strapi · pwizla · May 12, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
@@ -54,6 +54,10 @@ Heading Conventions
 - Use H2 for major sections (Configuration, Usage); H3 for subsections.
 - Keep headings action‑oriented and specific (e.g., “Admin panel configuration”, not “Configuration details”).
 
+Sidebar
+- Feature pages use flat `type: 'doc'` entries in `sidebars.js`. Never create, replace, or convert them to `type: 'category'` entries.
+- If a feature has sub-pages (e.g., API references), link to them from the page content using `<CustomDocCardsWrapper>` and `<CustomDocCard>` components — not via sidebar nesting.
+
 Cross‑linking
 - Link to related features (e.g., Content‑type Builder, Content Manager) and relevant API references.
 - Prefer relative links within `/cms/` and use the consistent link text used across docs.

@@ -191,13 +191,14 @@ Beyond the 12 rules, also check for:
 - **Severity:** warning
 - **Note:** Strapi documentation always uses absolute-style paths starting with `/`. The `./` relative prefix should not appear in documentation prose or code examples referencing project file paths.
 
-### Em dashes
-- **Detect:** Em dashes (—) anywhere in prose
+### Em dashes and double hyphens
+- **Detect:** Em dashes (—) and double hyphens used as dashes ( -- ) anywhere in prose
 - **Severity:** error
-- **Note:** Em dashes are not used in Strapi technical documentation. They are a common signal of AI-generated text. Replace with a colon, a period, or restructure the sentence.
+- **Note:** Neither em dashes nor double hyphens are used as dashes in Strapi technical documentation. They are a common signal of AI-generated text. Replace with a colon, a period, parentheses, or restructure the sentence.
   - `"Status — shows the current state"` → `"Status: shows the current state"`
   - `"The button — visible only to admins — opens the panel"` → `"The button opens the panel. It is only visible to admins."`
-- **Exception:** Em dashes inside HTML comments (`<!-- ... -->`) and inside hyperlink text that references an external page title should NOT be flagged.
+  - `"the token -- received by email"` → `"the token (received by email)"`
+- **Exception:** Em dashes and double hyphens inside HTML comments (`<!-- ... -->`), code fences, and inside hyperlink text that references an external page title should NOT be flagged.
 
 ### Consistency
 - **Detect:** Inconsistent terminology within the same document (e.g., "admin panel" vs "Admin Panel" vs "administration panel"); inconsistent heading capitalization

diff --git a/docusaurus/docs/cms/backend-customization/examples/authentication.md b/docusaurus/docs/cms/backend-customization/examples/authentication.md
@@ -6,12 +6,8 @@ pagination_prev: cms/backend-customization/examples
 pagination_next: cms/backend-customization/examples/services-and-controllers
 ---
 
-import NotV5 from '/docs/snippets/_not-updated-to-v5.md'
-
 # Examples cookbook: Authentication flow with JWT
 
-<NotV5/>
-
 :::prerequisites
 This page is part of the back end customization examples cookbook. Please ensure you've read its [introduction](/cms/backend-customization/examples).
 :::
@@ -99,7 +95,8 @@ const Login = () => {
         body: JSON.stringify(values),
       });
       /**
-       * Gets the JWT from the server response
+       * Gets the JWT from the server response.
+       * The actual response is { jwt, user }, but we only need the JWT here.
        */
       const { jwt } = await res.json();
       /**
@@ -145,7 +142,7 @@ const Login = () => {
 export default Login;
 ```
 
-## Enhanced Authentication with Session Management
+## Enhanced authentication with session management
 
 The above example uses the traditional JWT approach. For enhanced security, you can enable session management mode in your Users & Permissions configuration, which provides shorter-lived access tokens and refresh token functionality.
 
@@ -159,16 +156,18 @@ module.exports = ({ env }) => ({
     config: {
       jwtManagement: 'refresh',
       sessions: {
-        accessTokenLifespan: 604800, // 1 week (default)
-        maxRefreshTokenLifespan: 2592000, // 30 days
-        idleRefreshTokenLifespan: 604800, // 7 days
+        accessTokenLifespan: 600, // 10 minutes (default)
+        maxRefreshTokenLifespan: 2592000, // 30 days (default)
+        idleRefreshTokenLifespan: 1209600, // 14 days (default)
+        maxSessionLifespan: 86400, // 1 day (default)
+        idleSessionLifespan: 7200, // 2 hours (default)
       },
     },
   },
 });
 ```
 
-### Enhanced Login Component
+### Enhanced login component
 
 Here's an updated login component that handles both JWT and refresh tokens:
 
