I'm working on a Strapi v5 server and have set up the following tables:
Referrant – has many Agents.
Agent – has many Referrants.
ReferrantToAgent – a conjunction table to handle the many-to-many relationship with extra data on each connection.
I also used the users-permissions plugin to create two end-user roles: Referrant and Agent.
I'm trying to fetch Agents for a specific Referrant — the flow is that a Referrant user logs in and should get a list of their Agents.
The API call looks like this:
GET /api/referrant-to-agent?filters[referrant][documentId][$eq]=SOME_REFERRANT_ID&populate=agent
When the ReferrantToAgent API permissions are set to Public, the request works fine.
However, when I restrict the permissions to the Referrant role (and authenticate with a valid JWT token), the same request fails with:
{
"error": {
"status": 400,
"name": "ValidationError",
"message": "Invalid key referrant",
"details": {
"key": "referrant",
"path": "referrant",
"source": "query",
"param": "filters"
}
}
}
Why does filtering by referrant work when public, but break when authenticated?
Any ideas how to fix this?
The issue happens because when a user is authenticated in Strapi, role-based permissions are enforced.
Specifically:
If the authenticated user's role does not have access to the referrant relation (even just for filtering), Strapi treats the field as non-existent.
As a result, any query trying to filter by referrant will fail with ValidationError - Invalid key referrant.
✅ Solution:
In Strapi Admin, go to:
Referrantrole.Under the permissions for the referrant & referrant-to-agent collections:
Save and try the request again.
You need to give the role access to both:
The referrant-to-agent API AND
The referrant API (because your query filters through a relation — Strapi internally fetches the referrant model too).