API Key issues

[swordsreversed]

Hi, i hope someone can help. Payload looks amazing but I can't get apikeys to work. Coming from strapi i had no issues setting up a token and then using it to hit an endpoint. With payload i keep getting this error: 'You are not allowed to perform this action'.

I've got the key correct and my model looks like this:

import { CollectionConfig } from 'payload'

export const Accessories: CollectionConfig = {
  slug: 'accessories',
  admin: {
    useAsTitle: 'name',
  },
  auth: { useAPIKey: true },
  fields: [
    {
      name: 'name',
      type: 'text',
      required: true,
    },
    {
      name: 'description',
      type: 'text', 
      required: false,
    }
}

In the admin panel-> Accessories I have to add an email and password which seem odd, but ok, it then gives me a key. When add another accessory it again asks me to add a user and password? Also i tried putting in email/pass that didn't exist in the Users and it accepted them?

I've obviously tried googling etc and have found other people with the problem, but no one ever lists a solution.

If any one can help, i would appreciate it. This is blocking me from using it in production.

User entered for APIkey

Have to add another user adding a second item?

[jacobsfletch]

It sounds to me like you may be confusing the purpose of the API key, but I can help clear things up for you quick. When setting auth to any truthy value on a collection, such as auth: true or auth: { ... }, this collection is now "authentication-enabled". Think "users" or "customers", etc. They can log in to acquire a JSON Web Token (JWT), which is needed to get through Payload's access control which you define. This is why you see email and password fields, each document is essentially a user. They need to send their token through all requests that might require it.

Alternatively, these users can acquire an "API key". This is just another way for them to authenticate. It looks to me like you simply don't have the Authorization header properly formatted in your request. There are some examples of that in our docs here: https://payloadcms.com/docs/authentication/jwt#identifying-users-via-the-authorization-header

That being said, it feels like your "accessories" collection likely doesn't need authentication at all, and simply needs access control. This way you can control who can read, create, etc. based on user making the request. Here are the docs on that: https://payloadcms.com/docs/access-control/overview

Hopefully this helps to clear things up. Otherwise I'm happy to continue elaborating on these concepts for you.

[swordsreversed]

Thanks @jacobsfletch that explanation makes a lot of sense. I've been using Strapi tokens which i find quite useful . It seems payload will not let you authenticate without a user then:

API tokens can be helpful to give access to people or applications without managing a user account

[DanRibbens]

You can add auth to any collections you want. You could have a collection called apiKeys defined independently of any users collection if you wanted.

[swordsreversed]

In the end i decided to use x-API-key withe the beforeRead hook.