Add Payload to a Next.js app with code-first collections, admin UI, database adapters, access control, Local API usage, uploads, migrations, and production CMS safety review.
The download URL is Payload's external source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows., Payload installation can add backend routes, an admin panel, database adapters, generated types, migrations, REST/GraphQL APIs, uploads, and auth surfaces; review the resulting route map before merging., Do not commit `PAYLOAD_SECRET`, database URLs, S3-compatible storage keys, email provider credentials, webhook secrets, OAuth secrets, or copied dashboard values., Run migrations, schema changes, seed scripts, collection rewrites, file moves, and adapter changes only against the intended environment after backup and rollback review., The Payload Local API can bypass network boundaries and has access-control options that must be set deliberately; do not use `overrideAccess` casually in user-facing routes., Admin users, access rules, field visibility, upload permissions, live preview URLs, and draft/publish workflows are authorization surfaces that need tests., If GraphQL or REST APIs are exposed, review depth, select/populate behavior, relationship traversal, hidden fields, rate limits, and authentication before production use., Uploads and image processing can read local files, write object storage, generate derivatives, and expose media URLs; validate file types, sizes, access rules, and storage retention.
Privacy notes
Payload can store editor accounts, customer content, drafts, versions, media files, metadata, auth records, access-control context, API responses, and admin activity., Local API calls, seed scripts, build logs, migration logs, previews, screenshots, issue reports, and AI prompts can expose private content, hidden fields, user records, upload paths, or database details., Use synthetic content, fake users, and non-production media for examples, demos, bug reports, screenshots, and AI-assisted troubleshooting., Avoid sending full documents, unpublished drafts, user records, media binaries, access tokens, object-storage keys, or production exports into prompts or public issues., Review Payload, database, storage, deployment, analytics, email-provider, and AI-assistant retention policies before using real editor or customer content.
Current risk score 16/100. Use staged verification before broader rollout.
Risk 16
Pre-adoption checks
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Done
Confirm metadata review state
Listing has review metadata.
Done
Verify install payload
Install/config payload exists and can be inspected.
Done
Security checks
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Done
Review privacy notesRequired
Privacy notes are present.
Done
Verify package integrity metadata
No package verification/checksum metadata.
Pending
Rollout
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Pending
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Pending
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Pending
Evidence readiness
Evidence readiness matrix · balanced
Required evidence gates are covered (5/6 signals complete).
Risk 15
Source provenance
Present
Source repository/provenance is listed.
Required in this preset
Metadata review
Present
Review metadata is present.
Required in this preset
Safety notes
Present
Safety notes are present.
Required in this preset
Privacy notes
Present
Privacy notes are present.
Optional in this preset
Package integrity
Missing
Package integrity metadata is missing.
Optional in this preset
Install payload
Present
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
Decision timeline · balanced
5/6 steps complete with no blocking gaps for this preset.
Risk 14
triage
Confirm source provenanceRequired
Source/provenance metadata is available.
Done
triage
Check metadata review statusRequired
Review metadata is available.
Done
verify
Review safety notesRequired
Safety notes are available.
Done
verify
Review privacy notes
Privacy notes are available.
Done
verify
Validate package integrity metadata
Package integrity metadata is missing.
Pending
rollout
Verify install payload and commandsRequired
Install payload is available.
Done
No required blockers for this timeline preset.
Prerequisite readiness
Prerequisite readiness
7 prerequisites to line up before setup. Have accounts and credentials ready first.
0/7 ready
Account & credentials2Network & hosting2General3
Safety & privacy surface
Safety & privacy surface
8 safety and 5 privacy notes across 6 risk areas. Review closely: credentials & tokens, permissions & scopes, network access, third-party handling.
6 areas
SafetyNetwork accessThe download URL is Payload's external source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
SafetyPermissions & scopesPayload installation can add backend routes, an admin panel, database adapters, generated types, migrations, REST/GraphQL APIs, uploads, and auth surfaces; review the resulting route map before merging.
SafetyLocal filesRun migrations, schema changes, seed scripts, collection rewrites, file moves, and adapter changes only against the intended environment after backup and rollback review.
SafetyNetwork accessThe Payload Local API can bypass network boundaries and has access-control options that must be set deliberately; do not use `overrideAccess` casually in user-facing routes.
SafetyPermissions & scopesAdmin users, access rules, field visibility, upload permissions, live preview URLs, and draft/publish workflows are authorization surfaces that need tests.
SafetyGeneralIf GraphQL or REST APIs are exposed, review depth, select/populate behavior, relationship traversal, hidden fields, rate limits, and authentication before production use.
