API endpoint authentication

default discord avatar
Radish Kittenlast year

Good morning, we're a bit new to Payload and currently trying to set everything up (only the backend right now in order to migrate data over).

Anyway, we noticed that by default, any API endpoint (i.e: /api/pages/) is publicly viewable. We'd like to prevent this from happening and I've checked out


but still not too sure how to do this, unfortunately.

In the meantime, since we're hosting our payload backend on Azure app service, I've added Authentication there so at least that's working for us 🙂

  • default discord avatar
    thisisnotchrislast year

    Hello @Radish Kitten !

    You want to setup up Access Control for your collections


    For instance, if you have your Pages Collection

    const Pages: CollectionConfig = {
      slug: "pages",
      access: {
        create: ({ req: { user } }) => { ... },
        read: ({ req: { user } }) => { ... },
        update: ({ req: { user } }) => { ... },
        delete: ({ req: { user } }) => { ... },
        admin: ({ req: { user } }) => { ... },

    Each type of operation in access (create, read, etc) has a function as its value

    The function should return a boolean

    Some folks implement role-based access and have slightly more complex access logic

    If you can elaborate on how you want the access to work, I can suggest a configuration

  • default discord avatar
    noheadphoneslast year


    And if you need helper plugins, I'll shill mine and another one:

  • default discord avatar
    Radish Kittenlast year

    Oh yeah @noheadphones we definitely used yours at first but then we somewhat copied what payload itself uses, which is defining roles in /access/ and referencing them later on in Pages.ts

    access: { read: (isAdminOrHasSiteAccessOrPublished || isTech), create: (isAdminOrHasSiteAccess('id') || isTech), update: (isAdminOrHasSiteAccess('id') || isTech), delete: isAdmin,
  • default discord avatar
    noheadphoneslast year

    interesting, im up for updating my plugin with further utilities if it stays within the scope of its simplicity...what limitations did you have?

  • default discord avatar
    Radish Kittenlast year

    @noheadphones I think one of my devs just preferred the cleaner look 🙂 No biggie

  • default discord avatar
    noheadphoneslast year

    thats actually the main reason i didnt do anything complex for mine...with payload its much easier to roll your own solution than to have an overengineered plugin that might still not do everything you need

Star on GitHub


Chat on Discord



Can't find what you're looking for?

Get help straight from the Payload team with an Enterprise License.