#Disable Rest API?


forest agate
#

I'm using Payload for a mix of traditional content management (blogs, pages with blocks) but also as my backend for a social platform with posts, events and a few other things.

My flow is basically frontend form > server action > Zod check > then using the local api with override access disabled to create it. I'm loving the access control - it's made a lot of my granular permissions very easy to implement!

My issue however is right now I believe that users could technically hit the /api/post for example directly and bypass a lot of my Zod validation / other checks.

I thought I had solved it by endpoints: false in the collection but I guess the dashboard uses the rest api internally and that breaks it.

I don't intend to use the rest api anywhere in this app so disabling it made the most sense in my head, but I'm realizing that might be an anti-pattern for Payload? Is my best bet to just duplicate the validation in a before hook?

Would super appreciate a second opinion... I think I've confused myself a bit. Thanks!

forest agate
#

While I'd prefer the REST API to not really be accessible, I guess just trying to make the before hook the source of truth is probably the best. Will experiment with that. Will keep this up for a bit just in case I'm missing something.

hybrid echo
#

You can define which user type can do what CRUD control

It’s really simple honestly
Website template has some of this code
Also I’d recommend trying Cursor, it’ll help you figure this stuff out fast

forest agate
#

I know I'm overthinking a tad, worst case a determined user submits a slightly malformed doc lol

forest agate
#

Hey! So I need to test a bit more... but it seems like you can intercept the request type, so I can simply check if it's not a local request and then reject it!

In my case... I want the admin panel to still work, so I can just allow it if the user has the admin role

For example:
if (req.payloadAPI !== "local" && !isAdmin(user)) return false
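Added example, not the poster's code and not from Payload itself: a collection access rule in the shape Payload's `access` functions take, which allows create/update/delete only for Local API calls (the server action path that already ran Zod) or for users with an admin role (so the admin panel, which goes through REST, keeps working). The `PayloadRequestLike` and `User` types are assumptions that mirror just the `payloadAPI` and `user` fields this check reads, so the block runs without the package installed.

```typescript
// Request type values Payload sets on req.payloadAPI.
type PayloadAPI = "local" | "REST" | "GraphQL";

// Assumed minimal user shape: roles stored as a string array.
interface User {
  id: string;
  roles?: string[];
}

// Assumed subset of Payload's PayloadRequest used by this rule.
interface PayloadRequestLike {
  payloadAPI: PayloadAPI;
  user?: User | null;
}

// Same call shape as Payload collection access functions: ({ req }) => boolean
type AccessFn = (args: { req: PayloadRequestLike }) => boolean;

const isAdmin = (user?: User | null): boolean =>
  (user?.roles ?? []).includes("admin");

// Allow the write if it came through the Local API (server action) or the
// caller is an admin; any other REST/GraphQL caller is rejected.
const localOrAdmin: AccessFn = ({ req }) =>
  req.payloadAPI === "local" || isAdmin(req.user);

// Hypothetical collection `access` fragment using the rule for every write.
const postsAccess = {
  create: localOrAdmin,
  update: localOrAdmin,
  delete: localOrAdmin,
  read: () => true,
};

// Constructed sample requests covering the cases discussed in the thread.
const sampleRequests: Record<string, PayloadRequestLike> = {
  serverAction: { payloadAPI: "local", user: { id: "u1", roles: ["member"] } },
  adminPanel: { payloadAPI: "REST", user: { id: "u2", roles: ["admin"] } },
  directRest: { payloadAPI: "REST", user: { id: "u1", roles: ["member"] } },
  anonymousGraphql: { payloadAPI: "GraphQL", user: null },
};

// Evaluate the create rule for each sample so the decisions can be inspected.
function evaluateCreate(): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const name of Object.keys(sampleRequests)) {
    out[name] = postsAccess.create({ req: sampleRequests[name] });
  }
  return out;
}
```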

#

Had no idea lol