#Authenticate user by API Key on custom endpoints

I have created some custom endpoints but they are unprotected by default. How can I use Payload auth or user API keys to protect them?

I have gone through the following but they don't cover a custom endpoint case:
https://payloadcms.com/docs/authentication/config#doc <-- only Collection based, not custom endpoint.

https://payloadcms.com/docs/authentication/overview#token-based-auth <-- covers how to authenticate using JWT token, not API Key.

I have custom endpoints both on App level and Collection level. Neither seem to play nice with Payload authenticate middlewares when using API Keys.

You can use middleware:
https://payloadcms.com/docs/authentication/using-middleware

I tried using middleware as in the examples, but putting API Key in the Authorization header as shown will not produce Payload to inject User object into the http request.

you can get the user directly from mongodb

create your own middleware to do this

Using the API Key? In this case, is it known what hashing algorithm Payload uses for Api keys?

did you are using the API Key generated by admin panel, or jwt token?

It is only the custom endpoints that are missing the req.user?
custom endpoints should hit the same middleware unless you have the root: true added and that is only an option outside of collections.

I would verify that your requests work for the built-in collection endpoints to rule out that it is in fact an issue with the custom endpoints if you haven't already.

You shouldn't have to write your own middleware. At worst you can import Payload's middleware but since that should already be running before your endpoint handler gets called, that won't fix your problem anyways.

One common mistake with the authorization header is that payload recognizes:
"Authorization: "JWT {token}" and not "Authorization: "bearer {token}"

You can diagnose by comparing the admin UI requests in the network tab with how your app is calling Payload to find differences.
@sullen frost I hope some of this will help.

in addition, to authenticate via API key, here are the docs:

https://payloadcms.com/docs/authentication/config#api-keys

need a header like this:

Authorization: MyCollectionSingularLabel API-Key 4iwj34li43jltij4

This does not work on custom endpoints. Adding the API-Key to the headers does not attach User object to HTTP request object on custom endpoints. At least that is my experience. Should it ?

I am using the API Key not the token

Yeah that is supposed to work. Do you want to create an issue on GitHub? I'd like to dig into this tomorrow.

Noted, will triple check this today before posting. Thank you.

Nice, let me know. Happy to help

Perhaps the issue is with version. What is the latest stable Payload version?

1.2.5

I'm not aware of any recent changes on this though

Also as a note, my Collection does not have any auth params defined.

Yes just tested again.
Collection (non auth)

    {
      path: '/testing',
      method: 'post',
      handler: [
        async (req, res, next) => {
          console.log("/testing | user: ", req.user)
          if (req.user) next()
          else res.status(401).send({ error: "unauthorized" });
        }
      ]
    }

Request

http://localhost:3000/api/assets/testing
Headers: Authorization: Asset API-Key <USER_API_KEY>

req.user is undefined.

Wait, what collection are you using for auth? in headers it looks like Asset instead of your users collection

I am requesting Assets not User.
Flow:

1. Create new user (enable API key) - this is a "system service" user.
2. Create new collection "Assets"
3. Put User API key to 3rd party service (Moralis)
4. Have Moralis call Payload on the behalf of the user (using his API keys) to interact with Assets collection.

Your flow makes sense, but that header needs to tell Payload what user collection the the API key belongs to, not what you're trying to query.

it works now, I'm stupid.

Hahaha, no worries. Your not stupid

Thank for the help again 🙂

Very welcome!

i love it when things work out

haha