useApiKey for the entire collection

[gotleg]

Hello,

I'm testing payloadcms for a few hours and so far, everything is pretty straight forward. Nice job :)

I read the doc about enabling api-key auth on a collection, but once it's done, I have to generate an api-key for each document !?!
Is there a way to generate an api-key for one user but on an entire collection and even better for multiple collections ?

I want to be able to list all items in a collection (ex: /api/menu)

Can't find a way to do so in the docs. Do I miss something ?

Thanks for your help

[jmikrut]

Hey @gotleg — thank you for the compliments!

I am not sure I understand your questions. You do have to generate an API key for each user that requires one, but I am not sure why you'd need each user to instantly have an API key. Users can log in via JWT without generating an API key, which is the normal way for users to authenticate, and API keys are more of a way for your third-party apps and integrations to be able to auth with Payload directly without having to log in before making requests. Typically you only have a small handful of API keys (maybe one for each service that is integrating with Payload).

But, if you wanted to auto-generate an API key for each user in a collection (or multiple collections), you could by simply writing a Node script that uses Payload's Local API to update all users with enableAPIKey: true and then a generated API key that you set.

Let me know if I am misunderstanding here. Thanks again!

[JarrodMFlesch]

@gotleg it would actually be

Authorization: User API-Key xxxxxxxxxxxxxxxxxxxxxxx

Assuming your auth collections Singular Label is User

You could also have other api keys on other collections,

Authorization: Admin API-Key xxxxxxxxxxxxxxxxxxxxxxx

Assuming this auth collections Singular Label is Admin

[gotleg]

Perfect thank you

[akanshSirohi]

@gotleg can you please tell how you generated api-key for each collection and integrated it..?
As there is no such example or steps in the documentation.

[gotleg]

@akanshSirohi So the process is pretty simple.
You have to activate api-key authentication on your user collection to enable api-key auth instead of JWT auth.
const Users: CollectionConfig = { slug: 'users', auth: { useAPIKey: true }, ...

Then you can activate api-key auth on a user and generate the api-key :

[akanshSirohi]

@gotleg Thanks for saving my day! 😄

[drewbo]

This pattern still seems a bit off to me but please feel free to correct my understanding if I'm way off-base (I'm testing using the website template):

• setting useAPIKey: true at the collection level adds a new component to the admin panel for each collection element, where I can add an API token for a given user
• that token is visible to all users with admin access (even if it doesn't match their email)
• the token doesn't show up in other elements of the same collection (i.e. it seems element specific)
• the token isn't visible in the User collection as being associated with a single user

A more common pattern I've seen with API tokens (tailored to this situation):

• assigned to a single-user (still potentially an "integration user" as suggested by the docs)
• the token is assigned permissions (e.g. read/write access to posts, read only to users)
• the token wouldn't necessarily be visible at the collection level or individual element level, especially not for users whose email it doesn't match (or gate to a certain level of access) but it should be seen for a given user.