# Policies

Policies are functions that execute specific logic on each request before it reaches the controller. They are mostly used to secure business logic.

Each route of a Strapi project can be associated with an array of policies. For example, a policy named is-admin could check that the request is sent by an admin user and restrict access to critical routes.

Policies can be global or scoped. Global policies can be associated with any route in the project. Scoped policies only apply to a specific API or plugin.

# Implementation

A new policy can be implemented:

  • with the interactive CLI command strapi generate
  • or manually by creating a JavaScript file in the appropriate folder (see project structure):
    • ./src/policies/ for global policies
    • ./src/api/[api-name]/policies/ for API policies
    • ./src/plugins/[plugin-name]/policies/ for plugin policies

Global policy implementation example:

policyContext is a wrapper around the controller context. It adds some logic that is useful when implementing a policy for both REST and GraphQL.

Policies can be configured using a config object:

# Usage

To apply policies to a route, add them to its configuration object (see routes documentation).

Policies are referenced in different ways depending on their scope:

To list all the available policies, run yarn strapi policies:list.

# Global policies

Global policies can be associated with any route in a project.

# Plugin policies

Plugins can add and expose policies to an application. For example, the Users & Permissions plugin comes with policies to ensure that the user is authenticated or has the rights to perform an action:

# API policies

API policies are associated with the routes defined in the API where they have been declared.

To use a policy in another API, reference it with the following syntax: api::[apiName].[policyName]:
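The implementation and usage sections above, as an added example that is not from the Strapi documentation: two policies written with the Strapi v4 policy signature (policyContext, config, { strapi }) and a small stand-in runner that resolves global:: and api:: names from a route's policies array. The registry and runPolicies helper are assumptions for illustration, not Strapi APIs, and the route config and request contexts are constructed sample data.

```javascript
// Global policy, as it would live in ./src/policies/is-admin.js.
// Strapi calls a policy with (policyContext, config, { strapi }); returning
// true allows the request, anything else blocks it (403 in the real app).
const isAdmin = (policyContext, config, { strapi }) => {
  const user = policyContext.state.user; // set by the authentication layer
  return Boolean(user && user.role && user.role.type === 'admin');
};

// API policy, as in ./src/api/restaurant/policies/is-owner.js. It reads its
// config object so the route decides which body field must match the user id.
const isOwner = (policyContext, config, { strapi }) => {
  const user = policyContext.state.user;
  const field = config.field || 'owner';
  const body = policyContext.request.body || {};
  return Boolean(user && body[field] === user.id);
};

// Hypothetical registry keyed the way routes reference policies
// (global::<name> for ./src/policies, api::<api>.<name> for API policies).
const registry = {
  'global::is-admin': isAdmin,
  'api::restaurant.is-owner': isOwner,
};

// Hypothetical stand-in for Strapi's route runner: evaluates each entry of a
// route's policies array in order and stops at the first one that denies.
function runPolicies(routeConfig, policyContext, strapi = {}) {
  for (const entry of routeConfig.policies || []) {
    const name = typeof entry === 'string' ? entry : entry.name;
    const config = typeof entry === 'string' ? {} : entry.config || {};
    const policy = registry[name];
    if (!policy) throw new Error(`Unknown policy ${name}`);
    if (policy(policyContext, config, { strapi }) !== true) {
      return { allowed: false, deniedBy: name };
    }
  }
  return { allowed: true, deniedBy: null };
}

// Constructed sample data: a route config mixing a plain string reference and
// an object reference carrying a config, plus a minimal policyContext builder.
const route = {
  policies: [
    'global::is-admin',
    { name: 'api::restaurant.is-owner', config: { field: 'owner' } },
  ],
};
const ctx = (user, body) => ({ state: { user }, request: { body } });
```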