Payload CMS

Payload is the first headless CMS designed to run natively inside a Next.js application, installing directly into your existing /app folder rather than as a separate service. It eliminates the need to sign up for another SaaS platform by giving developers a full TypeScript backend, an auto-generated admin panel, and direct database access through React Server Components — all in one codebase.

The framework supports multiple databases out of the box, including PostgreSQL, MongoDB, SQLite, and Cloudflare D1, with adapters powered by Drizzle ORM and native MongoDB drivers. Its configuration-driven architecture means REST and GraphQL endpoints, admin routes, and TypeScript types are all generated automatically from your collection and field definitions — reducing boilerplate to near zero.

Payload ships with a comprehensive plugin ecosystem covering multi-tenancy, SEO, e-commerce, cloud storage (S3, R2, Azure, Vercel Blob), form building, search, and nested document trees. One-click deployment to Vercel (with Neon and Vercel Blob) and Cloudflare (with D1 and R2) make it practical for teams that want zero infrastructure overhead while retaining full ownership of their code and data.

What You Get

• Next.js Native /app Folder Integration - Installs directly into your existing Next.js project as part of the /app directory, enabling React Server Components to query your database without any REST or GraphQL round-trips.
• Auto-Generated TypeScript Types - Generates fully typed interfaces for every collection, global, and field from your schema definition, ensuring end-to-end type safety from database to admin UI to frontend.
• Lexical Rich Text Editor - A feature-rich, block-based editor built on Meta’s Lexical engine with support for custom blocks, embeds, inline formatting, mentions, and full markdown conversion.
• Block-Based Layout Builder - Define reusable content blocks with typed fields; editors drag-and-drop them to compose complex page layouts without any custom frontend code.
• Granular Access Control - Define read, create, update, and delete permissions at the collection, document, and individual field level using async functions with full request context.
• Built-In Authentication System - Full auth out of the box with email/password, API keys, JWT tokens stored in HTTP-only cookies, and CSRF protection — extensible with custom OAuth strategies.
• Versions, Drafts, and Localization - Document-level version history with rollback, draft/publish workflows, and multi-locale content management built into the core data model.
• Swappable Database Adapters - Choose from PostgreSQL, MongoDB, SQLite, Vercel Postgres, or Cloudflare D1 — all supported through interchangeable adapters without changing your application code.
• MCP Plugin (Stable) - A production-ready Model Context Protocol plugin that exposes your Payload collections as MCP tools, letting AI agents create, read, and update content programmatically.
• One-Click Cloud Deployments - Deploy to Vercel with Neon DB and Vercel Blob, or Cloudflare Workers with D1 and R2, using a single button — no manual infrastructure configuration needed.

Common Use Cases

• Building a marketing site with a visual layout builder - A development team defines custom block types (hero, testimonials, pricing, CTA) in TypeScript, then hands the admin panel to the marketing team who composes pages by dragging and reordering blocks without touching code.
• Running a multilingual publication with editorial workflows - A media company uses Payload’s localization and versioning features to manage articles in multiple languages, with editors submitting drafts and editors-in-chief publishing approved versions.
• Developing a SaaS product with multi-tenant content isolation - A startup uses the multi-tenant plugin to give each customer an isolated admin workspace with separate data access, while sharing the same deployment and database.
• Creating a headless e-commerce store with custom product logic - A retailer uses the official e-commerce template to manage products, variants, inventory, and orders, extending it with custom hooks and access rules to implement their specific pricing and fulfillment logic.
• Powering a developer-facing API with auto-generated endpoints - A backend team defines collections in code and immediately gets REST and GraphQL APIs with filtering, pagination, depth control, and access control without writing any route handlers.
• Integrating AI tools with content via the MCP plugin - A product team exposes their Payload collections as Model Context Protocol tools, allowing LLM agents to autonomously draft, review, and publish content through the API.