@@ -257,7 +256,6 @@ const EnhancedLogin = () => {
 
 export default EnhancedLogin;
 ```
-```
 
 <br />
 

diff --git a/docusaurus/docs/cms/configurations/users-and-permissions-providers/auth-zero.md b/docusaurus/docs/cms/configurations/users-and-permissions-providers/auth-zero.md
@@ -3,7 +3,7 @@ title: Auth0 provider setup for Users & Permissions
 description: Learn how to setup the Auth0 provider for the Users & Permissions feature.
 displayed_sidebar: cmsSidebar
 tags:
-- users and permissions
+- users & permissions
 - providers
 - configuration
 - customization
@@ -22,7 +22,7 @@ You have read the [Users & Permissions providers documentation](/cms/configurati
 ## Auth0 configuration
 
 :::note
-AWS Cognito accepts the `localhost` urls. <br/>
+Auth0 accepts the `localhost` URLs. <br/>
 The use of `ngrok` is not needed.
 :::
 

diff --git a/docusaurus/docs/cms/configurations/users-and-permissions-providers/cas.md b/docusaurus/docs/cms/configurations/users-and-permissions-providers/cas.md
@@ -1,9 +1,9 @@
 ---
 title: CAS provider setup for Users & Permissions
-description: Learn how to setup the CAS provider for the Users & Permissions feature.
+description: Learn how to set up the CAS provider for the Users & Permissions feature.
 displayed_sidebar: cmsSidebar
 tags:
-- users and permissions
+- users & permissions
 - providers
 - configuration
 - customization
@@ -13,7 +13,7 @@ import ConfigDone from '/docs/snippets/u-and-p-provider-config-done.md'
 
 # CAS provider setup for Users & Permissions
 
-The present page explains how to setup the Auth0 provider for the [Users & Permissions feature](/cms/features/users-permissions).
+The present page explains how to set up the CAS provider for the [Users & Permissions feature](/cms/features/users-permissions).
 
 :::prerequisites
 You have read the [Users & Permissions providers documentation](/cms/configurations/users-and-permissions-providers).
@@ -58,7 +58,7 @@ The use of `ngrok` is not needed.
 
 ## Strapi configuration
 
-1. Visit the User & Permissions provider settings page at <ExternalLink to="http://localhost:1337/admin/plugins/users-permissions/providers" text="http://localhost:1337/admin/plugins/users-permissions/providers"/>
+1. Visit the User & Permissions provider settings page at <ExternalLink to="http://localhost:1337/admin/settings/users-permissions/providers" text="http://localhost:1337/admin/settings/users-permissions/providers"/>
 2. Click on the **CAS** provider
 3. Fill the information:
    - **Enable**: `ON`

diff --git a/docusaurus/docs/cms/configurations/users-and-permissions-providers/instagram.md b/docusaurus/docs/cms/configurations/users-and-permissions-providers/instagram.md
@@ -3,7 +3,7 @@ title: Instagram provider setup for Users & Permissions
 description: Learn how to setup the Instagram provider for the Users & Permissions feature.
 displayed_sidebar: cmsSidebar
 tags:
-- users and permissions
+- users & permissions
 - providers
 - configuration
 - customization
@@ -19,6 +19,10 @@ The present page explains how to setup the Instagram provider for the [Users & P
 You have read the [Users & Permissions providers documentation](/cms/configurations/users-and-permissions-providers).
 :::
 
+:::caution Deprecated provider
+The Instagram Basic Display API was shut down by Meta on December 4, 2024. Strapi's built-in Instagram provider relies on this API and **no longer works**. Meta's replacement is the [Instagram Business Login](https://developers.facebook.com/docs/instagram-business-login), which requires a different authentication flow. Until Strapi updates the provider implementation, Instagram authentication is not available out of the box. The setup steps below are kept for reference only.
+:::
+
 ## Instagram configuration
 
 :::note

diff --git a/docusaurus/docs/cms/configurations/users-and-permissions-providers/linkedin.md b/docusaurus/docs/cms/configurations/users-and-permissions-providers/linkedin.md
@@ -3,7 +3,7 @@ title: LinkedIn provider setup for Users & Permissions
 description: Learn how to setup the LinkedIn provider for the Users & Permissions feature.
 displayed_sidebar: cmsSidebar
 tags:
-- users and permissions
+- users & permissions
 - providers
 - configuration
 - customization
@@ -19,6 +19,10 @@ The present page explains how to setup the LinkedIn provider for the [Users & Pe
 You have read the [Users & Permissions providers documentation](/cms/configurations/users-and-permissions-providers).
 :::
 
+:::caution Deprecated scopes
+LinkedIn has migrated to "Sign In with LinkedIn using OpenID Connect," deprecating the `r_liteprofile` and `r_emailaddress` scopes. Strapi's built-in LinkedIn provider still uses these deprecated scopes and the legacy Profile API. The provider **may stop working** when LinkedIn fully removes legacy support. The setup steps below reflect the current Strapi implementation but the LinkedIn developer portal steps (product selection, scopes) should follow LinkedIn's [OpenID Connect documentation](https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2).
+:::
+
 ## LinkedIn configuration
 
 :::note
@@ -37,7 +41,7 @@ The use of `ngrok` is not needed.
 6. Fill the information:
    - **Authorized redirect URL**: `http://localhost:1337/api/connect/linkedin/callback`
 7. On the app page click on **Products** tab.
-8. Select `Sign In with LinkedIn` from the product list to enable it.
+8. Select `Sign In with LinkedIn using OpenID Connect` from the product list to enable it.
 
 ## Strapi configuration
 

diff --git a/docusaurus/docs/cms/configurations/users-and-permissions-providers/twitter.md b/docusaurus/docs/cms/configurations/users-and-permissions-providers/twitter.md
@@ -3,7 +3,7 @@ title: Twitter provider setup for Users & Permissions
 description: Learn how to setup the Twitter provider for the Users & Permissions feature.
 displayed_sidebar: cmsSidebar
 tags:
-- users and permissions
+- users & permissions
 - providers
 - configuration
 - customization
@@ -19,6 +19,10 @@ The present page explains how to setup the Twitter provider for the [Users & Per
 You have read the [Users & Permissions providers documentation](/cms/configurations/users-and-permissions-providers).
 :::
 
+:::caution Paid API access required
+Twitter (now X) restructured its API access in 2023. Strapi's built-in Twitter provider uses the v1.1 API (`account/verify_credentials`), which is **no longer available on the free tier**. You need a [Basic or Pro plan](https://developer.x.com/en/portal/products) on the X Developer Portal to use this provider. The developer portal URLs and setup flow have also changed since the rebranding.
+:::
+
 ## Twitter configuration
 
 :::note