REST API GET Collection via API-Key

danielkraemer
last month

Hi together,



we want to use Payloadcms as a headless cms for our 11ty based webpage. So before building the page, I need to get the posts from our cms.



As I don't want to perform a login every time, I want to use the useAPIKey functionality.



Imagine you have a collection "news" which is the one I want to get my page content from.



As the docs said, I added the following code block to my collection config



auth: {
    useAPIKey: true,
  },

https://payloadcms.com/docs/authentication/config#api-keys

But when I now refresh my page, I got also a field "E-Mail" and I need an API-Key per User.



Also when trying to use the generated key, I got the error "You are not allowed to perform this action."



Yes, added "Authorization" to my GET request header

COLLECTION-SLUG API-Key KEYSTRING

Can you please help me?

  • thisisnotchris
    last month

    Hello @danielkraemer, maybe I can help



    So you want to use the api key per-user functionality, right?

  • danielkraemer
    last month

    yes, this is my first problem 😄

  • thisisnotchris
    last month

    Is there an issue with enabling that feature?



    I don't understand this part

    But when I now refresh my page, I got also a field "E-Mail" and I need an API-Key per User.
  • danielkraemer
    last month

    Yes, I'm not sure how/where to enable the api-key per user.


    If I add it to my (for example "news") "content" collection, I have the same API key for each user.


    If I add it to the "User" collection I have a key per user but cannot access my content collection with this API key 🙈

  • thisisnotchris
    last month

    The api keys are generated per-use I believe in the collection



    To enable API keys on a collection, set the useAPIKey auth option to true. From there, a new interface will appear in the Admin panel for each document within the collection that allows you to generate an API key for each user in the Collection.


    The second sentence



    Any luck with that?

  • danielkraemer
    last month

    Ok, seems to be correct



    But I have the field "E-Mail" above 🤔

    image.png
  • thisisnotchris
    last month

    Ooo nice, that is what you wanted right?

  • danielkraemer
    last month

    Yes, I now have an api key per user but why do I have this E-Mail field?



    And second part is, that I cannot authenticate using the API-Key when trying to perform a request e.g. using ThunderClient



    okay. sorry. I re-checked it and saw that the same API-Key is displayed for two users, as I told before

  • thisisnotchris
    last month

    Can I see the collection code?

  • danielkraemer
    last month
    const TestCollection: CollectionConfig = {
      slug: 'testcollection',
      labels: {
        singular: '"Testcollection"-Entry',
        plural: 'Testcollection-Entries'
      },
      auth: {
        useAPIKey: true,
      },
      admin: {
        useAsTitle: 'title',
        defaultColumns: [
          'title',
          'category',
          'publishDate'
        ],
        group: 'Content',
        listSearchableFields: [
          'title',
          'category',
        ],
        disableDuplicate: true,
      },
      access: {
        create: hasCreateAccessToPosts,
        read: hasReadAccessToPosts,
        update: hasUpdateDeleteAccessToPosts,
        delete: hasUpdateDeleteAccessToPosts,
      },
      versions: {
        drafts: true,
      },
  • thisisnotchris
    last month

    hmm



    and in the photo you posted, that is of this collection?



    (sorry, I'm English hehe)

  • danielkraemer
    last month

    Yes, this is correct.


    I just renamed it within the example code. But functionality is the same.



    I cut it off before starting with "fields"

  • thisisnotchris
    last month

    My guess is that because you have API key enabled for the collection, it also shows the user email the key is generated for



    If you remove API key from the collection config, does it go away?

  • danielkraemer
    last month

    Yep. As I remove the block "auth" from my config file for the content collection, E-Mail and "API-Key" will be removed from the frontend.


    But which API-Key should I use instead? 🤔



    I also think so. But why is the E-Mail the same when I sign in with another user?

  • thisisnotchris
    last month

    Hmm it should not be



    How are your users logging in?

  • danielkraemer
    last month

    Currently using E-Mail and password.

  • thisisnotchris
    last month

    Through the front end or directly into the Payload control panel?

  • danielkraemer
    last month

    directly into payload control panel

  • thisisnotchris
    last month

    And how are you using the api keys then?

