Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlog
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftBlue OriginHello BelloMythical SocietyTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case study
LoginGet Started

JWT Strategy

Payload offers the ability to Authenticate via JSON Web Tokens (JWT). These can be read from the responses of login, logout, refresh, and me auth operations.

Identifying Users Via The Authorization Header

In addition to authenticating via an HTTP-only cookie, you can also identify users via the Authorization header on an HTTP request.

Example:

1
const user = await fetch('http://localhost:3000/api/users/login', {
2
method: 'POST',
3
body: JSON.stringify({
4
email: 'dev@payloadcms.com',
5
password: 'password',
6
})
7
}).then(req => await req.json())
8
9
const request = await fetch('http://localhost:3000', {
10
headers: {
11
Authorization: `JWT ${user.token}`,
12
},
13
})

Omitting The Token

In some cases you may want to prevent the token from being returned from the auth operations. You can do that by setting removeTokenFromResponse to true like so:

1
import type { CollectionConfig } from 'payload'
2
3
export const UsersWithoutJWTs: CollectionConfig = {
4
slug: 'users-without-jwts',
5
auth: {
6
removeTokenFromRepsonse: true,
7
},
8
}
Next

API Key Strategy