0.0.0.0"),
   port: env.int("PORT", 1337),
   url: "http://yourbackend.com",
 });
 ```
 
-```js title="/config/admin.ts"
+```ts title="/config/admin.ts"
 export default ({ env }) => ({
   /**
    * Note: The administration will be accessible from the root of the domain 
@@ -239,10 +239,14 @@ With this configuration:
 
 The [API tokens](/cms/features/api-tokens) feature can be configured with the following parameters:
 
-| Parameter                         | Description                                                                                                                                                                                        | Type          | Default                                                                                                                             |
-|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-------------------------------------------------------------------------------------------------------------------------------------|
-| `apiToken.salt`                   | Salt used to generate API tokens                                                                                                                            | string        | Random string                                                                                                                       |
-| `apiToken.secrets.encryptionKey`   | Encryption key used to set API tokens visibility in the admin panel | string | Random string |
+| Parameter                          | Description                                                                                                                                                   | Type   | Default       |
+|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------|
+| `apiToken.salt`                    | Salt used to generate API tokens (applies to both `content-api` and `admin` token kinds).                                                                     | string | Random string |
+| `apiToken.secrets.encryptionKey`   | Encryption key used to set API token visibility in the admin panel. When set, token keys remain viewable at any time by the token's owner.                    | string | Random string |
+
+:::tip
+Admin tokens — the new kind of API token for programmatic access to the Admin API — are configured entirely from the admin panel. No additional code-based configuration is required beyond the parameters above (see [Admin tokens](/cms/features/admin-tokens)).
+:::
 
 ## Audit logs
 
@@ -592,4 +596,4 @@ export default ({ env }) => ({
 
 </Tabs>
 </TabItem>
-</Tabs>
+</Tabs>
diff --git a/docusaurus/docs/cms/configurations/features.md b/docusaurus/docs/cms/configurations/features.md
@@ -20,7 +20,7 @@ The `config/features.js|ts` file is used to enable feature flags. Currently this
 
 Some incoming Strapi features are not yet ready to be shipped to all users, but Strapi still offers community users the opportunity to provide early feedback on these new features or changes. With these experimental features, developers have the flexibility to choose and integrate new features and changes into their Strapi applications as they become available in the current major version as well as assist us in shaping these new features.
 
-Such experimental features are indicated by a <FeatureFlagBadge /> badge throughout the documentation, where the name of the feature flag to use is included in the badge (e.g., <FeatureFlagBadge feature="FeatureFlagName" />). Enabling these features requires enabling the corresponding future flags. Future flags differ from features that are in alpha in that future flags are disabled by default.
+Such experimental features are indicated by a <FeatureFlagBadge /> badge throughout the documentation, where the name of the feature flag to use is included in the badge (e.g., <FeatureFlagBadge feature="FeatureFlagName" noTooltip />). Enabling these features requires enabling the corresponding future flags. Future flags differ from features that are in alpha in that future flags are disabled by default.
 
 :::danger
 Enable future flags at your own risk. Experimental features may be subject to change or removal, may contain breaking changes, may be unstable or not fully ready for use, and some parts may still be under development or using mock data.
@@ -112,3 +112,5 @@ Developers can use the following APIs to interact with future flags:
 | Property name | Related feature | Suggested environment variable name |
 | ------------- | --------------- | ---------------------------------- |
 | `experimental_firstPublishedAt` | [Draft & Publish](/cms/features/draft-and-publish#recording-the-first-publication-date) | `STRAPI_FUTURE_EXPERIMENTAL_FIRST_PUBLISHED_AT` |
+| `adminTokens` | [Admin Tokens](/cms/features/admin-tokens) | `STRAPI_FUTURE_ADMIN_TOKENS` |
+
diff --git a/docusaurus/docs/cms/features/admin-tokens.md b/docusaurus/docs/cms/features/admin-tokens.md
@@ -0,0 +1,126 @@
+---
+title: Admin Tokens
+description: Learn how to use Admin tokens to authenticate programmatic access to the Strapi Admin API.
+toc_max_heading_level: 4
+displayed_sidebar: cmsSidebar
+tags:
+  - admin tokens
+  - admin panel
+  - authentication
+  - RBAC
+  - features
+---
+
+# Admin Tokens
+<FeatureFlagBadge feature="adminTokens" /> 
+
+<Tldr>
+Admin tokens authenticate programmatic access to the Strapi Admin API. Each token is scoped to a subset of its owner's permissions and is designed for automation workflows such as MCP agents, CI/CD pipelines, and scripts.
+</Tldr>
+
+Admin tokens allow automated clients to authenticate requests to the Strapi Admin API. For authenticating requests to the Content API, see [API Tokens](/cms/features/api-tokens).
+
+Admin tokens and API tokens are strictly separated: each is rejected on the other's routes.
