BuildWithMatija
  1. Home
  3. Blog
  5. Payload
  7. Mastering Payload CMS API: Authentication & Queries Explained

Mastering Payload CMS API: Authentication & Queries Explained

Unlock the power of Payload CMS with our guide to REST API authentication and efficient data querying techniques.

5th November 2025·Updated on:3rd June 2026··
Payload
Mastering Payload CMS API: Authentication & Queries Explained

Need Help Making the Switch?

Moving to Next.js and Payload CMS? I offer advisory support on an hourly basis.

Book Hourly Advisory

📚 Comprehensive Payload CMS Guides

Detailed Payload guides with field configuration examples, custom components, and workflow optimization tips to speed up your CMS development process.

No spam. Unsubscribe anytime.

Related Posts:

  • •How to Speed Up Your Payload CMS Site With unstable_cache
  • •When to Use Deep vs Shallow Queries in Payload CMS: A Server-Side Rendering Strategy
  • •Render Payload CMS Rich Text with Tailwind v4 — Quick Guide
📄View markdown version
5

About the author

Matija Žiberna

Matija Žiberna

Full-stack developer, co-founder

AboutResume

Self-taught full-stack developer sharing lessons from building software and startups.

I'm Matija Žiberna, a self-taught full-stack developer and co-founder passionate about building products, writing clean code, and figuring out how to turn ideas into businesses. I write about web development with Next.js, lessons from entrepreneurship, and the journey of learning by doing. My goal is to provide value through code—whether it's through tools, content, or real-world software.

You might be interested in

How to Speed Up Your Payload CMS Site With unstable_cache
How to Speed Up Your Payload CMS Site With unstable_cache

12th June 2025

When to Use Deep vs Shallow Queries in Payload CMS: A Server-Side Rendering Strategy
When to Use Deep vs Shallow Queries in Payload CMS: A Server-Side Rendering Strategy

24th September 2025

Render Payload CMS Rich Text with Tailwind v4 — Quick Guide
Render Payload CMS Rich Text with Tailwind v4 — Quick Guide

13th December 2025

Contents

  • Understanding Payload's Built-In REST API
  • Setting Up API Key Authentication
  • Understanding Access Control Impact
  • Making Your First Authenticated Request
  • Using the Where Parameter for Filtering
  • Filtering Date Fields Correctly
  • Populating Relationships with Depth
  • Selecting Specific Fields with Select
  • Other Useful Query Parameters
  • Implementing in n8n
  • Conclusion
On this page:
  • Understanding Payload's Built-In REST API
  • Setting Up API Key Authentication
  • Understanding Access Control Impact
  • Making Your First Authenticated Request
  • Using the Where Parameter for Filtering
Build with Matija logo

Build with Matija

Modern websites, content systems, and AI workflows built for long-term growth.

Services

  • Headless CMS Websites
  • Next.js & Headless CMS Advisory
  • AI Systems & Automation
  • Website & Content Audit

Resources

  • Case Studies
  • How I Work
  • Blog
  • CMS Hub
  • E-commerce Hub
  • Dashboard

Headless CMS

  • Payload CMS Developer
  • CMS Migration
  • Multi-Tenant CMS
  • Payload vs Sanity
  • Payload vs WordPress
  • Payload vs Contentful

Get in Touch

Ready to modernize your stack? Let's talk about what you're building.

Book a discovery callContact me →
© 2026Build with Matija•All rights reserved•Privacy Policy•Terms of Service
BuildWithMatija
Get In Touch

I was setting up an n8n automation to generate delivery reports from our Payload CMS database when I hit a wall. The API kept returning "Nimate dovoljenja za izvedbo tega dejanja" (You don't have permission to perform this action), even though I was using a valid API key from a super admin account. After digging through logs and documentation, I discovered the issue wasn't my permissions—it was how I was authenticating.

Payload CMS provides REST API endpoints for every collection automatically, but the authentication format is specific and easy to get wrong. This guide shows you exactly how to authenticate with Payload's API and use its powerful query parameters to fetch exactly the data you need.

