Security at Payload

Security isn't just a feature—it's foundational to what Payload does as an open-source solution.

The open availability of our source code allows a diverse community of developers to address vulnerabilities, leading to a more secure and battle-tested product compared to SaaS alternatives.


Optimizing Security in your Payload Environment

Payload provides a comprehensive range of security features designed to safeguard your data effectively. Review Payload Documentation for specifics.


Single Sign-On

Single Sign-On (SSO) integrates with any SAML or OAuth 2.0 identity provider and meets the requirements of strict enterprise security standards. SSO is available to Payload enterprise clients.


Authentication

Payload's comprehensive and customizable user Authentication stores the session token in an HttpOnly cookie, so script injected through XSS (cross-site scripting) cannot read it. HttpOnly does not by itself protect the cookie in transit: serve the API over TLS and set the cookie's Secure flag (Payload's auth cookie options) so the browser never sends it over plain HTTP where it could be intercepted. You can also enable API key support for third-party integrations that cannot hold a browser session.


Access Control

Access control runs per operation (create, read, update, delete) on every collection and, below that, on every field. An access function returns either a boolean or a query constraint that limits which documents the operation may touch, which gives granular management of data access and modification rights.


CSRF Prevention

Cross-Site Request Forgery (CSRF) prevention checks the origin of each cookie-authenticated request to your API against the csrf allowlist in your Payload config. A page on another site cannot ride a logged-in user's session cookie to perform actions on their behalf, because its origin is not on the list.


Cross Origin Resource Sharing

You can set a whitelist array of origins to allow CORS requests from, or a wildcard string ('*') to accept requests from any origin. Headless operation only needs your own front-end origins on the whitelist; the wildcard is the permissive choice, and browsers will not send cookies to a wildcard CORS response, so cookie-based logins from your front end require the explicit whitelist anyway.


IP-Based Rate Limiting

To slow brute-force login attempts, credential stuffing, and similar abuse, you can set per-IP rate limits via Payload's rateLimit property. Rate limiting is not a DDoS defense on its own; volumetric attacks need to be absorbed upstream by your CDN or network layer.
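The three settings above side by side, as an added example that is not code from Payload's docs: a permissive configuration next to a hardened one, plus a check that shows what an origin allowlist actually means. The config keys cors, csrf and rateLimit are the ones named on this page; the rateLimit option names (window, max, trustProxy) are assumed from Payload 2.x's Express-based config and should be checked against the docs for the version you run. The origin-matching function is an illustration of the allowlist semantics, not Payload's own middleware.

```typescript
// Added example (not Payload's code): CORS, CSRF and rate-limit settings
// side by side. Config key names come from the page; rateLimit option
// names are assumed from Payload 2.x and must be verified for your version.

type RateLimit = { window: number; max: number; trustProxy: boolean }

type SecurityConfig = {
  cors: string[] | '*'
  csrf: string[]
  rateLimit: RateLimit
}

// Permissive setting: any origin may call the API. Browsers also refuse to
// send credentials to an `Access-Control-Allow-Origin: *` response, so
// cookie-based logins from your own front end silently fail with this.
const permissiveConfig: SecurityConfig = {
  cors: '*',
  csrf: [],
  rateLimit: { window: 15 * 60 * 1000, max: 10_000, trustProxy: true },
}

// Hardened setting: one explicit allowlist drives both CORS (who may read
// responses) and CSRF (who may authenticate with the session cookie).
function hardenedConfig(frontendOrigins: string[]): SecurityConfig {
  const bad = frontendOrigins.filter((o) => !isCanonicalOrigin(o))
  if (bad.length) throw new Error(`not a canonical origin: ${bad.join(', ')}`)
  return {
    cors: frontendOrigins,
    csrf: frontendOrigins,
    // 500 requests per IP per 15 minutes. Only set trustProxy when a proxy
    // you control sets X-Forwarded-For; otherwise clients can spoof their IP.
    rateLimit: { window: 15 * 60 * 1000, max: 500, trustProxy: false },
  }
}

// An allowlist entry must be a full origin (scheme + host [+ port]) with
// no path, no trailing slash and no wildcard, e.g. `https://app.example.com`.
function isCanonicalOrigin(value: string): boolean {
  try {
    const u = new URL(value)
    return (u.protocol === 'https:' || u.protocol === 'http:') && u.origin === value
  } catch {
    return false
  }
}

// What the allowlist means when a browser sends `Origin`: exact match only.
// Substring or prefix matching would let `https://app.example.com.evil.net`
// through, which is the classic CORS/CSRF allowlist bug.
function originAllowed(origin: string | undefined, cfg: SecurityConfig): boolean {
  if (cfg.cors === '*') return true
  if (!origin) return false
  return cfg.cors.includes(origin)
}
```

Keep the same array in both cors and csrf: an origin that may read responses but may not authenticate with the cookie, or the reverse, is almost always a configuration mistake rather than an intended policy.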

User Authentication

Authentication is used within the Payload Admin panel itself and throughout your own app(s) wherever you need it. This includes, but isn't limited to, customer accounts for an ecommerce app, a SaaS product, or a P2P/social app where users manage their own profiles.


Single Sign-On (SSO)

With Payload’s Single Sign-On solution, enterprise users can securely log in using their corporate credentials. This simplifies the authentication process and aligns seamlessly with stringent compliance requirements for enterprise-level security.

Access Control

Upon the first login with corporate credentials, user profiles are automatically generated, effortlessly mapping permissions across teams, service lines, or entire departments, down to the individual employee. This streamlines user onboarding, enhances security, and ensures dynamic access control.

Access Control

Access Control in Payload

  access: {
    // changeDraftsOnly and isAdmin are helper access functions defined
    // elsewhere in the project; they are referenced here, not shown.
    create: changeDraftsOnly,
    update: changeDraftsOnly,
    // Logged-in users can read everything; anonymous requests are narrowed
    // to published documents by returning a query instead of a boolean.
    read: ({ req }) => {
      if (req.user) return true
      return {
        _status: {
          equals: 'published',
        },
      }
    },
    delete: ({ req }) => {
      return isAdmin(req.user)
    },
  },

The most innovative companies on earth are turning to Payload for their mission-critical projects. Let us show you why.
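The access block above with its two helpers filled in and run against constructed documents, as an added example that is not Payload's own code. The boolean-or-query return contract and the `req.user` and `id` arguments follow Payload's access-function contract as described on this page; the User type with a `roles` field, the sample documents, and the small in-memory evaluator that applies a query result to them are assumptions made for this example.

```typescript
// Added example (not Payload's code): the page's access block with
// changeDraftsOnly and isAdmin implemented, plus a tiny evaluator that
// shows what a boolean vs. a query result does to a set of documents.
// User shape, `roles`, sample docs and the evaluator are assumptions.

type User = { id: string; roles: string[] }
type Req = { user?: User }
type Status = 'draft' | 'published'
type Where = { _status: { equals: Status } }
type AccessResult = boolean | Where
type AccessArgs = { req: Req; id?: string }
type Doc = { id: string; title: string; _status: Status }

function isAdmin(user?: User): boolean {
  return !!user && user.roles.includes('admin')
}

// Editors may create documents and update drafts; published content may
// only be changed by admins. `id` is present for update and absent for
// create, so create gets a boolean and update gets a narrowing query.
function changeDraftsOnly({ req, id }: AccessArgs): AccessResult {
  if (!req.user) return false
  if (isAdmin(req.user)) return true
  if (id === undefined) return true
  return { _status: { equals: 'draft' } }
}

const access = {
  create: changeDraftsOnly,
  update: changeDraftsOnly,
  read: ({ req }: AccessArgs): AccessResult => {
    if (req.user) return true
    return { _status: { equals: 'published' } }
  },
  delete: ({ req }: AccessArgs): AccessResult => isAdmin(req.user),
}

// Evaluator for the contract: true = all docs, false = none, a Where
// clause = only the docs matching it. Constructed for this example.
function applyAccess(result: AccessResult, docs: Doc[]): Doc[] {
  if (result === true) return docs
  if (result === false) return []
  return docs.filter((d) => d._status === result._status.equals)
}

// Constructed sample data: one published and one draft document.
const sampleDocs: Doc[] = [
  { id: '1', title: 'Public post', _status: 'published' },
  { id: '2', title: 'Unreleased post', _status: 'draft' },
]

function readableBy(req: Req): string[] {
  return applyAccess(access.read({ req }), sampleDocs).map((d) => d.id)
}

function updatableBy(req: Req): string[] {
  return sampleDocs
    .filter((d) => applyAccess(access.update({ req, id: d.id }), [d]).length > 0)
    .map((d) => d.id)
}
```

The point to carry over to your own collections: a query result is evaluated by the database on every read and update, so a narrowing constraint cannot be bypassed by guessing IDs or crafting a broader query through the REST or GraphQL API, which a boolean check in a route handler could miss.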