API configuration#
`/config/api` centralizes response privacy, REST defaults (prefix, pagination limits, max request size), and strict parameter validation for both the REST Content API and the Document Service.General settings for API calls can be set in the ./config/api.js (or ./config/api.ts) file. Both rest and documents options live in this single config file.
| Property | Description | Type | Default |
|---|---|---|---|
responses | Global API response configuration | Object | - |
responses.privateAttributes | Set of globally defined attributes to be treated as private. | String array | [] |
rest | REST API configuration | Object | - |
rest.prefix | The API prefix | String | /api |
rest.defaultLimit | Default limit parameter used in API calls (see REST API documentation) | Integer | 25 |
rest.maxLimit | Maximum allowed number that can be requested as limit (see REST API documentation). | Integer | 100 |
rest.strictParams | When true, only allowed query and body parameters are accepted on Content API routes; unknown top-level keys are rejected. Add allowed parameters via Custom Content API parameters in register. | Boolean | - |
documents | Document Service configuration | Object | - |
documents.strictParams | When true, Document Service methods reject parameters with unrecognized root-level keys (e.g., invalid status, locale). When false or unset, unknown parameters are ignored. See Document Service API. | Boolean | - |
Example:
module.exports = ({ env }) => ({
responses: {
privateAttributes: ['_v', 'id', 'created_at'],
},
rest: {
prefix: '/v1',
defaultLimit: 100,
maxLimit: 250,
strictParams: true, // only allow parameters defined on routes or added via contentAPI.addQueryParams/addInputParams
},
documents: {
strictParams: true, // reject unrecognized root-level parameters in strapi.documents() calls
},
});
export default ({ env }) => ({
responses: {
privateAttributes: ['_v', 'id', 'created_at'],
},
rest: {
prefix: '/v1',
defaultLimit: 100,
maxLimit: 250,
strictParams: true, // only allow parameters defined on routes or added via contentAPI.addQueryParams/addInputParams
},
documents: {
strictParams: true, // reject unrecognized root-level parameters in strapi.documents() calls
},
});