+
+<IdentityCard>
+  <IdentityCardItem icon="credit-card" title="Plan">
+    Free feature
+  </IdentityCardItem>
+  <IdentityCardItem icon="user" title="Role & permission">
+    Activated by default for Super Admin. Each lower-level role needs an explicit permission grant in Roles > Settings - Admin tokens.
+  </IdentityCardItem>
+  <IdentityCardItem icon="toggle-right" title="Activation">
+    Requires enabling the corresponding future flag,<br/>see [Features configuration](/cms/configurations/features)
+  </IdentityCardItem>
+  <IdentityCardItem icon="desktop" title="Environment">
+    Available in both Development & Production environment
+  </IdentityCardItem>
+</IdentityCard>
+
+<!-- TODO: Update screenshot once admin tokens UI is finalized behind the feature flag -->
+<ThemedImage
+  alt="Admin tokens in the admin panel"
+  sources={{
+      light: '/img/assets/settings/settings_admin-tokens-overview.png',
+      dark: '/img/assets/settings/settings_admin-tokens-overview_DARK.png',
+    }}
+/>
+
+## Configuration
+
+Admin tokens are configured entirely from the admin panel. No code-based configuration is specific to Admin tokens. The shared salt and encryption key that apply to all token kinds are set via `apiToken.salt` and `apiToken.secrets.encryptionKey` in your `/config/admin` file (see [API tokens](/cms/features/api-tokens#code-based-configuration)).
+
+**Path to configure the feature:** <Icon name="gear-six" /> _Settings > Administration Panel > Admin Tokens_
+
+### Creating a new Admin token
+
+1. Click on the **Create new Admin Token** button.
+2. In the token creation form, configure the new Admin token:
+
+   | Setting name | Instructions |
+   | --- | --- |
+   | Name | Write the name of the token. |
+   | Description | (optional) Write a description for the token. |
+   | Token duration | Choose a duration: _7 days_, _30 days_, _90 days_, or _Unlimited_. |
+3. Define which admin actions this token can perform:
+   - Click the tabs below the form to browse permission categories.
+   - Use the checkboxes to enable or disable individual permissions.
+
+    :::note
+    Permissions that the current user does not hold appear disabled and cannot be selected. Conditions applied to the owner's role are shown as read-only and apply automatically to the token.
+    :::
+4. Click on the **Save** button. The new Admin token will be displayed at the top of the interface, along with a copy button <Icon name="copy" />.
+
+<!-- TODO: Update screenshot once admin tokens UI is finalized behind the feature flag -->
+<ThemedImage
+alt="Admin token permissions"
+sources={{
+    light: '/img/assets/settings/settings_admin-token-creation.png',
+    dark: '/img/assets/settings/settings_admin-token-creation_DARK.png',
+  }}
+/>
+
+:::caution
+The plaintext token key is shown only once, immediately after creation or regeneration. The `admin.secrets.encryptionKey` configuration that makes Content API token keys persistently viewable does not apply to Admin tokens. Admin token keys are always restricted to the token owner, regardless of encryption configuration.
+:::
+
+### Managing Admin tokens
+
+Admin tokens have a dedicated settings page at <Icon name="gear-six" /> _Settings > Administration Panel > Admin Tokens_. Admin tokens and API tokens are stored in the same database table (differentiated by a `kind` field) but are managed through independent interfaces in the admin panel.
+
+The Admin Tokens page displays an **Owner** column showing the display name of each token's owner.
+
+Any user with access to the Admin Tokens settings page can view Admin tokens. A token can only be edited or deleted by its owner or a super-admin.
+
+When a super-admin views an Admin token owned by another user, a read-only **Owner** field appears in the token details panel. The permissions panel shows only the checkboxes within the token owner's permission scope, not the super-admin's unrestricted access.
+
+Removing a permission from a role causes admin tokens owned by users of that role to have the corresponding permission deleted automatically.
+
+:::caution Owner account deactivation and deletion
+
+* If the token owner's account is deleted, all Admin tokens owned by that user are automatically deleted along with their associated permissions. There is no recovery path. Rotate and replace Admin tokens before offboarding a team member who owns them.
+* If the token owner's account is deactivated or blocked, any request authenticated with that owner's Admin token is rejected. The token itself is not deleted. Re-activating or unblocking the owner restores token functionality.
+:::
+
+#### Regenerating an Admin token
+
+The **Regenerate** button is only visible to the token's owner. Other users, including super-admins, do not see this button for tokens they do not own.
+
+To regenerate an Admin token:
+
+1. Click on the Admin token's edit button.
+2. Click on the **Regenerate** button.
+3. Click on the **Regenerate** button to confirm in the dialog.
+4. Copy the new Admin token displayed at the top of the interface.
+
+## Usage
+
+Using Admin tokens allows executing a request on Strapi's admin routes as an authenticated user.
+
+Admin tokens can be helpful to give access to people or applications without managing a user account, for instance to connect an MCP server or a CI/CD pipeline.
