Gatekeeper
Adds role-based access control to Payload CMS v3 with wildcard permissions, auto-generated permissions per collection, and a managed Roles collection.
Installation
pnpm add payload-gatekeeper
About
Payload Gatekeeper is an access control plugin for Payload CMS v3 that adds role-based authorization across collections. It creates a managed Roles collection where administrators define roles as lists of permission strings, then attaches a role relationship field to the user collections you choose.
Permissions follow a dotted namespace convention such as `users.read` or `media.*`, with `*` matching everything, so a super admin role can be expressed as a single wildcard. The plugin generates the full permission set for every collection automatically, so you do not hand-maintain a permission registry. It also separates UI visibility from CRUD access: a `collection.manage` permission controls whether the collection appears in the admin panel, while `collection.read|create|update|delete` govern the data operations. Non-authenticated requests fall back to a configurable public role that defaults to read access on non-auth collections, and auth collections like users are always protected from public access regardless of the public role settings.
Configuration is per collection. You can place the role field in a named tab, the sidebar, or a numeric position, set a default role for new signups, and have the first user in an admin collection automatically receive the `super_admin` role. Roles can be marked `protected` to prevent edits, scoped with `visibleFor` so they only appear on relevant user collections, and synced on init during development or when explicitly enabled. Custom application permissions such as `event-management.export` can be registered alongside the generated ones and are organized into groups in the role editor.
The plugin targets Payload v3 with React 19 and ships dual ESM/CJS builds. It does not enforce row-level ownership, so patterns like "users can only edit their own profile" need separate handling. Permission checks can be skipped entirely via a config flag, which is useful for seeding and migration runs.
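The permission model described above, sketched as an added example that is not the plugin's own code. The names `matches`, `hasPermission`, `canAccess`, the role objects and the exact matching rule are assumptions made for illustration.

```typescript
// Added illustration; all names here are hypothetical, not the plugin's API.
type Role = { name: string; permissions: string[] };
type User = { role: Role } | null; // null = unauthenticated request

// Assumed matching rule: exact string, "*" for everything, "ns.*" for one namespace.
function matches(granted: string, required: string): boolean {
  if (granted === "*" || granted === required) return true;
  if (granted.endsWith(".*")) {
    // Keep the trailing dot ("media.") so "media.*" cannot match "mediafiles.read".
    return required.startsWith(granted.slice(0, -1));
  }
  return false;
}

function hasPermission(role: Role, required: string): boolean {
  return role.permissions.some((p) => matches(p, required));
}

// Constructed sample data. The public role lists users.read on purpose,
// to show that auth collections stay closed to the public anyway.
const AUTH_COLLECTIONS = new Set<string>(["users"]);
const publicRole: Role = {
  name: "public",
  permissions: ["posts.read", "media.read", "users.read"],
};
const superAdmin: Role = { name: "super_admin", permissions: ["*"] };
const editor: Role = { name: "editor", permissions: ["media.*", "posts.read"] };

// op is one of: manage (admin panel visibility), read, create, update, delete.
function canAccess(user: User, collection: string, op: string): boolean {
  const required = `${collection}.${op}`;
  if (user === null) {
    // Auth collections are never reachable through the public role.
    if (AUTH_COLLECTIONS.has(collection)) return false;
    return hasPermission(publicRole, required);
  }
  return hasPermission(user.role, required);
}

// Reading a collection does not imply seeing it in the admin panel.
console.log(canAccess({ role: editor }, "posts", "read"));   // true
console.log(canAccess({ role: editor }, "posts", "manage")); // false
```

Because the check is purely string-based, it says nothing about which document is being touched, which is why row-level ownership needs separate handling.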
Package info
- Package name: payload-gatekeeper
- Latest version: 1.1.0
- Unpacked size: 404 kB
- License: MIT
- Weekly downloads: 112
- Last publish: Aug 18, 2025
Similar plugins
More in Auth
Subscribers
Manage subscribers and channels with magic link authentication.
TOTP
Add an extra layer of security with Time-based One-time Passwords (TOTP).
payload-auth
Integrates Better Auth for enhanced authentication in Payload CMS.
RBAC permissions UI
Adds a permissions management UI for roles in Payload CMS.
OAuth2
OAuth2 plugin for Payload CMS, enabling integration with various providers.
Auth WorkOS
Integrates WorkOS for OAuth-based user authentication in Payload CMS.