How to Add and Remove Users in Strapi

Comprehensive guide for creating, managing, and removing user accounts in Strapi CMS, covering both Admin Panel and API approaches.

Prerequisites

To manage users, you must have:

• Super Admin role in Strapi
• Access to Strapi Admin Panel
• Understanding of Strapi roles and permissions
• For API access: Authentication token

Required permissions:

• admin::users.create - Create users
• admin::users.read - View users
• admin::users.update - Edit users
• admin::users.delete - Remove users

Strapi versions covered:

• Strapi v4 (primary focus)
• Strapi v3 (legacy, basic coverage)

Understanding Strapi User Structure

Admin Users vs. End Users

Strapi distinguishes between two user types:

Admin Users (Content Creators):

• Access Strapi Admin Panel
• Manage content and settings
• Defined by Admin Panel roles
• Located in admin::user collection

End Users (Application Users):

• Frontend application users
• Access via API only
• Defined by custom roles
• Located in plugin::users-permissions.user collection

This guide covers: Admin Users (content management team)

User Components

Admin User
├── Basic Info (name, email)
├── Credentials (password)
├── Role (permissions)
├── Active Status
└── Profile (optional fields)

Adding Admin Users to Strapi

Method 1: Admin Panel (GUI)

Best for: Adding individual administrators and editors

Step 1: Access User Management

Strapi v4:

Settings → Administration Panel → Users

Or:

Settings (gear icon) → Users

Step 2: Create New User

1. Click "Add new user" button (top right)

2. Enter user information:

Required fields:

• First name: User's first name
  • Example: John
• Last name: User's last name
  • Example: Doe
• Email: Unique email address
  • Example: john.doe@company.com
  • Used for login
• Password: Initial password
  • Min 8 characters
  • Strong password recommended
  • User can change later

Optional fields:

• Username: Display name (defaults to email)
• Active: Enable/disable account (check to activate)

3. Assign Role:

Select from dropdown:

• Super Admin - Full system access
• Editor - Content management
• Author - Create own content
• Custom roles - Organization-specific

See Roles & Permissions for details.

4. Click "Save" to create user

Step 3: User Notification

Email notification:

• Strapi does NOT automatically email new users
• Manually share credentials
• Or configure email plugin for invitations

Best practice: Enable email plugin and send invitation:

// Custom email invitation (requires email plugin)
await strapi.plugins['email'].services.email.send({
  to: 'john.doe@company.com',
  from: 'admin@yourapp.com',
  subject: 'Welcome to Strapi CMS',
  text: `Your account has been created.
         Email: john.doe@company.com
         Password: [provided separately]
         Login: ${process.env.ADMIN_URL}/admin`
});

Method 2: Programmatic User Creation (API)

Best for: Bulk user creation, automation, custom registration

Using Strapi API (Authenticated)

// Create admin user via API
async function createAdminUser() {
  const response = await fetch('http://localhost:1337/admin/users', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${adminToken}`
    },
    body: JSON.stringify({
      firstname: 'John',
      lastname: 'Doe',
      email: 'john.doe@company.com',
      password: 'SecurePassword123!',
      roles: [roleId], // Role ID from admin::role
      isActive: true
    })
  });

  const user = await response.json();
  console.log('User created:', user);
  return user;
}

Using Strapi Entity Service

// Create user programmatically (in Strapi backend)
const newUser = await strapi.entityService.create('admin::user', {
  data: {
    firstname: 'John',
    lastname: 'Doe',
    email: 'john.doe@company.com',
    password: 'SecurePassword123!',
    roles: [roleId],
    isActive: true
  }
});

console.log('Created user:', newUser.id);

Bulk User Creation Script

// Bulk create admin users
const users = [
  { firstname: 'John', lastname: 'Doe', email: 'john@company.com', role: 'Editor' },
  { firstname: 'Jane', lastname: 'Smith', email: 'jane@company.com', role: 'Author' },
  { firstname: 'Bob', lastname: 'Johnson', email: 'bob@company.com', role: 'Editor' }
];

async function bulkCreateUsers(users) {
  for (const userData of users) {
    // Get role ID
    const role = await strapi.db.query('admin::role').findOne({
      where: { name: userData.role }
    });

    if (!role) {
      console.error(`Role not found: ${userData.role}`);
      continue;
    }

    // Create user
    try {
      const user = await strapi.entityService.create('admin::user', {
        data: {
          firstname: userData.firstname,
          lastname: userData.lastname,
          email: userData.email,
          password: 'TempPassword123!', // Should be changed on first login
          roles: [role.id],
          isActive: true
        }
      });

      console.log(`Created: ${user.email}`);
    } catch (error) {
      console.error(`Failed to create ${userData.email}:`, error.message);
    }
  }
}

// Run bulk creation
bulkCreateUsers(users);

Method 3: Command Line (strapi CLI)

Creating super admin via CLI:

# During initial setup
npm run strapi admin:create-user

# Follow prompts:
# - Email
# - Password
# - First name
# - Last name

Note: This creates a Super Admin. For other roles, use Admin Panel or API.

