In Next.js, server functions (previously called server actions ) are special functions that run exclusively on the server, enabling secure backend logic execution while being callable from the frontend. These functions bridge the gap between client and server, allowing frontend components to perform backend operations without exposing sensitive logic.
Executing Backend Logic from the Frontend : The Local API is designed for server environments and cannot be directly accessed from client-side code. Server functions enable frontend components to trigger backend operations securely.Security Benefits : Instead of exposing a full REST or GraphQL API, server functions restrict access to only the necessary operations, reducing potential security risks.Performance Optimizations : Next.js handles server functions efficiently, offering benefits like caching, optimized database queries, and reduced network overhead compared to traditional API calls.Simplified Development Workflow : Rather than setting up full API routes with authentication and authorization checks, server functions allow for lightweight, direct execution of necessary operations.Use server functions whenever you need to call Local API operations from the frontend. Since the Local API is only accessible from the backend, server functions act as a secure bridge, eliminating the need to expose additional API endpoints.
All Local API operations can be used within server functions, allowing you to interact with Payload's backend securely.
For a full list of available operations, see the Local API overview.
In the following examples, we'll cover some common use cases, including:
Creating a document Updating a document Handling file uploads when creating or updating a document Authenticating a user First, let's create our server function. Here are some key points for this process:
Begin by adding 'use server' at the top of the file. You can still use utilities such as getPayload(). Once the function structure is in place, call the Local API operation payload.create() and pass in the relevant data. It's good practice to wrap this in a try...catch block for error handling. Finally, make sure to return the created document (don't just run the operation). 3 import { getPayload } from 'payload'
4 import config from '@payload-config'
6 export async function createPost ( data ) {
7 const payload = await getPayload ( { config } )
10 const post = await payload . create ( {
16 throw new Error ( ` Error creating post: ${ error . message } ` )
Now, let's look at how to call the createPost function we just created from the frontend in a React component when a user clicks a button:
3 import React , { useState } from 'react' ;
4 import { createPost } from '../server/actions' ;
6 export const PostForm : React . FC = ( ) => {
7 const [ result , setResult ] = useState < string > ( '' ) ;
15 onClick = { async ( ) => {
17 const newPost = await createPost ( { title : 'Sample Post' } ) ;
18 setResult ( 'Post created: ' + newPost . title ) ;
The key points from the previous example also apply here.
To update a document instead of creating one, you would use payload.update() with the relevant data and passing the document ID.
Here's how the server function would look:
3 import { getPayload } from 'payload'
4 import config from '@payload-config'
6 export async function updatePost ( id , data ) {
7 const payload = await getPayload ( { config } )
10 const post = await payload . update ( {
17 throw new Error ( ` Error updating post: ${ error . message } ` )
Here is how you would call the updatePost function from a frontend React component:
3 import React , { useState } from 'react' ;
4 import { updatePost } from '../server/actions' ;
6 export const UpdatePostForm : React . FC = ( ) => {
7 const [ result , setResult ] = useState < string > ( '' ) ;
15 onClick = { async ( ) => {
17 const updatedPost = await updatePost ( 'your-post-id-123' , { title : 'Updated Post' } ) ;
18 setResult ( 'Post updated: ' + updatedPost . title ) ;
In this example, we will check if a user is authenticated using Payload's authentication system. Here's how it works:
First, we use the headers function from next/headers to retrieve the request headers. Next, we pass these headers to payload.auth() to fetch the user's authentication details. If the user is authenticated, their information is returned. If not, handle the unauthenticated case accordingly. Here's the server function to authenticate a user:
3 import { headers as getHeaders } from 'next/headers'
4 import config from '@payload-config'
5 import { getPayload } from 'payload'
7 export const authenticateUser = async ( ) => {
8 const payload = await getPayload ( { config } )
9 const headers = await getHeaders ( )
10 const { user } = await payload . auth ( { headers } )
13 return { hello : user . email }
16 return { hello : 'Not authenticated' }
Here's a basic example of how to call the authentication server function from the frontend to test it:
3 import React , { useState } from 'react' ;
5 import { authenticateUser } from '../server/actions' ;
7 export const AuthComponent : React . FC = ( ) => {
8 const [ userInfo , setUserInfo ] = useState < string > ( '' ) ;
16 onClick = { async ( ) => {
18 const result = await authenticateUser ( ) ;
19 setUserInfo ( result . hello ) ;
This example demonstrates how to write a server function that creates a document with a file upload. Here are the key steps:
Pass two arguments: data for the document content and upload for the file Merge the upload file into the document data as the media field Use payload.create() to create a new post document with both the document data and file 3 import { getPayload } from 'payload'
4 import config from '@payload-config'
6 export async function createPostWithUpload ( data , upload ) {
7 const payload = await getPayload ( { config } )
16 const post = await payload . create ( {
23 throw new Error ( ` Error creating post: ${ error . message } ` )
Here is how you would use the server function we just created in a frontend component to allow users to submit a post along with a file upload:
The user enters the post title and selects a file to upload. When the form is submitted, the handleSubmit function checks if a file has been chosen. If a file is selected, it passes both the title and the file to the createPostWithFile server function. And you are done! 3 import React , { useState } from 'react' ;
4 import { createPostWithUpload } from '../server/actions' ;
6 export const PostForm : React . FC = ( ) => {
7 const [ title , setTitle ] = useState < string > ( '' ) ;
8 const [ file , setFile ] = useState < File | null > ( null ) ;
9 const [ result , setResult ] = useState < string > ( '' ) ;
11 const handleFileChange = ( e : React . ChangeEvent < HTMLInputElement > ) => {
13 setFile ( e . target . files [ 0 ] ) ;
17 const handleSubmit = async ( e : React . FormEvent ) => {
20 setResult ( 'Please upload a file.' ) ;
26 const newPost = await createPostWithUpload ( { title } , file ) ;
27 setResult ( 'Post created with file: ' + newPost . title ) ;
29 setResult ( 'Error: ' + error . message ) ;
34 < form onSubmit = { handleSubmit } >
38 onChange = { ( e ) => setTitle ( e . target . value ) }
39 placeholder = " Post Title "
41 < input type = " file " onChange = { handleFileChange } />
42 < button type = " submit " > Create Post </ button >
Managing authentication with the Local API can be tricky as you have to handle cookies and tokens yourself, and there aren't built-in logout or refresh functions since these only modify cookies. To make this easier, we provide login, logout, and refresh as ready-to-use server functions. They take care of the underlying complexity so you don't have to.
