Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubBlog
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftBlue OriginHello BelloMythical SocietyTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case study
New projectLogin
New projectLogin
Community Help

API endpoint authentication

default discord avatar
Radish Kittenlast year
14

Good morning, we're a bit new to Payload and currently trying to set everything up (only the backend right now in order to migrate data over).



Anyway, we noticed that by default, any API endpoint (i.e: /api/pages/) is publicly viewable. We'd like to prevent this from happening and I've checked out

https://payloadcms.com/docs/authentication/operations

but still not too sure how to do this, unfortunately.



In the meantime, since we're hosting our payload backend on Azure app service, I've added Authentication there so at least that's working for us 🙂

  • default discord avatar
    thisisnotchrislast year

    Hello @Radish Kitten !



    You want to setup up Access Control for your collections



    https://payloadcms.com/docs/access-control/collections


    For instance, if you have your Pages Collection



    const Pages: CollectionConfig = {
  slug: "pages",
  access: {
    create: ({ req: { user } }) => { ... },
    read: ({ req: { user } }) => { ... },
    update: ({ req: { user } }) => { ... },
    delete: ({ req: { user } }) => { ... },
    admin: ({ req: { user } }) => { ... },
  },
};


    Each type of operation in access (create, read, etc) has a function as its value



    The function should return a boolean



    Some folks implement role-based access and have slightly more complex access logic



    If you can elaborate on how you want the access to work, I can suggest a configuration

  • default discord avatar
    noheadphoneslast year

    ^^^



    And if you need helper plugins, I'll shill mine and another one:


    https://github.com/NouanceLabs/payload-simple-rbac
    https://www.npmjs.com/package/payload-rbac
  • default discord avatar
    Radish Kittenlast year

    Oh yeah @noheadphones we definitely used yours at first but then we somewhat copied what payload itself uses, which is defining roles in /access/ and referencing them later on in Pages.ts


    access: { read: (isAdminOrHasSiteAccessOrPublished || isTech), create: (isAdminOrHasSiteAccess('id') || isTech), update: (isAdminOrHasSiteAccess('id') || isTech), delete: isAdmin,
  • default discord avatar
    noheadphoneslast year

    interesting, im up for updating my plugin with further utilities if it stays within the scope of its simplicity...what limitations did you have?

  • default discord avatar
    Radish Kittenlast year

    @noheadphones I think one of my devs just preferred the cleaner look 🙂 No biggie

  • default discord avatar
    noheadphoneslast year

    thats actually the main reason i didnt do anything complex for mine...with payload its much easier to roll your own solution than to have an overengineered plugin that might still not do everything you need

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.