Managing Existing Users

View All Users

Admin Panel:

Settings → Users

Displays:

• User name
• Email address
• Role
• Active status
• Last login (if available)

Filter and search:

• Search by name or email
• Filter by role
• Filter by active/inactive

Edit User Information

Via Admin Panel:

1. Settings → Users
2. Click user to edit
3. Modify fields:
   • First name / Last name
   • Email
   • Username
   • Active status
   • Role assignment
4. Save changes

Via API:

// Update user
await strapi.entityService.update('admin::user', userId, {
  data: {
    firstname: 'Updated Name',
    email: 'newemail@company.com',
    isActive: false, // Disable user
    roles: [newRoleId] // Change role
  }
});

Change User Role

Via Admin Panel:

1. Edit user
2. Roles dropdown
3. Select new role
4. Save

Via API:

// Change user role
const editorRole = await strapi.db.query('admin::role').findOne({
  where: { name: 'Editor' }
});

await strapi.entityService.update('admin::user', userId, {
  data: {
    roles: [editorRole.id]
  }
});

Reset User Password

As administrator:

1. Edit user
2. Enter new password
3. Save

User self-reset:

• Login page → "Forgot password"
• Requires email plugin configured
• Receives reset link via email

Programmatically:

// Reset password
const bcrypt = require('bcryptjs');
const hashedPassword = await bcrypt.hash('NewPassword123!', 10);

await strapi.entityService.update('admin::user', userId, {
  data: {
    password: hashedPassword
  }
});

Activate/Deactivate User

Temporary deactivation (preserve account):

Via Admin Panel:

1. Edit user
2. Uncheck "Active"
3. Save

Effect: User cannot log in, but account preserved.

Via API:

// Deactivate user
await strapi.entityService.update('admin::user', userId, {
  data: { isActive: false }
});

// Reactivate user
await strapi.entityService.update('admin::user', userId, {
  data: { isActive: true }
});

Removing Admin Users from Strapi

Pre-Removal Checklist

Before deleting a user:

• Review content ownership: Content created by user
• Reassign content: If necessary
• Export user data: For records
• Document removal: Reason and date
• Verify no active sessions: Log user out
• Check dependencies: Any automations or integrations using this user

Method 1: Delete via Admin Panel

Step 1: Access Users

Settings → Users

Step 2: Delete User

1. Click user to view/edit
2. Click "Delete" button (bottom right or top)
3. Confirmation dialog:

   Are you sure you want to delete this user?
   This action cannot be undone.
   

4. Click "Confirm" to delete

What gets deleted:

• User account
• User profile data
• User sessions
• Role assignments

What's preserved:

• Content created by user (not deleted)
• Activity logs (if enabled)
• Audit trails

Method 2: Delete via API

// Delete admin user
await strapi.entityService.delete('admin::user', userId);

console.log(`User ${userId} deleted`);

Safe Deletion (Check Dependencies First)

async function safeDeleteUser(userId) {
  // Check if user exists
  const user = await strapi.entityService.findOne('admin::user', userId);
  if (!user) {
    throw new Error('User not found');
  }

  // Check if it's the only Super Admin (prevent deletion)
  const roles = await strapi.db.query('admin::role').findMany({
    where: { name: 'Super Admin' }
  });

  const superAdminRole = roles[0];
  if (user.roles.some(r => r.id === superAdminRole.id)) {
    // Count super admins
    const superAdmins = await strapi.db.query('admin::user').count({
      where: {
        roles: {
          id: superAdminRole.id
        },
        isActive: true
      }
    });

    if (superAdmins <= 1) {
      throw new Error('Cannot delete the only Super Admin');
    }
  }

  // Safe to delete
  await strapi.entityService.delete('admin::user', userId);
  return true;
}

Method 3: Disable Instead of Delete

Recommended approach for audit trail:

Benefits:

• Preserves user data
• Maintains audit history
• Can be reactivated
• Safer than permanent deletion

Implementation:

// Disable user instead of deleting
await strapi.entityService.update('admin::user', userId, {
  data: {
    isActive: false,
    email: `deleted_${Date.now()}_${user.email}` // Prevent email reuse
  }
});

Special Scenarios

Cannot Delete Super Admin

Strapi prevents deletion of last Super Admin.