Understanding Payload's Built-In REST API

When you create a collection in Payload, the CMS automatically generates REST endpoints for you. No custom endpoint creation needed. For a collection with slug delivery-dates, you immediately get:

  • GET /api/delivery-dates - List all documents
  • GET /api/delivery-dates/:id - Get single document
  • POST /api/delivery-dates - Create document
  • PATCH /api/delivery-dates/:id - Update document
  • DELETE /api/delivery-dates/:id - Delete document

The challenge isn't the endpoints themselves—they're already there. The challenge is understanding how to authenticate properly and how to filter data using Payload's query parameters.

Setting Up API Key Authentication

Before you can fetch data externally, you need to enable API keys in your Payload configuration. In your collection config where authentication is enabled (typically your users collection), you need this setting:

typescript
// File: src/collections/Users.ts
export const Users: CollectionConfig = {
  slug: 'users',
  auth: {
    useAPIKey: true,  // This enables API key authentication
    // ... other auth settings
  },
  // ... rest of configuration
}

Once enabled, navigate to your Payload admin panel, go to Users, and edit a super admin user. You'll see an API Key field where you can generate a new key. This is a long string like 77c9b8b0-1b81-46a1-ab62-86f76f427eed. Copy this key—you'll need it for every API request.

The critical piece that took me hours to figure out is the authentication header format. Payload requires a very specific structure that's different from typical Bearer token authentication. The format is:

code
Authorization: {collection-slug} API-Key {your-api-key}

Notice the space between "API-Key" and your key, and the exact capitalization. For a users collection, your header looks like this:

code
Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed

This tells Payload to authenticate the request using the API key from the users collection, and Payload's middleware will populate req.user with your user document, allowing access control to work properly.

Understanding Access Control Impact

Access control in Payload directly affects what your API requests can retrieve. Here's an example from an orders collection:

typescript
// File: src/collections/Orders.ts
access: {
  read: ({ req }) => {
    if (req.user) {
      // Super admin can read all
      if (isSuperAdmin(req.user)) return true;

      // Customer can only read their own orders
      if (req.user.collection === 'customers') {
        return {
          customer: {
            equals: req.user.id,
          },
        };
      }
    }
    return false;
  },
  
  create: () => true,  // Public order creation for checkout
  
  update: superAdminOrTenantAdminAccess,
  delete: superAdminOrTenantAdminAccess,
}

This access control means unauthenticated requests will fail. A customer's API key will only return their own orders. Only a super admin's API key can retrieve all orders. This is why getting authentication right is crucial—without req.user being populated, Payload returns permission errors even for valid requests.

Compare this with a publicly readable collection:

typescript
// File: src/collections/DeliveryDates.ts
access: {
  read: () => true,  // Anyone can read delivery dates
  create: superAdminOrTenantAdminAccess,
  update: superAdminOrTenantAdminAccess,
  delete: superAdminOrTenantAdminAccess,
}

Delivery dates can be fetched without authentication because read returns true for everyone. But you still need authentication to create, update, or delete records.

Making Your First Authenticated Request

Let's fetch delivery dates with proper authentication. Using cURL:

bash
curl -g 'https://www.kmetijamehak.si/api/delivery-dates' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

The -g flag tells cURL to disable URL globbing, which prevents issues with square brackets in query parameters we'll use later.

In Postman, set up the request like this:

  1. Method: GET
  2. URL: https://www.kmetijamehak.si/api/delivery-dates
  3. Headers tab:
    • Key: Authorization
    • Value: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed

For n8n or other automation tools, use the HTTP Request node with a custom header. The header name is Authorization and the value follows the same format: users API-Key {your-key}.

Using the Where Parameter for Filtering

Payload's where parameter lets you filter documents using a MongoDB-style query syntax. The key is understanding how to structure these queries in URL parameters.

Let's say you want to fetch orders for a specific delivery date. Your delivery date has an ID of 5. The query looks like this:

bash
curl -g 'https://www.kmetijamehak.si/api/orders?where[deliveryDate][equals]=5' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

The where[deliveryDate][equals]=5 syntax tells Payload to filter orders where the deliveryDate relationship equals the ID 5. This returns only orders associated with that specific delivery date.

