Skip to content

Strapi Admin JWT Secret

Service Name: Strapi

Service Description: Strapi is an open-source headless CMS (Content Management System) that allows developers to build, manage and distribute content through APIs. The Admin JWT Secret is used to sign and verify JSON Web Tokens (JWTs) for authentication in the Strapi admin panel.

Service Address: https://strapi.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the application level through middleware, but not directly at the JWT secret level.

Secret Access Scope: This secret grants the ability to generate and validate JWT tokens for Strapi admin authentication, potentially allowing full administrative access to the Strapi instance.

Secret Revokement URL: Does not exist (requires changing the secret in the Strapi configuration)

Secret Example: d7c3d6a0b8e9f4c2a5b6d8e9f7c4a3b2d1e0f9c8b7a6d5e4f3c2b1a0

Suspicious Activity Investigation Instructions:

  • Review Strapi logs for unusual admin login activities or API requests
  • Check for unauthorized content modifications or API endpoint access
  • Monitor for unexpected user account creations or permission changes
  • Examine server logs for unusual traffic patterns to admin endpoints
  • Review audit logs for administrative actions performed during suspicious timeframes

Mitigation Instructions:

  • Change the JWT secret in your Strapi configuration file (typically

config/server.js or environment variables)

  • Update the JWT_SECRET environment variable if using environment

configuration

  • Restart the Strapi application to apply the new secret
  • Force all users to log out and re-authenticate with the new secret
  • Review and potentially revoke admin user accounts that may have been

compromised

  • Consider implementing additional security measures like two-factor

authentication if available

  • Update any services that might be using the JWT secret for integration

purposes