Commit fb9286e

pwizla authored and web-flow committed
Add security tip to API Tokens documentation (#2846)
* docs(backend): correct TypeScript code fences in TS tabs (controllers, services, middlewares, routes)
* docs(bundlers): clarify webpack config example rename and JS/TS filenames
* docs(routes): add guidance to prefer fully-qualified handler names in custom routers
* docs(api-tokens): add concise security tip (least privilege, rotation, secrets manager)
* Limit PR scope based on title; keep only intended doc(s); revert unrelated files
* API Tokens docs: change security tip to a caution callout with title (PR #2846)
* Apply suggestion from @pwizla

---------

Co-authored-by: GitHub Actions <[email protected]>
1 parent bfa5c7d commit fb9286e

1 file changed

+4
-0
lines changed

docusaurus/docs/cms/features/api-tokens.md

Lines changed: 4 additions & 0 deletions
@@ -19,6 +19,10 @@ API tokens provide scoped authentication for REST and GraphQL requests without e
1919

2020
API tokens allow users to authenticate REST and GraphQL API queries (see [APIs introduction](/cms/api/content-api)).
2121

22+
:::caution Security
23+
Prefer read‑only tokens for public access, scope server tokens to only what you need, rotate long‑lived tokens, and store them in a secrets manager. Never expose admin tokens in client‑side code.
24+
:::
25+
2226
<IdentityCard>
2327
<IdentityCardItem icon="layout" title="Plan">
2428
Free feature
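
Review bot: The last sentence of the added caution (new line 23), "Never expose admin tokens in client‑side code", names only admin tokens, so a reader can infer that other tokens are safe to embed in client-side code, and the opening "Prefer read‑only tokens for public access" reinforces that reading. Suggest stating that any token shipped to a browser is readable by anyone and should be treated as public, and either defining "admin tokens" or using a term the page already defines, since the visible context does not define it. The same line packs four separate recommendations into one sentence; a short list would scan better, and "rotate long‑lived tokens" would be more actionable with a link to wherever this page documents token duration or regeneration, if it does. Minor: the hyphens in "read‑only", "long‑lived" and "client‑side" look like non-breaking hyphens (U+2011) rather than ASCII "-", which breaks in-page search and grep for those terms.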
