
Recommended pattern for proxying current user to Local API

sacramonet (last year)

Hi all,



I've really been enjoying building with Payload 3.0 the past few months and am excited about making it a core part of my web agency's tech stack, but have recently run into an issue when trying to configure Live Preview for the first time.



I've been using the Local API to populate all my routes in the Next App Router, but once I got drafts working for live preview, I realized that I had overlooked the overrideAccess flag and was not conforming to the access rules I had set up for drafts to be restricted to admin users.



This led me to a broader issue when I tried to find a way to provide the correct user scope to the Local API and realized that the JWT token is insufficient for that field - leading me to the following (anti-)pattern:



import { cookies } from 'next/headers'
import { getPayload } from 'payload'
import config from '@payload-config' // alias the Payload 3 Next.js template sets up for payload.config.ts

const payload = await getPayload({ config })

// Round trip to the REST API only to turn the auth cookie into a user object.
// cookies() is synchronous in the Next.js version this was written against.
const cookieStore = cookies()
const token = cookieStore.get('payload-token')
const userRes = await fetch(process.env.NEXT_PUBLIC_SERVER_URL + '/api/users/me', {
  headers: {
    Authorization: `JWT ${token?.value}`,
  },
})
const userJson = await userRes.json()

// Local API call that should be subject to the draft access rules:
// overrideAccess defaults to true, so it must be set to false explicitly,
// and a user must be supplied for the access functions to evaluate.
const data = await payload.findGlobal({
  draft: true,
  slug: 'extras',
  depth: 2,
  user: userJson?.user,
  overrideAccess: false,
  pagination: false,
})


Is it simply not recommended to use the Local API versus the REST API for access-restricted tasks or is there a better pattern for storing/accessing user data to be used with the Local API that ideally doesn't require a separate round trip to the server?



Thank you for the help!

  • mobeigi (last year)

    Where exactly is this code being executed? If it's in some custom Next.js route then Payload has no knowledge of what is happening and you need to handle the authentication yourself.


    I had a similar use case where I had to perform a fetch and authenticate it myself to download a private file.



    There is the payload.login() that can help you log in with user/pass/apiKey, and payload.auth(), which takes in headers or a req to give you an AuthResult. Both are better than doing a fetch to /api/users/me.



    However, I think what you might want is a custom endpoint:

    https://payloadcms.com/docs/beta/rest-api/overview

    With custom endpoints the request arrives with the headers and a payload object you can use, which will respect Access Controls for free. It should be a good fit for your issue.

  • sacramonet (last year)

    Thank you for your response @356003102169759755! The payload.auth() call was exactly what I was looking for, but that is certainly helpful information about the custom endpoints to keep in mind as well!
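As an added example that is not part of the thread and not Payload's own code, here are the two approaches discussed above side by side: the original post's pattern (Local API with draft: true and the default overrideAccess) and the reply's payload.auth() pattern. It is a small in-memory model of the Local API calls involved, so it runs without a Payload project: the token table, the `extras` version history, the admin-only draft rule and the function names (tokenFromHeaders, extrasWithLocalApiDefaults, extrasForRequest) are all constructed for the example, and the model is synchronous where Payload's real methods return promises.

```typescript
// Added example, not code from the thread or from Payload itself. It models the
// two Local API calls the thread discusses: `auth({ headers })` resolves the
// request user from the `payload-token` cookie or an `Authorization: JWT <token>`
// header, and `findGlobal` enforces the global's read rule only when
// `overrideAccess: false` is passed together with that user.

type User = { id: string; email: string; roles: string[] };
type GlobalDoc = { title: string; _status: 'draft' | 'published' };

// Constructed token table standing in for JWT verification.
const SESSIONS: Record<string, User> = {
  'tok-admin': { id: 'u1', email: 'admin@example.com', roles: ['admin'] },
  'tok-editor': { id: 'u2', email: 'editor@example.com', roles: ['editor'] },
};

// Constructed version history of the `extras` global; the newest version is an
// unpublished draft that only admins should ever see.
const EXTRAS_VERSIONS: GlobalDoc[] = [
  { title: 'Published extras', _status: 'published' },
  { title: 'Unreleased extras draft', _status: 'draft' },
];

// Read rule for `extras`: anyone may read the published version, drafts are
// admin-only. (Simplified: a real Payload access function would express the
// draft restriction as a query constraint on `_status`.)
const extrasReadAccess = (user: User | null, draft: boolean): boolean =>
  !draft || Boolean(user?.roles.includes('admin'));

// Pull the auth token out of request headers the way a Payload request is
// authenticated: Authorization header first, then the payload-token cookie.
function tokenFromHeaders(headers: Headers): string | null {
  const auth = headers.get('authorization');
  if (auth && /^JWT\s+/i.test(auth)) return auth.replace(/^JWT\s+/i, '').trim();
  for (const part of (headers.get('cookie') ?? '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'payload-token' && rest.length > 0) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Model of the Local API surface used in the thread (synchronous for the example).
const payload = {
  auth({ headers }: { headers: Headers }): { user: User | null } {
    const token = tokenFromHeaders(headers);
    return { user: token ? (SESSIONS[token] ?? null) : null };
  },
  findGlobal(args: {
    slug: 'extras';
    draft?: boolean;
    user?: User | null;
    overrideAccess?: boolean; // Local API default is true: access control is skipped
  }): GlobalDoc {
    const draft = args.draft ?? false;
    const overrideAccess = args.overrideAccess ?? true;
    if (!overrideAccess && !extrasReadAccess(args.user ?? null, draft)) {
      throw new Error(`Forbidden: cannot read ${args.slug} (draft=${draft})`);
    }
    // draft: true returns the newest version of any status, otherwise the newest published one.
    const candidates = draft ? EXTRAS_VERSIONS : EXTRAS_VERSIONS.filter((v) => v._status === 'published');
    const doc = candidates[candidates.length - 1];
    if (!doc) throw new Error(`${args.slug} has no readable version`);
    return doc;
  },
};

// The original post's situation, minus the round trip: calling the Local API with
// draft: true and the default overrideAccess hands the draft to every caller.
function extrasWithLocalApiDefaults(): GlobalDoc {
  return payload.findGlobal({ slug: 'extras', draft: true });
}

// The reply's pattern: resolve the request user in-process with payload.auth()
// and pass it to findGlobal with overrideAccess: false, so the read rule decides.
function extrasForRequest(headers: Headers, draft: boolean): GlobalDoc {
  const { user } = payload.auth({ headers });
  return payload.findGlobal({ slug: 'extras', draft, user, overrideAccess: false });
}
```

In a Next.js App Router component the Headers value passed to extrasForRequest would be the one returned by headers() from 'next/headers', and the real Payload calls would be awaited; nothing else in the pattern changes. Two things the model makes visible: leaving overrideAccess at its Local API default returns the draft to anonymous callers, and passing overrideAccess: false without a user does not help either, because the access rule then evaluates an anonymous request and denies the draft to the admin as well.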
