Using the Payload Auth Middleware

Because Payload uses your existing Express server, you are free to add whatever logic you need to your app through endpoints of your own. However, Payload does not add its middleware to your Express app itself—instead, ist scopes all of its middleware to Payload-specific routers.

This approach has a ton of benefits - it's great for isolation of concerns and limiting scope, but it also means that your additional routes won't have access to Payload's user authentication.

Example in server.js:

import express from 'express';
import payload from 'payload';
const app = express();
mongoURL: 'mongodb://localhost/payload',
express: app,
const router = express.Router();
router.get('/', (req, res) => {
if (req.user) {
return res.send(`Authenticated successfully as ${}.`);
return res.send('Not authenticated');
app.use('/some-route-here', router);
app.listen(3000, async () => {`listening on ${3000}...`);

Access Control