viscid bone
I'm trying to hit my GraphQL endpoint at http://localhost:3000/api/graphql
I can see that the schema is being loaded. But when I try to run a query it says I'm not authorized. I know I usually use a bearer token in the HTTP headers. Is there a bearer token that I need to generate? I could not find that in the docs or in the https://payloadcms.com/cloud admin dashboard.
Thanks in advance for the help!
tepid peakBOT
viscid bone
It seems that a good addition to the docs would be a section called "Authentication" just after the Overview section here: https://payloadcms.com/docs/graphql/overview
viscid bone
Update: I think I have figured out how to do this. Here is what I did:
Enable API Key on my User collection as documented here: https://payloadcms.com/docs/authentication/config#options
const Users: CollectionConfig = {
slug: "users",
auth: {
useAPIKey: true, //
},
...
}
Navigate to User in the admin and hit enable API Key checkbox and then hit save.
Add Authorization HTTP Header to your GraphQL request like this:
Header name Authorization
Header value users API-Key 4c7ed39e-57b3-4b26-bfaa-3270d25819ee
Where users is the slug of your user collection in payload schema (see above).
full citrus
I dont think api key is for that purpose
If you /login it gives a token in return you need to attach that token in headers like Bearer token
In every request to the backend
viscid bone
Do you have documentation for that? The API Key method I showed above does work.
full citrus
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
email: '[email protected]',
password: 'this-is-not-our-password...or-is-it?',
}),
})
const json = await res.json()
in response you will get a token
that token will help your user to pass the access
"message": "Auth Passed",
"user": {
"id": "644b8453cd20c7857da5a9b0",
"email": "[email protected]",
"_verified": true,
"createdAt": "2023-04-28T08:31:15.788Z",
"updatedAt": "2023-04-28T11:11:03.716Z"
},
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
"exp": 1682689147
}```@open cargo can you weigh in on this? Which method is the intended way to authenticate GraphQL client requests from my NextJS application?
My assumption here was that the token expires so that would not be a good thing to store and use as an API key. Since our site has no user Auth we just need a global key to use.
@full citrus I think your soltuion is right if the requests come from an authenticated users client. But in my case, no users are authenticated and the CMS only powers a marketing website. Our Payload CMS only currently has one user which is just the admin (me).
open cargo
<@360823574644129795> can you weigh in on this? Which method is the intended way...
It depends on where you are making your GraphQL requests!
If it's from the server, you can use either Cookie auth or the API token. API tokens are simpler to use, but you won't get stuff you would usually need if you want users to log in to your app, each user with different permissions, as cookie auth handles stuff like token expiration & log in. If it's just like public facing content which is the same for every user, API tokens are the best option
On the client, you'll always wanna use the Cookie auth (or make a request to an endpoint which has access to your API key)
viscid bone
Yes our site does not have user auth so I think the API token is the way for us.