Skip to main content

Admin panel configuration

The ./config/admin.js is used to define admin panel configuration for the Strapi application.

Available options

The ./config/admin.js file can include the following parameters:

apiToken.saltSalt used to generate API tokensstringRandom string
auditLogs.enabledEnable or disable the Audit Logs featurebooleantrue
auditLogs.retentionDaysHow long Audit Logs are kept, in days.

The behavior differs for self-hosted vs. Strapi Cloud customers, see the note under the table.
authAuthentication configurationobject-
auth.secretSecret used to encode JWT tokensstringundefined
auth.optionsOptions object passed to jsonwebtokenobject-
auth.options.expiresInJWT expire time used in jsonwebtokenobject30d
auth.eventsRecord of all the events subscribers registered for the authenticationobject{} called when an admin user log in successfully to the administration panelfunctionundefined called when an admin user fails to log in to the administration panelfunctionundefined
urlUrl of your admin panel. Default value: /admin. Note: If the url is relative, it will be concatenated with url.string/admin
autoOpenEnable or disable administration opening on start.booleantrue
watchIgnoreFilesAdd custom files that should not be watched during development. See more here (property ignored).array(string)[]
hostUse a different host for the admin panel. Only used along with strapi develop --watch-adminstringlocalhost
portUse a different port for the admin panel. Only used along with strapi develop --watch-adminstring8000
serveAdminPanelIf false, the admin panel won't be served. Note: the index.html will still be served, see defaultIndex optionbooleantrue
forgotPasswordSettings to customize the forgot password email (see Forgot Password Email)object{}
forgotPassword.emailTemplateEmail template as defined in email pluginobjectDefault template
forgotPassword.fromSender mail addressstringDefault value defined in
your provider configuration
forgotPassword.replyToDefault address or addresses the receiver is asked to reply tostringDefault value defined in
your provider configuration
rateLimitSettings to customize the rate limiting of the admin panel's authentication endpoints, additional configuration options come from koa2-ratelimitobject{}
rateLimit.enabledEnable or disable the rate limiterbooleantrue
rateLimit.intervalTime window for requests to be considered as part of the same rate limiting bucketobject{ min: 5 }
rateLimit.maxMaximum number of requests allowed in the time windowinteger5
rateLimit.delayAfterNumber of requests allowed before delaying responsesinteger1
rateLimit.timeWaitTime to wait before responding to a request (in milliseconds)integer3000
rateLimit.prefixKeyPrefix for the rate limiting keystring${userEmail}:${ctx.request.path}:${ctx.request.ip}
rateLimit.whitelistArray of IP addresses to whitelist from rate limitingarray(string)[]
rateLimit.storeRate limiting storage location (Memory, Sequelize, or Redis) and for more information please see the koa2-ratelimit documentationobjectMemoryStore
transfer.token.saltSalt used to generate Transfer tokens.
If no transfer token salt is defined, transfer features will be disabled.
stringRandom string
✏️ Retention days for self-hosted vs. Strapi Cloud users

For Strapi Cloud customers, the auditLogs.retentionDays value stored in the license information is used, unless a smaller retentionDays value is defined in the config/admin.js|ts configuration file.


The ./config/admin.js file should at least include a minimal configuration with required parameters for authentication and API tokens. Additional parameters can be included for a full configuration.

✏️ Note

Environmental configurations (i.e. using the env() helper) do not need to contain all the values so long as they exist in the default ./config/server.js.

The default configuration created with any new project should at least include the following:


module.exports = ({ env }) => ({
apiToken: {
salt: env('API_TOKEN_SALT', 'someRandomLongString'),
auditLogs: { // only accessible with an Enterprise plan
enabled: env.bool('AUDIT_LOGS_ENABLED', true),
auth: {
secret: env('ADMIN_JWT_SECRET', 'someSecretKey'),
transfer: {
token: {
salt: env('TRANSFER_TOKEN_SALT', 'anotherRandomLongString'),