# API tokens
Authentication strategies in Strapi can either be based on the use of the Users & Permissions plugin or on the built-in API token feature.
New API tokens are generated from the admin panel.
When performing a request to Strapi's REST API, the API token should be added to the request's
Authorization header with the following syntax:
Read-only API tokens can only access the
New API tokens are generated using a salt. This salt is automatically generated by Strapi and stored in
The salt can be customized:
- either by updating the string value for
./config/admin.js(see admin panel configuration documentation)
- or by creating an
API_TOKEN_SALTenvironment variable in the
.envfile of the project
Changing the salt invalidates all the existing API tokens.