Under The Hood

Architecture Payload is organized as a monorepo of 44 packages spanning core logic, database adapters, rich text engines, plugins, and storage connectors — each independently versioned and built through Turborepo’s cached pipeline. The architectural backbone is a config-first design pattern: developers declare collections, globals, fields, and plugins in a central payload.config.ts file, and the framework synthesizes REST routes, GraphQL schema, admin UI pages, TypeScript types, and an import map from that single source of truth at build time. Database adapters conform to a BaseDatabaseAdapter interface, enabling the same application code to run against PostgreSQL, MongoDB, SQLite, or Cloudflare D1 without modification. The separation between core, Next.js adapter, and UI package means the business logic layer is runtime-agnostic, while the Next.js integration layer wires it into the App Router through auto-generated route handlers under [...payload].

Tech Stack The codebase is TypeScript-first with strict compiler settings, React 19, and Next.js 16 as the primary frontend runtime. Database access uses Drizzle ORM for relational databases and native MongoDB driver for document storage, with Drizzle Kit handling schema migrations. The rich text layer is built on Meta’s Lexical editor framework. Testing runs on Vitest for unit and integration suites, Playwright with axe-core for end-to-end and accessibility testing, and tstyche for type-level assertions. Build orchestration uses Turborepo with per-package caching. The admin UI is written in SCSS modules alongside React Server and Client components, styled with a custom CSS variable theming system.

Code Quality The codebase demonstrates strong engineering discipline. Authentication, CRUD, and hook operations are each isolated into dedicated operation files with explicit transaction management, typed argument interfaces, and early-exit error handling patterns. The collection of integration tests covering access control, localization, versions, and database adapters is extensive, with Playwright e2e suites testing the admin UI against real browser interactions. ESLint with a custom plugin enforces project-specific patterns, and Prettier handles formatting. Test retry logic in CI and dedicated flakiness fixes indicate the team actively invests in test reliability. Some areas — particularly auto-generated GraphQL schema files — fall outside the lint boundary, and error handling in peripheral packages relies on Sentry for capture rather than structured typed errors.

What Makes It Unique The defining technical choice is the import map generation system: at build time, Payload scans all PayloadComponent references in the config, resolves them to their file system paths, and emits a deterministic import map that Next.js uses to code-split the admin panel. This is what makes the admin UI extensible without ejecting or forking — third-party plugins can inject components anywhere in the admin simply by referencing them in config strings like './components/MyField.tsx#default'. The newly stable TypeScript plugin (@payloadcms/typescript-plugin) extends this further by providing IDE autocomplete and go-to-definition on those component path strings, closing the loop between runtime flexibility and developer experience. Combined with the MCP plugin that exposes all collections as structured AI tool interfaces, Payload represents a CMS architecture genuinely built for the agentic development era.

Self-Hosting

Payload is released under the MIT License, which grants unrestricted rights to use, modify, distribute, and deploy the software for any purpose including commercial applications. There are no copyleft obligations, no contributor license agreements that transfer rights back to the company, and no dual-licensing that reserves features for a paid tier. The entire codebase — including all officially maintained plugins — is MIT-licensed.

Running Payload yourself means you own the full stack: Next.js application, database, file storage, and admin interface. For teams comfortable deploying Node.js applications, the operational burden is manageable — Payload’s one-click Vercel and Cloudflare templates handle infrastructure provisioning automatically, and the serverless deployment model means you don’t manage servers directly. For PostgreSQL or MongoDB deployments, you are responsible for database backups, connection pooling, index management, and major version upgrades. The admin panel runs as part of your Next.js app, so scaling and uptime are handled through your existing hosting setup.

Payload Cloud (the managed hosting product) is a separate commercial offering that adds centralized deployment management, automatic backups, and support SLAs on top of the open-source core. Teams that self-host give up the convenience of managed upgrades, one-click environment provisioning, and direct support from the Payload team. Community support is available through GitHub Discussions and an active Discord server, but there are no guaranteed response times outside of a commercial relationship. Organizations with strict compliance requirements should evaluate whether their hosting provider meets relevant certifications independently, as Payload the framework does not provide these certifications itself.