Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlog
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

Forbidden 403

default discord avatar
benslerlast year
2

Hello,



I am having some trouble fetching data from Payload, in a NextJS

client component

.


I have no problems fetching my data in

server components

, but in

client components

i am getting a 403 forbidden error.



I have tried useeffect, swr and tanstack query, all with the same result.



The error message reads like this:


{message: 'You are not allowed to perform this action.'}

Which i dont understand cause i am doing exactly the same as in my server component with the same endpoint. 



// SWR example --> Client component

  const fetcher = async (url: string) => {
    try {
      const res = await fetch(url, {
        method: 'GET',
        headers: {
          Authorization: `users API-Key ${process.env.API_KEY}`,
        },
      });
      const data = await res.json();

      return data.docs;
    } catch (err) {
      console.error(err);
    }
  };

  const { data, error, isLoading } = useSWR(
    'https://myurl.com', // my 
    fetcher
  );
  console.log(data);

  if (error) return <div>failed to load</div>;
  if (isLoading) return <div>loading...</div>;
  return <div>hello {data}!</div>;
  • default discord avatar
    imcorfitzlast year

    Do note that

    process.env.API_KEY

    won't work client side. Next.js only allows for environment variables prefixed

    NEXT_PUBLIC_

    to be included client-side.



    E.g.

    ${process.env.NEXT_PUBLIC_API_KEY}

    - however the obvious question remains: Is this secure? - Answer: no.



    Client side, should NEVER fetch data from an API passing persistent secure credentials. If you initialise a session on the client and pass a temporary access token, it can be argued to be more secure as the token is temporary, but the API key is not.



    If the data you are trying to fetch is supposed to be publicly available, you could update your access control in Payload to allow public read of your records - but if they are supposed to be securely accessed only by your service, I would advice adding an API proxy on your Next.js site.



    I.e. Create an API route in Next.js which you can call from your client-side without any credentials, and then execute the secure API call passing API keys from your server-side code to your CMS and return the response back to the client.

  • default discord avatar
    benslerlast year

    Ah i see, makes sense and it works now. Thanks a lot for the detailed explanation.

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.