#REST API GET Collection via API-Key

Hi together,

we want to use Payloadcms as a headless cms for our 11ty based webpage. So before building the page, I need to get the posts from our cms.

As I don't want to perform a login every time, I want to use the useAPIKey functionality.

Imagine you have a collection "news" which is the one I want to get my page content from.

As the docs said, I added the following code block to my collection config

auth: {
    useAPIKey: true,
  },

https://payloadcms.com/docs/authentication/config#api-keys

But when I now refresh my page, I got also a field "E-Mail" and I need an API-Key per User.

Also when trying to use the generated key, I got the error "You are not allowed to perform this action."

Yes, added "Authorization" to my GET request header COLLECTION-SLUG API-Key KEYSTRING

Can you please help me?

Hello @nova trellis, maybe I can help

So you want to use the api key per-user functionality, right?

yes, this is my first problem 😄

Is there an issue with enabling that feature?

I dont understand this part But when I now refresh my page, I got also a field "E-Mail" and I need an API-Key per User.

Yes, I'm not sure how/where to enable the api-key per user.
If I add it to my (for example "news") "content" collection, I have the same API key for each user.
If I add it to the "User" collection I have a key per user but cannot access my content collection with this API key 🙈

The api keys are generated per-use i believe in the collection

To enable API keys on a collection, set the useAPIKey auth option to true. From there, a new interface will appear in the Admin panel for each document within the collection that allows you to generate an API key for each user in the Collection.

The second sentence

Any luck with that?

Ok, seems to be correct

But I have the field "E-Mail" above 🤔

Ooo nice, that is what you wanted right?

Yes, I now have an api key per user but why do have this E-Mail field?

And second part is, that I cannot authenticate using the API-Key when trying to perform a request e.g. using ThunderClient

okay. sorry. I re-checked it and saw, that the same API-Key is display for two users as I told before

Can I see the collection code?

const TestCollection: CollectionConfig = {
  slug: 'testcollection',
  labels: {
    singular: '"Testcollection"-Entry',
    plural: 'Testcollection-Entries'
  },
  auth: {
    useAPIKey: true,
  },
  admin: {
    useAsTitle: 'title',
    defaultColumns: [
      'title',
      'category',
      'publishDate'
    ],
    group: 'Content',
    listSearchableFields: [
      'title',
      'category',
    ],
    disableDuplicate: true,
  },
  access: {
    create: hasCreateAccessToPosts,
    read: hasReadAccessToPosts,
    update: hasUpdateDeleteAccessToPosts,
    delete: hasUpdateDeleteAccessToPosts,
  },
  versions: {
    drafts: true,
  },

hmm

and in the photo you posted, that is of this collection?

(sorry, im english hehe)

Yes, this is correct.
I just renamed it within the example code. But functionality is the same.

I cutted before starting with "fields"

My guess is that because you have API key enabled for the collection ,it also shows the user email the key is generated for

If you remove API key from the collection config, does it go away?

Yep. As I remove the block "auth" from my config file for the content collection, E-Mail and "API-Key" will be removed from the frontend.
But which API-Key should I use instead? 🤔

I also think so. But why is the E-Mail the same when I sign in with another user?

Hmm it should not be

How are your users logging in?

Currently using E-Mail and password.

Through the front end or directly into the Payload control panel?

directly into payload control panel

And how are you using the api keys then?

I want to use the api keys to fetch the content for our webpage using 11ty Fetch

Ah okay, I didn't know if you had a setup where you created a login form on your frontend, sent a login request which would generate a cookie the user could authorize with

Lets try basic

Can you make a new collection, "Books", with only one field

and enable API key on it

Lets make a simple test case to get to the bottom of this

ok. give me a second 😄

No, as this will be just a programmatically based request without a login form I cannot use a cookie. I'd have to call /login, get the jwt and then do a request

Take your time

ok. I added the collection "books".

Nice nice

import { CollectionConfig } from 'payload/types';

// Example Collection - For reference only, this must be added to payload.config.ts to be used.
const Books: CollectionConfig = {
  slug: 'books',
  auth: {
    useAPIKey: true,
  },
  admin: {
    useAsTitle: 'title',
    defaultColumns: [
      'title',
    ],
    group: 'Content',
    listSearchableFields: [
      'title',
    ],
    disableDuplicate: true,
  },
  versions: {
    drafts: true,
  },
  fields: [
    {
      name: 'title',
      type: 'text',
      required: true,
      unique: true,
      label: 'Titel',
    },
  ],
}

export default Books;

OK looks good, we got a title field

But when I want to create an entry, I also have to provide a username. 🤔

this seems odd

@harsh badger Sorry, this also seems odd, any idea why it's asking for user creds on this collection?

@nova trellis Until they can reply, I'm looking into it as well

@sharp geyser thanks 😄

If I add "useAPIKey" to users and try to perform a request to /api/users using ThunderClient and the API-Key I got from the account page, this works. But as you see, it won't work for other collections 🙈

by default, enabling auth also enables the local authentication strategy (email / password)

BUT

you can disable the local auth strategy, while keeping the api key strategy

but how come you are enabling auth on a "books" collection?

generally when we do this we make a collection called "API Keys" and then just enable auth on that collection

@nova trellis maybe this might help? https://discord.com/channels/967097582721572934/1093168403147141181

I recommended making a basic books collection to try to isolate the issue

Give me just a second, I'll try something

sorry in classic form i am writing a blog post the day of it needing to be released, multitasking. I missed the books convo above

@sharp geyser @surreal vector @harsh badger thank you for your fast help 😄
While testing this, I figured out, that I can use "useAPIKey" on my "users" collection. Then I can query the api, e.g. for books with the header
Authorization: users API-Key KEYSTRING

but yea I'd make an API Keys collection

or yes that

The docs made me a bit confused 😅 so I thought that I have to enable "useAPIKey" within the auth-block for my content-collection (e.g. books)

nope, api keys authenticate you as the user that the api key is tied to

they are not free-for-all, they respect the permissions and access that the user has

which is f-ing beautiful

That is super nice!

😄

Glad you got it going @nova trellis !!

Yes, this is a very good feature 👏
But you need to understand it 😉

yeah we could put more in our docs about it for sure

what's the saying

with great power comes great responsibility

damn i am a loser

and what's really special is that this whole thread will be indexed on our website forever

🤦‍♂️

I think adding a "recipes" section for the docs would be 💣

payloadcms.com/docs/cookbook

In Germany we got a proverb for this thread "You grow with your challenges" 😁
So sometimes you'll learn more while "trial and error" than while reading the docs 😉

Love how Kirby did it: https://getkirby.com/docs/cookbook

If you want to, just give me a note when the cookbook is ready and then I'd write the recipe 😉