Logs in a user by verifying credentials and setting the authentication cookie. This function allows login via username or email, depending on the collection auth configuration.
login function1 import { login } from '@payloadcms/next/auth'
The login function needs your Payload config, which cannot be imported in a client component. To work around this, create a simple server function like the one below, and call it from your client.
3 import { login } from '@payloadcms/next/auth'
4 import config from '@payload-config'
6 export async function loginAction ( {
14 const result = await login ( {
23 ` Login failed: ${ error instanceof Error ? error . message : 'Unknown error' } ` ,
3 import { useState } from 'react'
4 import { loginAction } from '../loginAction'
6 export default function LoginForm ( ) {
7 const [ email , setEmail ] = useState < string > ( '' )
8 const [ password , setPassword ] = useState < string > ( '' )
11 < form onSubmit = { ( ) => loginAction ( { email , password } ) } >
12 < label htmlFor = " email " > Email </ label >
15 onChange = { ( e : ChangeEvent < HTMLInputElement > ) =>
16 setEmail ( e . target . value )
21 < label htmlFor = " password " > Password </ label >
24 onChange = { ( e : ChangeEvent < HTMLInputElement > ) =>
25 setPassword ( e . target . value )
30 < button type = " submit " > Login </ button >
Logs out the current user by clearing the authentication cookie and current sessions.
logout function1 import { logout } from '@payloadcms/next/auth'
Similar to the login function, you now need to pass your Payload config to this function and this cannot be done in a client component. Use a helper server function as shown below. To ensure all sessions are cleared, set allSessions: true in the options, if you wish to logout but keep current sessions active, you can set this to false or leave it undefined.
3 import { logout } from '@payloadcms/next/auth'
4 import config from '@payload-config'
6 export async function logoutAction ( ) {
8 return await logout ( { allSessions : true , config } )
11 ` Logout failed: ${ error instanceof Error ? error . message : 'Unknown error' } ` ,
3 import { logoutAction } from '../logoutAction'
5 export default function LogoutButton ( ) {
6 return < button onClick = { ( ) => logoutFunction ( ) } > Logout </ button >
Refreshes the authentication token and current session for the logged-in user.
refresh function1 import { refresh } from '@payloadcms/next/auth'
As with login and logout, you need to pass your Payload config to this function. Create a helper server function like the one below. Passing the config directly to the client is not possible and will throw errors.
3 import { refresh } from '@payloadcms/next/auth'
4 import config from '@payload-config'
6 export async function refreshAction ( ) {
13 ` Refresh failed: ${ error instanceof Error ? error . message : 'Unknown error' } ` ,
3 import { refreshAction } from '../actions/refreshAction'
5 export default function RefreshTokenButton ( ) {
6 return < button onClick = { ( ) => refreshFunction ( ) } > Refresh </ button >
When using server functions, proper error handling is essential to prevent unhandled exceptions and provide meaningful feedback to the frontend.
Wrap Local API calls in try/catch blocks to catch potential errors. Log errors on the server for debugging purposes.Return structured error responses instead of exposing raw errors to the frontend. Example of good error handling:
1 export async function createPost ( data ) {
3 const payload = await getPayload ( { config } )
4 return await payload . create ( { collection : 'posts' , data } )
6 console . error ( 'Error creating post:' , error )
7 return { error : 'Failed to create post' }
Using server functions helps prevent direct exposure of Local API operations to the frontend, but additional security best practices should be followed:
Restrict access : Ensure that sensitive actions (like user management) are only callable by authorized users.Avoid passing sensitive data : Do not return sensitive information such as user data, passwords, etc.Use authentication & authorization : Check user roles before performing actions.Example of restricting access based on user role:
1 import { UnauthorizedError } from 'payload'
3 export async function deletePost ( postId , user ) {
4 if ( ! user || user . role !== 'admin' ) {
5 throw new UnauthorizedError ( )
8 const payload = await getPayload ( { config } )
9 return await payload . delete ( { collection : 'posts' , id : postId } )