Hi together,
we want to use Payload CMS as a headless CMS for our 11ty-based webpage. So before building the page, I need to get the posts from our CMS.
As I don't want to perform a login every time, I want to use the useAPIKey functionality.
Imagine you have a collection "news" which is the one I want to get my page content from.
As the docs said, I added the following code block to my collection config
    auth: {
      useAPIKey: true,
    },
But when I now refresh my page, I also got a field "E-Mail" and I need an API-Key per User.
Also when trying to use the generated key, I got the error "You are not allowed to perform this action."
Yes, added "Authorization" to my GET request header
COLLECTION-SLUG API-Key KEYSTRING
Can you please help me?
Hello @danielkraemer, maybe I can help
So you want to use the api key per-user functionality, right?
yes, this is my first problem 😄
Is there an issue with enabling that feature?
I don't understand this part
But when I now refresh my page, I also got a field "E-Mail" and I need an API-Key per User.
Yes, I'm not sure how/where to enable the api-key per user.
If I add it to my (for example "news") "content" collection, I have the same API key for each user.
If I add it to the "User" collection I have a key per user but cannot access my content collection with this API key 🙈
The API keys are generated per-user, I believe, in the collection
To enable API keys on a collection, set the useAPIKey auth option to true. From there, a new interface will appear in the Admin panel for each document within the collection that allows you to generate an API key for each user in the Collection.
The second sentence
Any luck with that?
Ok, seems to be correct
But I have the field "E-Mail" above 🤔
Ooo nice, that is what you wanted right?
Yes, I now have an API key per user, but why do I have this E-Mail field?
And the second part is that I cannot authenticate using the API-Key when trying to perform a request, e.g. using ThunderClient
Okay, sorry. I re-checked it and saw that the same API-Key is displayed for two users, as I said before
Can I see the collection code?
    const TestCollection: CollectionConfig = {
      slug: 'testcollection',
      labels: {
        singular: '"Testcollection"-Entry',
        plural: 'Testcollection-Entries'
      },
      auth: {
        useAPIKey: true,
      },
      admin: {
        useAsTitle: 'title',
        defaultColumns: [
          'title',
          'category',
          'publishDate'
        ],
        group: 'Content',
        listSearchableFields: [
          'title',
          'category',
        ],
        disableDuplicate: true,
      },
      access: {
        create: hasCreateAccessToPosts,
        read: hasReadAccessToPosts,
        update: hasUpdateDeleteAccessToPosts,
        delete: hasUpdateDeleteAccessToPosts,
      },
      versions: {
        drafts: true,
      },
hmm
and in the photo you posted, that is of this collection?
(sorry, I'm English hehe)
Yes, this is correct.
I just renamed it within the example code. But functionality is the same.
I cut it before starting with "fields"
My guess is that because you have API key enabled for the collection, it also shows the user email the key is generated for
If you remove API key from the collection config, does it go away?
Yep. As I remove the block "auth" from my config file for the content collection, E-Mail and "API-Key" will be removed from the frontend.
But which API-Key should I use instead? 🤔
I also think so. But why is the E-Mail the same when I sign in with another user?
Hmm it should not be
How are your users logging in?
Currently using E-Mail and password.
Through the front end or directly into the Payload control panel?
directly into payload control panel
And how are you using the api keys then?
I want to use the api keys to fetch the content for our webpage using 11ty Fetch
Ah okay, I didn't know if you had a setup where you created a login form on your frontend, sent a login request which would generate a cookie the user could authorize with
Let's try basic
Can you make a new collection, "Books", with only one field
and enable API key on it
Let's make a simple test case to get to the bottom of this
ok. give me a second 😄
No, as this will be just a programmatic request without a login form, I cannot use a cookie. I'd have to call /login, get the JWT and then do a request
Take your time
ok. I added the collection "books".
Nice nice
    import { CollectionConfig } from 'payload/types';

    // Example Collection - For reference only, this must be added to payload.config.ts to be used.
    const Books: CollectionConfig = {
      slug: 'books',
      auth: {
        useAPIKey: true,
      },
      admin: {
        useAsTitle: 'title',
        defaultColumns: [
          'title',
        ],
        group: 'Content',
        listSearchableFields: [
          'title',
        ],
        disableDuplicate: true,
      },
      versions: {
        drafts: true,
      },
      fields: [
        {
          name: 'title',
          type: 'text',
          required: true,
          unique: true,
          label: 'Titel',
        },
      ],
    }

    export default Books;
OK looks good, we got a title field
But when I want to create an entry, I also have to provide a username. 🤔
this seems odd
@jmikrut Sorry, this also seems odd, any idea why it's asking for user creds on this collection?
@danielkraemer Until they can reply, I'm looking into it as well
@thisisnotchris thanks 😄
If I add "useAPIKey" to users and try to perform a request to /api/users using ThunderClient and the API-Key I got from the account page, this works. But as you see, it won't work for other collections 🙈
by default, enabling auth also enables the local authentication strategy (email / password)
BUT
you can disable the local auth strategy, while keeping the api key strategy
but how come you are enabling auth on a "books" collection?
generally when we do this we make a collection called "API Keys" and then just enable auth on that collection
@danielkraemer maybe this might help?
https://discord.com/channels/967097582721572934/1093168403147141181
I recommended making a basic books collection to try to isolate the issue
Give me just a second, I'll try something
sorry, in classic form I am writing a blog post the day of it needing to be released, multitasking. I missed the books convo above
@thisisnotchris @iamlinkus @jmikrut thank you for your fast help 😄
While testing this, I figured out that I can use "useAPIKey" on my "users" collection. Then I can query the API, e.g. for books, with the header
Authorization: users API-Key KEYSTRING
but yea I'd make an API Keys collection
or yes that
The docs made me a bit confused 😅 so I thought that I have to enable "useAPIKey" within the auth-block for my content-collection (e.g. books)
nope, api keys authenticate you
as the user that the api key is tied to
they are not free-for-all, they respect the permissions and access that the user has
which is f-ing beautiful
That is super nice!
😄
Glad you got it going @danielkraemer !!
Yes, this is a very good feature 👏
But you need to understand it 😉
yeah we could put more in our docs about it for sure
what's the saying
with great power comes great responsibility
damn i am a loser
and what's really special is that this whole thread will be indexed on our website forever
🤦♂️
I think adding a "recipes" section for the docs would be 💣
payloadcms.com/docs/cookbook
In Germany we got a proverb for this thread "You grow with your challenges" 😁
So sometimes you'll learn more while "trial and error" than while reading the docs 😉
Love how Kirby did it:
https://getkirby.com/docs/cookbook
If you want to, just give me a note when the cookbook is ready and then I'd write the recipe 😉
totally, I'd have some recipes too!