Gatekeeper
Adds role-based access control to Payload CMS v3 with wildcard permissions, auto-generated permissions per collection, and a managed Roles collection.
Installation
pnpm add payload-gatekeeper
About
Payload Gatekeeper is an access control plugin for Payload CMS v3 that adds role-based authorization across collections. It creates a managed Roles collection where administrators define roles as lists of permission strings, then attaches a role relationship field to the user collections you choose. Permissions follow a dotted namespace convention such as `users.read` or `media.*`, with `*` matching everything, so a super admin role can be expressed as a single wildcard. The plugin generates the full permission set for every collection automatically, so you do not hand-maintain a permission registry.

It also separates UI visibility from CRUD access: a `collection.manage` permission controls whether the collection appears in the admin panel, while `collection.read|create|update|delete` govern the data operations. Non-authenticated requests fall back to a configurable public role that defaults to read access on non-auth collections, and auth collections like users are always protected from public access regardless of the public role settings.

Configuration is per collection. You can place the role field in a named tab, the sidebar, or a numeric position, set a default role for new signups, and have the first user in an admin collection automatically receive the `super_admin` role. Roles can be marked `protected` to prevent edits, scoped with `visibleFor` so they only appear on relevant user collections, and synced on init during development or when explicitly enabled. Custom application permissions such as `event-management.export` can be registered alongside the generated ones and are organized into groups in the role editor.

The plugin targets Payload v3 with React 19 and ships dual ESM/CJS builds. It does not enforce row-level ownership, so patterns like "users can only edit their own profile" need separate handling. Permission checks can be skipped entirely via a config flag, which is useful for seeding and migration runs.
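The matching rules described above (exact permission, `namespace.*`, bare `*`, public fallback with auth collections excluded, and `manage` kept apart from CRUD), sketched as an added example. This is not the plugin's own code: the function names, config shape and sample roles are assumptions made for illustration.

```javascript
// Added illustration: models the permission semantics described above.
// It is not payload-gatekeeper's source; all function names are hypothetical.

// True when one granted permission string covers the required one.
function grants(granted, required) {
  if (granted === '*' || granted === required) return true;
  if (granted.endsWith('.*')) {
    // Keep the trailing dot so 'media.*' covers 'media.read'
    // but not a look-alike namespace such as 'mediafiles.read'.
    return required.startsWith(granted.slice(0, -1));
  }
  return false;
}

function hasPermission(permissions, required) {
  return permissions.some((p) => grants(p, required));
}

// Data operations: read | create | update | delete.
function canAccess(user, collection, operation, cfg) {
  const required = `${collection}.${operation}`;
  if (user) return hasPermission(user.role.permissions, required);
  // Unauthenticated: auth collections stay closed whatever the public role lists.
  if (cfg.authCollections.includes(collection)) return false;
  return hasPermission(cfg.publicRole.permissions, required);
}

// Admin-panel visibility is a separate permission from the CRUD operations.
function isVisibleInAdmin(user, collection) {
  return Boolean(user) && hasPermission(user.role.permissions, `${collection}.manage`);
}

// Constructed sample configuration and users (assumed shapes).
const cfg = {
  authCollections: ['users'],
  // 'users.read' is a deliberate misconfiguration to exercise the guard.
  publicRole: { permissions: ['posts.read', 'media.read', 'users.read'] },
};
const superAdmin = { role: { permissions: ['*'] } };
const editor = { role: { permissions: ['posts.read', 'posts.update', 'media.*'] } };

console.log('public read users:', canAccess(null, 'users', 'read', cfg));
console.log('editor sees posts in admin:', isVisibleInAdmin(editor, 'posts'));
```

In this model an editor can update posts through the API without the collection appearing in the admin panel, which is the visibility/CRUD split the description refers to.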
Package info
- Package name: payload-gatekeeper
- Latest version: 1.1.0
- Unpacked size: 404 kB
- License: MIT
- Weekly downloads: 112
- Last publish: Aug 18, 2025
More from sSeewald