#How can i hide the API keys from users based on access control?

3 messages · Page 1 of 1 (latest)

jolly plover Feb 23, 2026, 3:33 PM

I have a users collection and i have api keys enabled. Is there a way i can apply access control to the apiKey field?

I've got a role that i've given read only access to the entire user collection, but they can still click the api key checkbox on any user and view the api key for that readonly user. I want to try and lock that down more

fallow merlinBOT Feb 23, 2026, 3:33 PM

New Community-Help Thread Created!

Help is on the way! To mark it as solved, use the /solve command. In the meantime, here are some existing threads that may help you:

Documentation:

API Key Strategy - HTTP Authentication
Access Control - The Access Operation
Respecting Access Control with Local API Operations - Default Behavior: Access Control Skipped

Community-Help:

How to secure the Payload API
Payload w/ Supabase Auth
How to download / fetch a file bypassing access controls as the server?
Filtering documents returned from localAPI using beforeRead hook.

radiant quarry Feb 23, 2026, 5:00 PM

What you could do is set an access control on your API field using Access control on the field, and make the condition that the logged in user can only see there own API key.

https://payloadcms.com/docs/access-control/fields#config-options