
REST API GET Collection via API-Key

dnl.krmr 2 years ago
47

Hi together,



we want to use Payloadcms as a headless cms for our 11ty based webpage. So before building the page, I need to get the posts from our cms.



As I don't want to perform a login every time, I want to use the useAPIKey functionality.



Imagine you have a collection "news" which is the one I want to get my page content from.



As the docs said, I added the following code block to my collection config



auth: {
    useAPIKey: true,
  },

https://payloadcms.com/docs/authentication/config#api-keys

But when I now refresh my page, I got also a field "E-Mail" and I need an API-Key per User.



Also when trying to use the generated key, I got the error "You are not allowed to perform this action."



Yes, added "Authorization" to my GET request header

COLLECTION-SLUG API-Key KEYSTRING

Can you please help me?

  • notchr 2 years ago

    Hello @775820309730557982, maybe I can help



    So you want to use the api key per-user functionality, right?

  • dnl.krmr 2 years ago

    yes, this is my first problem 😄

  • notchr 2 years ago

    Is there an issue with enabling that feature?

    I don't understand this part

    But when I now refresh my page, I got also a field "E-Mail" and I need an API-Key per User.
  • dnl.krmr 2 years ago

    Yes, I'm not sure how/where to enable the api-key per user.


    If I add it to my (for example "news") "content" collection, I have the same API key for each user.


    If I add it to the "User" collection I have a key per user but cannot access my content collection with this API key 🙈

  • notchr 2 years ago

    The api keys are generated per-user I believe in the collection



    To enable API keys on a collection, set the useAPIKey auth option to true. From there, a new interface will appear in the Admin panel for each document within the collection that allows you to generate an API key for each user in the Collection.


    The second sentence



    Any luck with that?

  • dnl.krmr 2 years ago

    Ok, seems to be correct

    But I have the field "E-Mail" above 🤔

  • notchr 2 years ago

    Ooo nice, that is what you wanted right?

  • dnl.krmr 2 years ago

    Yes, I now have an api key per user but why do I have this E-Mail field?

    And second part is, that I cannot authenticate using the API-Key when trying to perform a request e.g. using ThunderClient

    okay. sorry. I re-checked it and saw, that the same API-Key is displayed for two users as I told before

  • notchr 2 years ago

    Can I see the collection code?

  • dnl.krmr 2 years ago
    const TestCollection: CollectionConfig = {
      slug: 'testcollection',
      labels: {
        singular: '"Testcollection"-Entry',
        plural: 'Testcollection-Entries'
      },
      auth: {
        useAPIKey: true,
      },
      admin: {
        useAsTitle: 'title',
        defaultColumns: [
          'title',
          'category',
          'publishDate'
        ],
        group: 'Content',
        listSearchableFields: [
          'title',
          'category',
        ],
        disableDuplicate: true,
      },
      access: {
        create: hasCreateAccessToPosts,
        read: hasReadAccessToPosts,
        update: hasUpdateDeleteAccessToPosts,
        delete: hasUpdateDeleteAccessToPosts,
      },
      versions: {
        drafts: true,
      },
  • notchr 2 years ago

    hmm

    and in the photo you posted, that is of this collection?

    (sorry, I'm English hehe)

  • dnl.krmr 2 years ago

    Yes, this is correct.

    I just renamed it within the example code. But functionality is the same.

    I cut it off before starting with "fields"

  • notchr 2 years ago

    My guess is that because you have API key enabled for the collection, it also shows the user email the key is generated for



    If you remove API key from the collection config, does it go away?

  • dnl.krmr 2 years ago

    Yep. As I remove the block "auth" from my config file for the content collection, E-Mail and "API-Key" will be removed from the frontend.

    But which API-Key should I use instead? 🤔

    I also think so. But why is the E-Mail the same when I sign in with another user?

  • notchr 2 years ago

    Hmm it should not be



    How are your users logging in?

  • dnl.krmr 2 years ago

    Currently using E-Mail and password.

  • notchr 2 years ago

    Through the front end or directly into the Payload control panel?

  • dnl.krmr 2 years ago

    directly into payload control panel

  • notchr 2 years ago

    And how are you using the api keys then?