  • danielkraemer
    last month

    I want to use the api keys to fetch the content for our webpage using 11ty Fetch

  • thisisnotchris
    last month

    Ah okay, I didn't know if you had a setup where you created a login form on your frontend, sent a login request which would generate a cookie the user could authorize with



    Let's try basic



    Can you make a new collection, "Books", with only one field



    and enable API key on it



    Let's make a simple test case to get to the bottom of this

  • danielkraemer
    last month

    ok. give me a second 😄



    No, as this will be just a programmatically based request without a login form I cannot use a cookie. I'd have to call /login, get the jwt and then do a request

  • thisisnotchris
    last month

    Take your time

  • danielkraemer
    last month

    ok. I added the collection "books".

  • thisisnotchris
    last month

    Nice nice

  • danielkraemer
    last month
    import { CollectionConfig } from 'payload/types';
    
    // Example Collection - For reference only, this must be added to payload.config.ts to be used.
    const Books: CollectionConfig = {
      slug: 'books',
      auth: {
        useAPIKey: true,
      },
      admin: {
        useAsTitle: 'title',
        defaultColumns: [
          'title',
        ],
        group: 'Content',
        listSearchableFields: [
          'title',
        ],
        disableDuplicate: true,
      },
      versions: {
        drafts: true,
      },
      fields: [
        {
          name: 'title',
          type: 'text',
          required: true,
          unique: true,
          label: 'Titel',
        },
      ],
    }
    
    export default Books;
  • thisisnotchris
    last month

    OK looks good, we got a title field

  • danielkraemer
    last month

    But when I want to create an entry, I also have to provide a username. 🤔





    image.png
    image.png
  • thisisnotchris
    last month

    this seems odd



    @jmikrut Sorry, this also seems odd, any idea why it's asking for user creds on this collection?



    @danielkraemer Until they can reply, I'm looking into it as well

  • danielkraemer
    last month

    @thisisnotchris thanks 😄



    If I add "useAPIKey" to users and try to perform a request to /api/users using ThunderClient and the API-Key I got from the account page, this works. But as you see, it won't work for other collections 🙈

  • jmikrut
    Payload Team
    last month

    by default, enabling auth also enables the local authentication strategy (email / password)



    BUT



    you can disable the local auth strategy, while keeping the api key strategy



    but how come you are enabling auth on a "books" collection?



    generally when we do this we make a collection called "API Keys" and then just enable auth on that collection

  • iamlinkus
    last month
  • thisisnotchris
    last month

    I recommended making a basic books collection to try to isolate the issue

  • danielkraemer
    last month

    Give me just a second, I'll try something

  • jmikrut
    Payload Team
    last month

    sorry in classic form i am writing a blog post the day of it needing to be released, multitasking. I missed the books convo above

  • danielkraemer
    last month

    @thisisnotchris @iamlinkus @jmikrut thank you for your fast help 😄


    While testing this, I figured out that I can use "useAPIKey" on my "users" collection. Then I can query the api, e.g. for books with the header


    Authorization: users API-Key KEYSTRING
  • jmikrut
    Payload Team
    last month

    but yea I'd make an API Keys collection



    or yes that

  • danielkraemer
    last month

    The docs made me a bit confused 😅 so I thought that I have to enable "useAPIKey" within the auth-block for my content-collection (e.g. books)

  • jmikrut
    Payload Team
    last month

    nope, api keys authenticate you

    as the user that the api key is tied to


    they are not free-for-all, they respect the permissions and access that the user has



    which is f-ing beautiful

  • thisisnotchris
    last month

    That is super nice!



    😄



    Glad you got it going @danielkraemer !!

  • danielkraemer
    last month

    Yes, this is a very good feature 👍


    But you need to understand it 😉

  • jmikrut
    Payload Team
    last month

    yeah we could put more in our docs about it for sure



    what's the saying



    with great power comes great responsibility



    damn i am a loser



    and what's really special is that this whole thread will be indexed on our website forever



    🤦‍♂️

  • iamlinkus
    last month

    I think adding a "recipes" section for the docs would be 💣



    payloadcms.com/docs/cookbook

  • danielkraemer
    last month

    In Germany we got a proverb for this thread "You grow with your challenges" 😁


    So sometimes you'll learn more while "trial and error" than while reading the docs 😉

  • iamlinkus
    last month

    Love how Kirby did it:

    https://getkirby.com/docs/cookbook
  • danielkraemer
    last month

    If you want to, just give me a note when the cookbook is ready and then I'd write the recipe 😉

  • iamlinkus
    last month

    totally, I'd have some recipes too!
