Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlogGuides & Tutorials
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

API endpoint authentication

default discord avatar
radishkitten2 years ago
6

Good morning, we're a bit new to Payload and currently trying to set everything up (only the backend right now in order to migrate data over).



Anyway, we noticed that by default, any API endpoint (i.e: /api/pages/) is publicly viewable. We'd like to prevent this from happening and I've checked out

https://payloadcms.com/docs/authentication/operations

but still not too sure how to do this, unfortunately.



In the meantime, since we're hosting our payload backend on Azure app service, I've added Authentication there so at least that's working for us 🙂

  • default discord avatar
    notchr2 years ago

    Hello

    @1019667378960863293

    !



    You want to setup up Access Control for your collections



    https://payloadcms.com/docs/access-control/collections

    For instance, if you have your Pages Collection



    const Pages: CollectionConfig = {
  slug: "pages",
  access: {
    create: ({ req: { user } }) => { ... },
    read: ({ req: { user } }) => { ... },
    update: ({ req: { user } }) => { ... },
    delete: ({ req: { user } }) => { ... },
    admin: ({ req: { user } }) => { ... },
  },
};


    Each type of operation in access (create, read, etc) has a function as its value



    The function should return a boolean



    Some folks implement role-based access and have slightly more complex access logic



    If you can elaborate on how you want the access to work, I can suggest a configuration

  • default discord avatar
    paulpopus2 years ago

    ^^^



    And if you need helper plugins, I'll shill mine and another one:


    https://github.com/NouanceLabs/payload-simple-rbac
    https://www.npmjs.com/package/payload-rbac
  • default discord avatar
    radishkitten2 years ago

    Oh yeah

    @858693520012476436

    we definitely used yours at first but then we somewhat copied what payload itself uses, which is defining roles in /access/ and referencing them later on in Pages.ts


    access: { read: (isAdminOrHasSiteAccessOrPublished || isTech), create: (isAdminOrHasSiteAccess('id') || isTech), update: (isAdminOrHasSiteAccess('id') || isTech), delete: isAdmin,
  • default discord avatar
    paulpopus2 years ago

    interesting, im up for updating my plugin with further utilities if it stays within the scope of its simplicity...what limitations did you have?

  • default discord avatar
    radishkitten2 years ago
    @858693520012476436

    I think one of my devs just preferred the cleaner look 🙂 No biggie

  • default discord avatar
    paulpopus2 years ago

    thats actually the main reason i didnt do anything complex for mine...with payload its much easier to roll your own solution than to have an overengineered plugin that might still not do everything you need

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.