JWT Strategy
Payload offers the ability to Authenticate via JSON Web Tokens (JWT). These can be read from the responses of login
, logout
, refresh
, and me
auth operations.
Identifying Users Via The Authorization Header
In addition to authenticating via an HTTP-only cookie, you can also identify users via the Authorization
header on an HTTP request.
Example:
1
const user = await fetch('http://localhost:3000/api/users/login', {
2
method: 'POST',
3
body: JSON.stringify({
4
email: 'dev@payloadcms.com',
5
password: 'password',
6
})
7
}).then(req => await req.json())
8
9
const request = await fetch('http://localhost:3000', {
10
headers: {
11
Authorization: `JWT ${user.token}`,
12
},
13
})
Omitting The Token
In some cases you may want to prevent the token from being returned from the auth operations. You can do that by setting removeTokenFromResponse
to true
like so:
1
import type { CollectionConfig } from 'payload'
2
3
export const UsersWithoutJWTs: CollectionConfig = {
4
slug: 'users-without-jwts',
5
auth: {
6
removeTokenFromResponse: true,
7
},
8
}
Next