kapsys logo
CMS authentication
Back to blog
  • User Experience

CMS Authentication and Permissions: Setting Up User Roles And Security Measures In Strapi

03 October 2023 by Sara Wahba

Regarding content management systems (CMS), Strapi has gained significant popularity for its flexibility, customization options, and developer-friendly approach. However, like any web application, ensuring robust CMS authentication and permission management is crucial to maintaining the security and integrity of your Strapi CMS.

Join Kapsys to explore Strapi CMS authentication and permissions and how to set up user roles and security measures effectively.

Sign up to our blog to stay tuned about the latest industry news.

What is Strapi CMS?


Before we dive into CMS authentication and permissions, let's clarify what Strapi CMS is. Strapi is an open-source headless content management system with a flexible and decoupled approach. It empowers developers to create, manage, and deliver content via APIs, making it ideal for modern web and mobile app development. 

Built on Node.js, Strapi controls the presentation layer while offering a structured content management system on the backend. With this understanding, let's secure Strapi through CMS authentication and permissions.

What Do You Need? 

Ensure these critical prerequisites before setting up CMS authentication in Strapi:

  • Node.jsStrapi CLI: Install Node.js and the Strapi CLI for project management.

  • Database: Choose and configure your database (SQLitePostgreSQLMySQL, or MongoDB).

  • User Content Type: If using Strapi's user authentication, set up a "User" content type with essential fields.

  • JWT Secret: Generate a secure JWT secret for authentication.

  • HTTPS (Recommended): Implement HTTPS with an SSL/TLS certificate for enhanced security.

These essentials lay the foundation for a secure CMS authentication setup in your Strapi project. For detailed configurations, refer to Strapi's documentation.

CMS Authentication in Strapi

Authentication is the process of verifying the identity of a user, ensuring they are who they claim to be. Strapi provides robust CMS authentication mechanisms to safeguard your CMS and control access to its features.

JWT (JSON Web Tokens) authentication

JWT is a popular method for securing API endpoints. Strapi can be configured to use JWT for CMS authentication, ensuring that users who log in receive a token that must be included in subsequent API requests. This token validates the user's identity and permissions.

  • How it works: Strapi generates a JWT token that includes user information and a signature when a user logs in. This token is then sent to the client and should be included in subsequent requests to protected endpoints. The server can verify the token's signature and extract user data to ensure its authenticity.

  • Configuring JWT in Strapi: You can configure JWT settings in the config/plugins.js file by specifying a secret key, expiration time, and other options.

module.exports = ({ env }) => ({

  // ...

  jwt: {

    secret: env('JWT_SECRET', 'your-secret-key'),

    expires: '1d', // Token expiration time


  // ...


OAuth authentication

Strapi supports OAuth authentication, allowing users to log in using their existing accounts from various third-party providers, such as Google, Facebook, Twitter, and GitHub. OAuth is a convenient user registration and login method because it leverages established CMS authentication systems.

  • How it works: Strapi integrates with OAuth providers by configuring client IDs and secrets obtained from those providers. Users can then log in with their OAuth accounts, and Strapi handles the CMS authentication process with the provider.

  • Configuring in Strapi: To configure OAuth in Strapi, you typically need to set up OAuth apps on the chosen providers' developer platforms and obtain client IDs and secrets. These credentials are then added to your Strapi project's settings.

Local authentication

Local authentication is the traditional username and password-based CMS authentication method. It's the default method for user registration and login in Strapi.

  • How it works: Users create accounts by providing a username and password, and these credentials are stored securely in the Strapi database. Users can log in using their registered username and password.
  • Configuring in Strapi: Local authentication is available by default in Strapi when you create a User Content Type. You can customize the registration and login processes to implement features like password hashing, validation, and account verification.

Role-based authentication

Strapi allows you to define custom user roles and permissions essential for role-based authentication. While this is not an authentication method, it's a critical access control component within your Strapi application.

  • How it works: You can create roles with specific permissions, and users are assigned to them. Users with different functions can access other parts of your application. For example, an "Admin" role may have full access, while a "Guest" role may have limited access.

  • Configuring Role-Based Authentication in Strapi: You can create and configure custom roles and permissions in the Strapi admin panel or programmatically via the Strapi API.

CMS authentication policies

Strapi also offers CMS authentication policies, which allow you to implement specific rules and checks before granting access to resources. You can use guidelines to add an extra layer of security, such as ensuring that only authenticated users can access certain routes or perform specific actions.

So, as we established, CMS authentication is the crucial process of confirming a user's identity, assuring they are indeed who they assert to be. Strapi equips you with powerful authentication methods, fortifying your CMS's security and regulating access to its functionalities. 

Now, let's move to the actionable steps.

what is strap cms

Setting Up User Roles in Strapi

Configuring user roles in Strapi is crucial in securing your CMS authentication. Let's go through the process of setting up user roles and permissions.

Step 1. Create custom roles

To create custom roles in Strapi, follow these steps:

  • Access the Strapi admin panel.

  • Navigate to the "Settings" tab.

  • Click on "User & Permissions Plugin."

  • Under the "Roles" section, click "Add New Role."

You can name your role and define its permissions. For example, you might create a "Writer" role to create and edit blog posts without deleting or accessing user data.

Step 2. Assign roles to users

After creating roles, you need to assign them to users. Here's how:

  • Navigate to the "Users" section in the Strapi admin panel.

  • Select the user you want to give a role to.

  • In the user settings, you can set one or more positions for the user.

This gives you granular control over who can perform specific actions within your Strapi CMS.

Step 3. Test user roles

Testing is crucial in ensuring your roles and permissions are correctly configured. Create test users for each position and thoroughly evaluate their access rights. Adjust permissions as needed to maintain a secure environment.

Configuring user roles in Strapi is essential for securing your CMS authentication, and this involves creating custom roles, assigning them to users, and rigorously testing access rights to maintain a secure environment.

Read: How To Customize Strapi CMS: Adding Plugins And Modifying Configurations

Security Measures for Strapi CMS

In addition to role-based CMS authentication and permissions, there are several security measures you should consider implementing to enhance the overall security of your Strapi CMS.


Ensure your Strapi instance is served over HTTPS to encrypt data in transit, preventing eavesdropping and man-in-the-middle attacks.

2. Strong password policies

Implement password policies that require users to create strong, complex passwords. Strapi provides options for setting password strength rules.

3. Regular updates

Keep your Strapi installation up to date. Updates often include security patches and bug fixes, reducing vulnerabilities.

4. Rate limiting

Implement rate limiting on your API endpoints to prevent brute force attacks and abuse.

5. CORS configuration

Configure Cross-Origin Resource Sharing (CORS) to restrict which domains can access your Strapi APIs.

6. Monitor and Audit

Regularly monitor your Strapi CMS for suspicious activities and conduct security audits to identify and address potential vulnerabilities.

strapi cms


Strapi CMS offers flexibility and customization, but it's crucial to secure it properly. You create a robust and safe environment by implementing strong CMS authentication, defining user roles, and following security best practices. Stay updated on security and best practices for ongoing safety.

With knowledge about Strapi's authentication and permissions, you can confidently enhance security in your content-driven projects.

Take advantage of more information; keep up with Kapsys!