# v4.0.x to v4.1.8 migration guide

The Strapi v4.0.x to v4.1.8 migration guide upgrades versions of v4.0.6 through v4.1.7 to v4.1.8. The minimum configuration for config/admin now includes the API token API_TOKEN_SALT. Strapi no longer populates default values for the admin JWT in config/admin. Initial values are generated and stored in the .env file during project creation. Strapi no longer passes secrets to non-development environments, requiring users to set the secrets purposefully. The migration to v4.1.8 consists of 4 steps:

  • adding the API token to config/admin,
  • removing the default ADMIN_JWT_SECRET (recommended for improved security),
  • configuring JWT_SECRET in config/plugins (recommended),
  • setting secrets for non-development environments.

# Modifying the config/admin file

By default, Strapi creates the environment variable API_TOKEN_SALT at project creation and populates it with a unique value, stored in /.env. In order to update config/admin:

  • add the apiToken object,
  • remove the comma and default value from the ADMIN_JWT_SECRET parenthetical.

# Configuring JWT_SECRET

JWT_SECRET is used by the Users and Permissions plugin, and populated in /.env. The property should be stored in config/plugins.js (or config/plugins.ts for a TypeScript project). The plugins file is not created by default in a Strapi application. If the file does not exist, users should create the file and add the following code snippet.
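The following is an added example, not the snippet from the original guide: it sketches config/admin before and after the change and config/plugins, and shows that once the default is removed an unset secret resolves to nothing and can be caught before deployment. `makeEnv`, `unsetPaths`, `unsetSecrets` and the `PLACEHOLDER_DEFAULT` value are hypothetical names introduced here; in a real project each config function is the export of its own file.

```javascript
// Simplified stand-in for the `env` helper Strapi passes to config files
// (assumption: only the env(name, defaultValue) call form is modelled).
const makeEnv = (vars) => (name, defaultValue) =>
  Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : defaultValue;

// config/admin before the migration. The default is a labelled placeholder,
// not a value taken from the guide.
const legacyAdminConfig = ({ env }) => ({
  auth: { secret: env('ADMIN_JWT_SECRET', 'PLACEHOLDER_DEFAULT') },
});

// config/admin after the migration: apiToken object added, default removed.
const adminConfig = ({ env }) => ({
  auth: { secret: env('ADMIN_JWT_SECRET') },
  apiToken: { salt: env('API_TOKEN_SALT') },
});

// config/plugins.js (or config/plugins.ts): secret for Users and Permissions.
const pluginsConfig = ({ env }) => ({
  'users-permissions': {
    config: { jwtSecret: env('JWT_SECRET') },
  },
});

// Walk a resolved config object and list the paths that hold no value.
function unsetPaths(config, prefix = '') {
  return Object.entries(config).flatMap(([key, value]) => {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === 'object') return unsetPaths(value, path);
    return value === undefined || value === null || value === '' ? [path] : [];
  });
}

// Resolve a config function against a set of environment variables and
// report which of its secrets were never set.
function unsetSecrets(configFn, vars) {
  return unsetPaths(configFn({ env: makeEnv(vars) }));
}

// Constructed sample: a non-development environment with one secret set.
const productionVars = { ADMIN_JWT_SECRET: 'constructed-sample-value' };

console.log(unsetSecrets(adminConfig, productionVars));
// → [ 'apiToken.salt' ]
console.log(unsetSecrets(pluginsConfig, productionVars));
// → [ 'users-permissions.config.jwtSecret' ]
```

With the pre-migration form, the same check reports nothing for an empty environment, because the default silently stands in for the missing secret.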

# Setting secrets for non-development environments

Users are required to set secrets for each unique environment, such as a production environment deployment on a platform. Strapi no longer passes the following secrets to non-development environments:

  • APP_KEYS
  • JWT_SECRET
  • API_TOKEN_SALT
  • ADMIN_JWT_SECRET

There are multiple methods to generate secrets, for example running openssl rand -base64 32 in the terminal (Mac and Linux OS). Generating unique secrets for each environment is recommended for increased security.

✋ CAUTION

The Hosting Provider Guides are being updated to reflect these changes. Community contributions updating the hosting guides are encouraged.