"turn off the API"

3 months ago

Morning all,

I've been tasked with "turning off the [REST] API", as our application does not require a valid session identifier or other credentials to access portions of the application. So we're looking to restrict access to Global's URLs; however, inspecting the documentation, I'm unable to find anything about "turning off the API".

Any help would be appreciated.

  • 3 months ago

    Morning @jamesryan - I think the REST API is used in internal requests, right?

    I've been able to overwrite default REST routes for a collection with something more specific

    Otherwise I would change the permissions of the collection

    But disabling the whole REST api? Not sure about that one

    It's a good question though

  • Payload Team
    3 months ago

    It would only make sense if you want to disable the admin panel as well

    Cause yea, the admin panel does make rest api requests

  • 3 months ago

    BTW to add to this with a scenario

    (And this probably could have been built better on my end)

    We had a "Resume" collection to allow people to upload documents

    We didn't want them to have accounts, but we did want them to be able to return to their submission and make edits if needed

    So they fill out a form and upload a document, this creates a Resume record

    Then using an email hook, we send them their unique resume ID via email. They click a link to confirm their email is legit, and they can then use that ID to access their resume again online

    The issue is, we don't want people to hit /resumes and get a list of everyone's resume

    But we also don't want to overwrite the main /get call for that collection (admin panel would bug out)

    So the option was to restrict access, and create a custom endpoint that stepped over the permissions where needed

  • 3 months ago

    Thanks all for this BTW

    The query was about blocking public, non-authenticated users' access to the API endpoints

    Changing the permissions of a collection is something I will look into

    const apiPathRegex = /^\/api(\/|$)/i;
    const disallowedPathsRegex = /^\/api\/globals\/[^/?]+$/i;
    const isApiUrl = (req: any) => apiPathRegex.test(req.url);
    const isDisallowedUrl = (req: any) => disallowedPathsRegex.test(req.url);
    // Express middleware: reject requests matching /api/globals/<name>, pass everything else on
    export const accessApiMiddleware = (req: any, res: any, next: any): void => {
        console.log('req.url', req.url);
        if (isApiUrl(req) && isDisallowedUrl(req)) {
            console.log('banned Url --> req.url', req.url);
            // res.send(status, body) is deprecated in Express 4 and removed in 5
            res.status(401).send('Unauthorized');
            return;
        }
        next();
    };

    In the end this worked, as the regex /^\/api\/globals\/[^/?]+$/i matches URLs that start with "/api/globals/", followed by one or more characters that are not a slash ("/") or a question mark ("?"), and then end. This means it will match any URL that is exactly "/api/globals/<anything>", but not URLs that have additional paths or query parameters.

    With this solution, URLs such as "/api/globals/publicaccess" or "/api/globals/public-access" would be blocked, but "/api/globals/footerMenu?locale=en&fallback-locale=null&depth=0&draft=true" or "/api/globals/footerMenu/access" would not be blocked.

    @alessiogr and @notchr thanks for answering my query, even getting replies was encouraging and supportive

    maybe it's our payload system but

    as an example is publicly available

    so we needed to redirect the user
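An added example (not code from the thread or from Payload) of the same guard, written to close the two gaps the poster describes: it tests the parsed URL path rather than the raw req.url, so a query string or an extra path segment cannot bypass it, and it rejects only unauthenticated callers instead of everyone. The isAuthenticated predicate and the minimal request/response shapes are assumptions; with Express, req, res and next already have these members.

```typescript
// Minimal request/response shapes so this runs without Express installed
// (assumed; Express's own req/res/next satisfy them).
interface Req { url: string }
interface Res { status(code: number): Res; send(body: string): Res }
type Next = () => void;

// Matches "/api/globals" and anything beneath it, case-insensitively,
// but not a different prefix such as "/api/globalsx".
const PROTECTED_GLOBALS = /^\/api\/globals(\/|$)/i;

// Decide on the URL path alone. Parsing first means "?locale=en" or an
// extra "/access" segment cannot change the answer, and dot segments
// ("/api/globals/../globals/x") are normalised before the test.
// The origin given to URL is a placeholder; only pathname is used.
function isProtectedGlobalsPath(url: string): boolean {
  const { pathname } = new URL(url, 'http://placeholder.invalid');
  return PROTECTED_GLOBALS.test(pathname);
}

// isAuthenticated is an assumed caller-supplied predicate (session cookie,
// API key, ...); the thread does not say how the site identifies users.
function makeGlobalsGuard(isAuthenticated: (req: Req) => boolean) {
  return (req: Req, res: Res, next: Next): void => {
    if (isProtectedGlobalsPath(req.url) && !isAuthenticated(req)) {
      res.status(401).send('Unauthorized');
      return; // never fall through to the route handler
    }
    next();
  };
}

// Drive the guard with a fake response and report what it did.
function simulate(url: string, authenticated: boolean): { status: number; passed: boolean } {
  const outcome = { status: 0, passed: false };
  const res: Res = {
    status(code) { outcome.status = code; return res; },
    send() { return res; },
  };
  makeGlobalsGuard(() => authenticated)({ url }, res, () => { outcome.passed = true; });
  return outcome;
}
```

The middleware still has to be registered before Payload's own /api router for the check to run first; Payload's collection and global access control remains the more robust place to enforce this.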