+
+When performing a request to Strapi's admin routes, the Admin token should be added to the request's `Authorization` header with the following syntax: `bearer your-admin-token`.
+
+:::caution
+Never expose Admin tokens in client-side code. Store them in a secrets manager or environment variable.
+:::
diff --git a/docusaurus/docs/cms/features/api-tokens.md b/docusaurus/docs/cms/features/api-tokens.md
@@ -1,6 +1,7 @@
 ---
 title: API Tokens
-description: Learn how you can use API tokens to manage end-users authentication.
+description: Learn how to use content-api tokens to authenticate REST and GraphQL API requests in Strapi.
+displayed_sidebar: cmsSidebar
 sidebar_position: 2
 toc_max_heading_level: 5
 tags:
@@ -14,28 +15,27 @@ tags:
 # API Tokens
 
 <Tldr>
-API tokens provide scoped authentication for REST and GraphQL requests without exposing user credentials. This documentation explains token types, creation, expiration, and secure usage within the admin panel.
+API tokens authenticate external requests to the Strapi Content API without exposing user credentials. Each token is scoped to a set of permissions and expires after a configurable duration.
 </Tldr>
 
-API tokens allow users to authenticate REST and GraphQL API queries (see [APIs introduction](/cms/api/content-api)).
+API tokens allow external clients to authenticate requests to the Strapi [Content API](/cms/api/content-api). For programmatic access to the Admin API, see [Admin Tokens](/cms/features/admin-tokens).
+
+API tokens and Admin tokens are strictly separated: a Content API token is rejected on admin routes, and an admin token is rejected on Content API routes.
 
 :::caution Security
-Prefer read‑only tokens for public access, scope server tokens to only what you need, rotate long‑lived tokens, and store them in a secrets manager. Never expose admin tokens in client‑side code.
+Prefer read-only tokens for public access, scope tokens to only what you need, rotate long-lived tokens, and store them in a secrets manager.
 :::
 
 <IdentityCard>
   <IdentityCardItem icon="layout" title="Plan">
     Free feature
   </IdentityCardItem>
-
-  <IdentityCardItem icon="user" title="Role and permission">
+  <IdentityCardItem icon="user" title="Role & permission">
     Minimum "Access the API tokens settings page" in Roles > Settings - API tokens
   </IdentityCardItem>
-
   <IdentityCardItem icon="toggle-right" title="Activation">
     Available by default
   </IdentityCardItem>
-
   <IdentityCardItem icon="desktop" title="Environment">
     Available in both Development & Production environment
   </IdentityCardItem>
@@ -57,12 +57,12 @@ Most configuration options for API tokens are available in the admin panel, and
 
 **Path to configure the feature:** <Icon name="gear-six" /> _Settings > Global settings > API Tokens_
 
-The _API Tokens_ interface displays a table listing all of the created API tokens. More specifically, it displays each API token's name, description, date of creation, and date of last use.
+The _API Tokens_ interface displays a table listing all created content-api tokens.
 
 From there, you have the possibility to:
 
-- click on the <Icon name="pencil-simple" /> to edit an API token's name, description, type, duration or [regenerate the token](#regenerating-an-api-token).
-- click on the <Icon name="trash" /> to delete an API token.
+- click on the <Icon name="pencil-simple" /> to edit a token's name, description, type, duration or [regenerate the token](#regenerating-an-api-token).
+- click on the <Icon name="trash" /> to delete a token.
 
 :::note
 Strapi pre-generates 2 API tokens for you, a Full access one and a Read-only one. Since tokens can be only seen once without encryption configured, you may want to [regenerate](#regenerating-an-api-token) them after setting up an encryption key to make them permanently viewable.
@@ -72,6 +72,7 @@ Strapi pre-generates 2 API tokens for you, a Full access one and a Read-only one
 
 1. Click on the **Create new API Token** button.
 2. In the API token edition interface, configure the new API token:
+
    | Setting name | Instructions |
    | -------------- | ------------------------------------------------------------------------ |
    | Name | Write the name of the API token. |
@@ -135,7 +136,7 @@ module.exports = ({ env }) => ({
 
 <TabItem label="TypeScript" value="ts">
 
-```js title="/config/admin.ts"
+```ts title="/config/admin.ts"
 export default ({ env }) => ({
   // other config parameters
   secrets: {
@@ -149,6 +150,10 @@ export default ({ env }) => ({
 
 This key is used to encrypt and decrypt token values. Without this key, tokens remain usable, but will not be viewable after initial display. New Strapi projects will have this key automatically generated.
 
+:::tip
+For automation workflows that need to call the Admin API programmatically, use admin tokens instead. See [Admin Tokens](/cms/features/admin-tokens) for the full documentation.
+:::
+
 ## Usage
 
 Using API tokens allows executing a request on [REST API](/cms/api/rest) or [GraphQL API](/cms/api/graphql) endpoints as an authenticated user.