Payload supports multiple operators for different field types:

For relationships and basic equality:

code
where[fieldName][equals]=value
where[fieldName][not_equals]=value

For numeric and date fields:

code
where[price][greater_than]=100
where[price][less_than_equal]=500
where[date][greater_than_equal]=2025-11-05T00:00:00.000Z

For text fields:

code
where[status][in]=confirmed,completed
where[region][not_in]=cancelled

You can combine multiple where conditions. To fetch confirmed orders for a specific delivery date:

bash
curl -g 'https://www.kmetijamehak.si/api/orders?where[deliveryDate][equals]=5&where[status][equals]=confirmed' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

Each additional where condition is added with an ampersand. Payload treats multiple conditions as AND operations by default.

Filtering Date Fields Correctly

Date fields require special attention because they store full timestamps, not just dates. If your delivery date field contains 2025-11-05T12:00:00.000Z, a query for where[date][equals]=2025-11-05 will return nothing because it's not an exact match.

The solution is using range queries. To get all records for November 5th, 2025:

bash
curl -g 'https://www.kmetijamehak.si/api/delivery-dates?where[date][greater_than_equal]=2025-11-05T00:00:00.000Z&where[date][less_than]=2025-11-06T00:00:00.000Z' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

This query finds all documents where the date is greater than or equal to the start of November 5th and less than the start of November 6th. This captures any time during that day, regardless of the specific timestamp stored.

Alternatively, if you know the exact timestamp stored in your database, you can match it precisely:

bash
curl -g 'https://www.kmetijamehak.si/api/delivery-dates?where[date][equals]=2025-11-05T12:00:00.000Z' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

The range approach is more flexible when you're filtering by day rather than exact time.

Populating Relationships with Depth

By default, Payload returns relationship fields as just IDs. If your order has a deliveryDate field that references the delivery-dates collection, you'll receive:

json
{
  "id": 123,
  "orderNumber": "ORD-001",
  "deliveryDate": 5,
  "customer": 42
}

To get the full related documents, use the depth parameter:

bash
curl -g 'https://www.kmetijamehak.si/api/orders?where[deliveryDate][equals]=5&depth=2' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

With depth=2, you get nested relationship data:

json
{
  "id": 123,
  "orderNumber": "ORD-001",
  "deliveryDate": {
    "id": 5,
    "date": "2025-11-05T12:00:00.000Z",
    "region": "primorska",
    "locationTimeSlots": [
      {
        "location": {
          "id": 7,
          "name": "Ljubljana - parkirišče Barje p+r",
          "address": "Parkirišče Barje p+r, Ljubljana"
        },
        "timeStart": "2025-10-31T13:00:00.000Z",
        "timeEnd": "2025-10-31T13:30:00.000Z"
      }
    ]
  },
  "customer": {
    "id": 42,
    "email": "customer@example.com",
    "firstName": "John"
  }
}

The depth value determines how many levels deep to populate. depth=1 populates immediate relationships. depth=2 populates relationships within those relationships. Higher depth values can slow your queries, so use the minimum needed for your use case.

Selecting Specific Fields with Select

When you're building reports or integrations, you often don't need every field from a document. Fetching unnecessary data wastes bandwidth and slows down your queries. Payload's select parameter lets you specify exactly which fields to return.

The select syntax uses bracket notation similar to where clauses. For top-level fields, the format is straightforward:

code
select[fieldName]=true

To fetch only the order number and status from orders:

bash
curl -g 'https://www.kmetijamehak.si/api/orders?select[orderNumber]=true&select[status]=true' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

For nested fields within groups, you extend the bracket notation to specify the path:

code
select[groupName][fieldName]=true

Here's a real example from an orders collection. The customerData field is a group containing firstName, lastName, email, and other customer information. To select only specific fields from this group along with other top-level fields:

bash
curl -g 'https://www.kmetijamehak.si/api/orders?where[deliveryDate][equals]=33&select[customerData][firstName]=true&select[customerData][email]=true&select[orderNumber]=true&select[deliveryDate][id]=true&select[deliveryDate][date]=true&select[pickupLocation]=true' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