  • dnl.krmr 2 years ago

    I want to use the api keys to fetch the content for our webpage using 11ty Fetch

  • notchr 2 years ago

    Ah okay, I didn't know if you had a setup where you created a login form on your frontend, sent a login request which would generate a cookie the user could authorize with

    Let's try basic

    Can you make a new collection, "Books", with only one field

    and enable API key on it

    Let's make a simple test case to get to the bottom of this

  • dnl.krmr 2 years ago

    ok. give me a second 😄



    No, as this will be just a programmatically based request without a login form I cannot use a cookie. I'd have to call /login, get the jwt and then do a request

  • notchr 2 years ago

    Take your time

  • dnl.krmr 2 years ago

    ok. I added the collection "books".

  • notchr 2 years ago

    Nice nice

  • dnl.krmr 2 years ago
    import { CollectionConfig } from 'payload/types';
    
    // Example Collection - For reference only, this must be added to payload.config.ts to be used.
    const Books: CollectionConfig = {
      slug: 'books',
      auth: {
        useAPIKey: true,
      },
      admin: {
        useAsTitle: 'title',
        defaultColumns: [
          'title',
        ],
        group: 'Content',
        listSearchableFields: [
          'title',
        ],
        disableDuplicate: true,
      },
      versions: {
        drafts: true,
      },
      fields: [
        {
          name: 'title',
          type: 'text',
          required: true,
          unique: true,
          label: 'Titel',
        },
      ],
    }
    
    export default Books;
  • notchr 2 years ago

    OK looks good, we got a title field

  • dnl.krmr 2 years ago

    But when I want to create an entry, I also have to provide a username. 🤔





  • notchr 2 years ago

    this seems odd



    @364124941832159242

    Sorry, this also seems odd, any idea why it's asking for user creds on this collection?



    @775820309730557982

    Until they can reply, I'm looking into it as well

  • dnl.krmr 2 years ago

    @1049775120559898725 thanks 😄



    If I add "useAPIKey" to users and try to perform a request to /api/users using ThunderClient and the API-Key I got from the account page, this works. But as you see, it won't work for other collections 🙈

  • jmikrut 2 years ago

    by default, enabling auth also enables the local authentication strategy (email / password)



    BUT



    you can disable the local auth strategy, while keeping the api key strategy



    but how come you are enabling auth on a "books" collection?



    generally when we do this we make a collection called "API Keys" and then just enable auth on that collection

  • iamlinkus 2 years ago
  • notchr 2 years ago

    I recommended making a basic books collection to try to isolate the issue

  • dnl.krmr 2 years ago

    Give me just a second, I'll try something

  • jmikrut 2 years ago

    sorry in classic form i am writing a blog post the day of it needing to be released, multitasking. I missed the books convo above

  • dnl.krmr 2 years ago

    @1049775120559898725 @688437818019938326 @364124941832159242 thank you for your fast help 😄


    While testing this, I figured out, that I can use "useAPIKey" on my "users" collection. Then I can query the api, e.g. for books with the header


    Authorization: users API-Key KEYSTRING
  • jmikrut 2 years ago

    but yea I'd make an API Keys collection



    or yes that

  • dnl.krmr 2 years ago

    The docs made me a bit confused 😅 so I thought that I have to enable "useAPIKey" within the auth-block for my content-collection (e.g. books)

  • jmikrut 2 years ago

    nope, api keys authenticate you

    as the user that the api key is tied to

    they are not free-for-all, they respect the permissions and access that the user has



    which is f-ing beautiful

  • notchr 2 years ago

    That is super nice!

    😄

    Glad you got it going @775820309730557982 !!

  • dnl.krmr 2 years ago

    Yes, this is a very good feature 👍

    But you need to understand it 😉

  • jmikrut 2 years ago

    yeah we could put more in our docs about it for sure



    what's the saying



    with great power comes great responsibility



    damn i am a loser



    and what's really special is that this whole thread will be indexed on our website forever



    🤦‍♂️

  • iamlinkus 2 years ago

    I think adding a "recipes" section for the docs would be 💣



    payloadcms.com/docs/cookbook

  • dnl.krmr 2 years ago

    In Germany we got a proverb for this thread "You grow with your challenges" 😁

    So sometimes you'll learn more while "trial and error" than while reading the docs 😉

  • iamlinkus 2 years ago

    Love how Kirby did it:

    https://getkirby.com/docs/cookbook
  • dnl.krmr 2 years ago

    If you want to, just give me a note when the cookbook is ready and then I'd write the recipe 😉

  • iamlinkus 2 years ago

    totally, I'd have some recipes too!