Ensure:

• At least 2 Super Admins exist
• Or promote another user first
• Then delete

Process:

1. Create new Super Admin
2. Verify they can log in
3. Then delete old Super Admin

Emergency Access Revocation

Security incident:

Immediate steps:

1. Disable user (Settings → Users → Uncheck Active)
2. Change their password to random string
3. Review recent activity:
   • Check content changes
   • Review API token usage
   • Audit admin actions
4. Revoke API tokens (if any)
5. Clear sessions:

   await strapi.admin.services.token.revoke(userId);
   

Post-incident:

• Full security audit
• Review all user permissions
• Update security policies
• Document incident

Bulk User Deletion

// Delete inactive users (inactive for 90+ days)
async function deleteInactiveUsers(daysInactive = 90) {
  const cutoffDate = new Date();
  cutoffDate.setDate(cutoffDate.getDate() - daysInactive);

  const inactiveUsers = await strapi.db.query('admin::user').findMany({
    where: {
      isActive: false,
      updatedAt: {
        $lt: cutoffDate
      }
    }
  });

  for (const user of inactiveUsers) {
    // Skip if Super Admin (safety check)
    const isSuperAdmin = user.roles.some(r => r.name === 'Super Admin');
    if (isSuperAdmin) continue;

    await strapi.entityService.delete('admin::user', user.id);
    console.log(`Deleted inactive user: ${user.email}`);
  }
}

User Registration (End Users)

For frontend/API users (not admin users):

Enable User Registration

Via Admin Panel:

Settings → Users & Permissions Plugin → Advanced Settings

Enable:

• ☑ Enable sign-ups
• ☑ Email confirmation (optional)
• Set default role for new users

API Endpoint for Registration

// Public registration endpoint
POST /api/auth/local/register

// Request body
{
  "username": "john_doe",
  "email": "john@example.com",
  "password": "SecurePassword123!"
}

// Response
{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR...",
  "user": {
    "id": 1,
    "username": "john_doe",
    "email": "john@example.com"
  }
}

Best Practices

Adding Users

Security first:

• ✓ Strong password requirements (min 12 chars)
• ✓ Assign minimum necessary role
• ✓ Enable 2FA (if available)
• ✓ Document user purpose
• ✓ Set review date for temporary access
• ✗ Don't share Super Admin access widely
• ✗ Don't use weak passwords

Onboarding checklist:

• Create user account
• Assign appropriate role
• Send credentials securely
• Provide admin panel training
• Document responsibilities
• Set access review date

Removing Users

Clean offboarding:

• ✓ Disable same day as departure
• ✓ Review their content contributions
• ✓ Revoke API tokens
• ✓ Document removal reason
• ✓ Export data if needed
• ✗ Don't delay deactivation
• ✗ Don't leave inactive accounts

Audit trail:

• Log removal date
• Note who performed removal
• Document reason
• Keep for compliance

Regular Maintenance

Monthly review:

• List all active users
• Verify each still needs access
• Check for inactive accounts (90+ days)
• Review role assignments
• Remove unnecessary users

Troubleshooting

Cannot Create User - Email Exists

Error: "Email already in use"

Solutions:

• Check existing users list
• User may have been deleted but email persists
• Use different email
• Reactivate old account if appropriate

User Cannot Log In After Creation

Check:

1. Active checkbox is checked
2. Password correct (case-sensitive)
3. Email correct
4. User role has admin panel access
5. No browser cache issues

Fix:

• Verify user is active
• Reset password
• Clear browser cache
• Try incognito/private mode

Deleted User's Content Missing

Strapi doesn't delete content when removing users.

If content missing:

• Check content filters
• Verify published status
• Check user ID association
• Review content deletion logs

Cannot Delete Super Admin

Expected: Prevents deletion of sole Super Admin.

Solution:

1. Create additional Super Admin
2. Verify new admin can log in
3. Then delete old Super Admin

Next Steps

• Strapi Roles & Permissions - Understanding roles and access control
• Strapi User Management - Overview
• Strapi Documentation - Official docs

Related Resources

• Strapi Admin Panel
• Strapi API Reference
• Users & Permissions Plugin