diff --git a/packages/core/admin/server/bootstrap.js b/packages/core/admin/server/bootstrap.js
index 61d335e4a4..bdd07e1a78 100644
--- a/packages/core/admin/server/bootstrap.js
+++ b/packages/core/admin/server/bootstrap.js
@@ -1,6 +1,7 @@
 'use strict';
 
-const { merge } = require('lodash/fp');
+const { merge, map, difference, uniq } = require('lodash/fp');
+const { pipeAsync } = require('@strapi/utils');
 const { getService } = require('./utils');
 const adminActions = require('./config/admin-actions');
 const adminConditions = require('./config/admin-conditions');
@@ -52,6 +53,22 @@ const syncAuthSettings = async () => {
   await adminStore.set({ key: 'auth', value: newAuthSettings });
 };
 
+const syncAPITokensPermissions = async () => {
+  const validPermissions = strapi.contentAPI.permissions.providers.action.keys();
+  const permissionsInDB = await pipeAsync(
+    strapi.query('admin::api-token-permission').findMany,
+    map('action')
+  )();
+
+  const unknownPermissions = uniq(difference(permissionsInDB, validPermissions));
+
+  if (unknownPermissions.length > 0) {
+    await strapi
+      .query('admin::api-token-permission')
+      .deleteMany({ where: { action: { $in: unknownPermissions } } });
+  }
+};
+
 module.exports = async () => {
   await registerAdminConditions();
   await registerPermissionActions();
@@ -73,6 +90,7 @@ module.exports = async () => {
   await userService.displayWarningIfUsersDontHaveRole();
 
   await syncAuthSettings();
+  await syncAPITokensPermissions();
 
   apiTokenService.checkSaltIsDefined();
   tokenService.checkSecretIsDefined();
diff --git a/packages/core/strapi/lib/Strapi.js b/packages/core/strapi/lib/Strapi.js
index f7c9c37357..33e15aec04 100644
--- a/packages/core/strapi/lib/Strapi.js
+++ b/packages/core/strapi/lib/Strapi.js
@@ -451,11 +451,10 @@ class Strapi {
     await this.server.initMiddlewares();
     await this.server.initRouting();
 
-    await this.runLifecyclesFunctions(LIFECYCLES.BOOTSTRAP);
-
-    // TODO: is this the best place for this?
     await this.contentAPI.permissions.registerActions();
 
+    await this.runLifecyclesFunctions(LIFECYCLES.BOOTSTRAP);
+
     this.cron.start();
 
     return this;