This query returns orders for delivery date 33, but only includes:

  • The customer's first name from the customerData group
  • The customer's email from the customerData group
  • The order number
  • The delivery date's ID and date fields
  • The pickup location

The response will look like:

json
{
  "docs": [
    {
      "orderNumber": "ORD-001",
      "customerData": {
        "firstName": "John",
        "email": "john@example.com"
      },
      "deliveryDate": {
        "id": 33,
        "date": "2025-11-05T12:00:00.000Z"
      },
      "pickupLocation": 7
    }
  ]
}

Notice that other fields from customerData like lastName, phone, and address aren't included. Only the fields you explicitly selected are returned. This is particularly valuable when working with large collections or when building specific reports that need a subset of data.

When selecting fields from relationship documents like deliveryDate, you're choosing which fields from that related document to include. If you want the full related document, use the depth parameter instead. If you want specific fields from the relationship, combine select with depth:

bash
curl -g 'https://www.kmetijamehak.si/api/orders?where[deliveryDate][equals]=33&depth=1&select[orderNumber]=true&select[deliveryDate][date]=true&select[deliveryDate][region]=true' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

This populates the deliveryDate relationship but only includes the date and region fields from it, along with the order number from the order itself.

Other Useful Query Parameters

Beyond where, depth, and select, Payload provides several other query parameters to shape your response:

Limit the number of results:

code
limit=50

Paginate through results:

code
limit=50&page=2

Sort by field (ascending or descending):

code
sort=createdAt
sort=-createdAt

The minus sign indicates descending order. You can sort by any field in your collection. Combine all these parameters together for precise queries:

bash
curl -g 'https://www.kmetijamehak.si/api/orders?where[status][equals]=confirmed&depth=1&limit=20&sort=-createdAt&select[orderNumber]=true&select[customer]=true&select[grandTotal]=true' \
  -H 'Authorization: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed'

This query fetches the 20 most recent confirmed orders with customer details populated, returning only the order number, customer data, and grand total.

Implementing in n8n

To use this in n8n for automated reports or cron jobs, add an HTTP Request node with these settings:

  • Method: GET
  • URL: https://www.kmetijamehak.si/api/orders
  • Add Query Parameters:
    • Name: where[deliveryDate][equals], Value: 33
    • Name: select[orderNumber], Value: true
    • Name: select[customerData][firstName], Value: true
    • Name: select[customerData][email], Value: true
    • Name: select[deliveryDate][date], Value: true
    • Name: depth, Value: 1
  • Add Header:
    • Name: Authorization
    • Value: users API-Key 77c9b8b0-1b81-46a1-ab62-86f76f427eed

The response will be JSON that you can process in subsequent n8n nodes. Parse the docs array to access individual orders, then transform or export the data as needed for your reports. The select parameters ensure you're only fetching the exact data you need, making your automation faster and more efficient.

Conclusion

Fetching data from Payload CMS externally requires understanding two key pieces: the specific authentication header format and how to structure query parameters. Once you know that authentication follows the {collection-slug} API-Key {key} pattern and that where clauses and select statements use bracket notation for nested filtering, you can query any Payload collection from n8n, cron jobs, or any external service.

You now have the foundation to build automated reports, sync data with external systems, or create custom integrations that leverage Payload's built-in REST API without writing a single custom endpoint. The access control you define in your collections will automatically apply to these API requests, keeping your data secure while giving you the flexibility to access it programmatically.

For a deeper look at when to use the REST API versus the Local API versus the GraphQL API, Payload CMS fetching strategy covers the trade-offs for each context. If you're designing the collections you're querying, Payload CMS collection structure best practices covers field design patterns that produce cleaner, more queryable data. And if you need a Payload specialist to audit or build your API layer, I work with a small number of clients at a time.

Let me know in the comments if you have questions, and subscribe for more practical development guides.

Thanks, Matija