JWT Strategy

Payload offers the ability to Authenticate via JSON Web Tokens (JWT). These can be read from the responses of login, logout, refresh, and me auth operations.

Identifying Users Via The Authorization Header

In addition to authenticating via an HTTP-only cookie, you can also identify users via the Authorization header on an HTTP request.

Example:

1const user = await fetch('http://localhost:3000/api/users/login', {
2  method: 'POST',
3  headers: {
4    'Content-Type': 'application/json',
5  },
6  body: JSON.stringify({
7    email: 'dev@payloadcms.com',
8    password: 'password',
9  }),
10}).then((req) => await req.json())
11
12const request = await fetch('http://localhost:3000', {
13  headers: {
14    Authorization: `JWT ${user.token}`,
15  },
16})

Omitting The Token

In some cases you may want to prevent the token from being returned from the auth operations. You can do that by setting removeTokenFromResponses to true like so:

1import type { CollectionConfig } from 'payload'
2
3export const UsersWithoutJWTs: CollectionConfig = {
4  slug: 'users-without-jwts',
5  auth: {
6    removeTokenFromResponses: true, 
7  },
8}

External JWT Validation

When validating Payload-generated JWT tokens in external services, use the processed secret rather than your original secret key:

1import crypto from 'node:crypto'
2
3const secret = crypto
4  .createHash('sha256')
5  .update(process.env.PAYLOAD_SECRET)
6  .digest('hex')
7  .slice(0, 32)

See what others are building with Payload.

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Get the resources you need to start building today

Microsoft chose Payload to tell the world about AI.

JWT Strategy

Identifying Users Via The Authorization Header

Omitting The Token

External JWT Validation

Cookie Strategy

JWT Strategy

Identifying Users Via The Authorization Header

Omitting The Token

External JWT Validation