Description
It seems that setting DIRECTUS_SERVER_TOKEN in .env is not used and has no effect. (Or I don't understand how it is meant to be used.)
Some background: I am running Directus 11.2.1 with the Agency OS template and the latest frontend in Docker containers. I installed the agency-os template under directus:10.11 and then upgraded sequentially to the latest Directus. This worked great.
After upgrading to directus v11 permissions were restructured into roles and policies, as expected. I now have a Public role with the Public policy applied. There is also a Website API role and Website API policy with no permissions applied. I created a token for Website API to be used as DIRECTUS_SERVER_TOKEN.
Building the frontend works mostly as expected, with or without having a DIRECTUS_SERVER_TOKEN set in .env. I gather this is because the Public role has all the permissions.
For security in production, I would like to limit public access to the API by moving most permissions to the Website API user/role/policy. So I configured the Website API role to have the 'Public' policy, and then I limited the Public role to have only the required access to directus_files.
However, with this setup there are access errors during the build and the frontend returns a 404 error.
I am expecting that setting DIRECTUS_SERVER_TOKEN would provide the required access, but it doesn't seem to.
Any help or clarification would be appreciated ...
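The check a practitioner would want before changing any more permissions is to find out which Directus identity the static token actually resolves to, independently of the frontend build. The script below is an added example, not code from the original issue, the Agency OS template or the Directus SDK. It assumes the token is sent as an `Authorization: Bearer` header, that `GET /users/me` returns the calling user, and that in Directus 11 the policies granted through `directus_access` can be requested with the field paths `role.policies.policy.name` and `policies.policy.name` (that last pair is an assumption; adjust if your instance rejects the field list). The base URL, environment variable names and the token value are placeholders.

```javascript
// Added example: not from the Agency OS template or the Directus SDK.
// Goal: find out which Directus identity a static token actually resolves to,
// by calling GET /users/me with and without the bearer header.

// Assumptions: the base URL below and the env var names are placeholders.
const DIRECTUS_URL = process.env.DIRECTUS_URL || "http://localhost:8055";
const DIRECTUS_SERVER_TOKEN = process.env.DIRECTUS_SERVER_TOKEN || "";

// Field paths requested from /users/me. role.name is standard; the two policy
// paths assume Directus 11 exposes the directus_access relation as
// role.policies[].policy and policies[].policy (assumption, adjust if needed).
const ME_FIELDS = "role.name,role.policies.policy.name,policies.policy.name";

// Build fetch arguments for a Directus REST call. The Authorization header is
// attached only for a non-empty token; an unset or blank DIRECTUS_SERVER_TOKEN
// therefore silently makes the request run as the Public role.
function buildRequest(path, token, baseUrl = DIRECTUS_URL) {
  const headers = { Accept: "application/json" };
  const t = typeof token === "string" ? token.trim() : "";
  if (t !== "") headers.Authorization = `Bearer ${t}`;
  return {
    url: `${baseUrl.replace(/\/+$/, "")}${path}`,
    options: { method: "GET", headers },
  };
}

// Reduce a /users/me body to the role and the distinct policy names granted
// to that user, whether attached to the user directly or via its role.
function summarizeIdentity(body) {
  const user = body && body.data;
  if (!user) return { authenticated: false, role: null, policies: [] };
  const names = new Set();
  for (const access of [...(user.role?.policies ?? []), ...(user.policies ?? [])]) {
    if (access?.policy?.name) names.add(access.policy.name);
  }
  return { authenticated: true, role: user.role?.name ?? null, policies: [...names].sort() };
}

// Perform the check. fetchImpl is injectable so the function can be exercised
// offline; in a real run leave it as the global fetch (Node 18+).
async function whoAmI(token, fetchImpl = globalThis.fetch, baseUrl = DIRECTUS_URL) {
  const { url, options } = buildRequest(`/users/me?fields=${ME_FIELDS}`, token, baseUrl);
  const res = await fetchImpl(url, options);
  if (!res.ok) {
    // An unauthenticated /users/me is answered with an error status:
    // the caller is effectively the Public role.
    return { authenticated: false, status: res.status, role: null, policies: [] };
  }
  return { status: res.status, ...summarizeIdentity(await res.json()) };
}

// Constructed stand-in for the Directus server, used so this file runs offline.
// It mirrors the setup in the issue: a "Website API" role carrying the "Public"
// policy, reachable only with the made-up token below.
const CONSTRUCTED_TOKEN = "example-static-token";
async function constructedFetch(url, options) {
  const auth = options.headers.Authorization || "";
  if (auth !== `Bearer ${CONSTRUCTED_TOKEN}` || !url.includes("/users/me")) {
    return { ok: false, status: 403, json: async () => ({ errors: [{ message: "forbidden" }] }) };
  }
  return {
    ok: true,
    status: 200,
    json: async () => ({
      data: {
        role: { name: "Website API", policies: [{ policy: { name: "Public" } }] },
        policies: [],
      },
    }),
  };
}

// Demo against the constructed server: first without a token (Public), then with it.
// Against a real instance: whoAmI(DIRECTUS_SERVER_TOKEN) with the default fetch.
Promise.all([whoAmI("", constructedFetch), whoAmI(CONSTRUCTED_TOKEN, constructedFetch)])
  .then(([anon, svc]) => console.log({ anon, svc }));
```

Run it against the real instance with `DIRECTUS_URL` and `DIRECTUS_SERVER_TOKEN` exported in the same shell the build uses. If the token resolves to the Website API role with the Public policy listed, the Directus side is configured as intended and the remaining question is whether the frontend build is actually attaching that header to its requests; if the call comes back unauthenticated, the token itself is the problem (wrong value, trailing whitespace, or the user it belongs to is not the one carrying the policy).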