SafetyNetwork accessUploads and image processing can read local files, write object storage, generate derivatives, and expose media URLs; validate file types, sizes, access rules, and storage retention.
PrivacyPermissions & scopesPayload can store editor accounts, customer content, drafts, versions, media files, metadata, auth records, access-control context, API responses, and admin activity.
PrivacyNetwork accessLocal API calls, seed scripts, build logs, migration logs, previews, screenshots, issue reports, and AI prompts can expose private content, hidden fields, user records, upload paths, or database details.
PrivacyGeneralUse synthetic content, fake users, and non-production media for examples, demos, bug reports, screenshots, and AI-assisted troubleshooting.
PrivacyCredentials & tokensAvoid sending full documents, unpublished drafts, user records, media binaries, access tokens, object-storage keys, or production exports into prompts or public issues.
PrivacyThird-party handlingReview Payload, database, storage, deployment, analytics, email-provider, and AI-assistant retention policies before using real editor or customer content.
Safety notes
The download URL is Payload's external source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
Payload installation can add backend routes, an admin panel, database adapters, generated types, migrations, REST/GraphQL APIs, uploads, and auth surfaces; review the resulting route map before merging.
Do not commit `PAYLOAD_SECRET`, database URLs, S3-compatible storage keys, email provider credentials, webhook secrets, OAuth secrets, or copied dashboard values.
Run migrations, schema changes, seed scripts, collection rewrites, file moves, and adapter changes only against the intended environment after backup and rollback review.
The Payload Local API can bypass network boundaries and has access-control options that must be set deliberately; do not use `overrideAccess` casually in user-facing routes.
Admin users, access rules, field visibility, upload permissions, live preview URLs, and draft/publish workflows are authorization surfaces that need tests.
If GraphQL or REST APIs are exposed, review depth, select/populate behavior, relationship traversal, hidden fields, rate limits, and authentication before production use.
Uploads and image processing can read local files, write object storage, generate derivatives, and expose media URLs; validate file types, sizes, access rules, and storage retention.
Privacy notes
Payload can store editor accounts, customer content, drafts, versions, media files, metadata, auth records, access-control context, API responses, and admin activity.
Local API calls, seed scripts, build logs, migration logs, previews, screenshots, issue reports, and AI prompts can expose private content, hidden fields, user records, upload paths, or database details.
Use synthetic content, fake users, and non-production media for examples, demos, bug reports, screenshots, and AI-assisted troubleshooting.
Avoid sending full documents, unpublished drafts, user records, media binaries, access tokens, object-storage keys, or production exports into prompts or public issues.
Review Payload, database, storage, deployment, analytics, email-provider, and AI-assistant retention policies before using real editor or customer content.
Prerequisites
Next.js application or migration branch with a supported Next.js version, Node.js runtime, and package manager.
Database adapter decision for MongoDB, Postgres, SQLite, or another currently supported Payload adapter.
Content model plan for collections, globals, fields, relationships, drafts, versions, localization, and editor workflows.
`PAYLOAD_SECRET`, database connection strings, storage credentials, email credentials, and deployment secrets managed through local, preview, staging, and production configuration.
Admin panel route, public site route group, API route, REST/GraphQL exposure, and Local API usage plan.
Access control, authentication, role, tenant, editor, preview, and publishing-workflow requirements.
File upload, image processing, media storage, migration, backup, and rollback plan for production content.
.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursor
Adapter
.cursor/rules/<skill-name>.mdc
cli
Manual
AGENTS.md or tool-specific context file
Full copyable content
# Trigger
"Apply the Payload Next.js CMS backend skill to this app."
# Required output
1) Current Next.js, database, content model, auth, and file-storage inventory
2) Payload package, app route group, config, collection, adapter, and API plan
3) Access control, Local API, upload, migration, and deployment checklist
4) Safety, privacy, editor-data, secret, and rollback notes
About this resource
Knowledge Freshness
This skill is based on Payload's official overview, installation docs,
configuration docs, Local API docs, and payloadcms/payload repository reviewed
on 2026-06-04. The current docs describe Payload as a Next.js full-stack
framework with a code-first config, React admin panel, automatic database
schema, REST and GraphQL APIs, Local API access, auth, access control, uploads,
live preview, and migrations. The installation docs currently show
payload @payloadcms/next, optional rich-text/image/GraphQL packages, and
database adapters such as MongoDB, Postgres, and SQLite.
Prefer the live Payload docs and official repository over model memory for
supported Next.js versions, Node.js requirements, adapter packages, route group
structure, config options, migration behavior, Local API defaults, and
deployment guidance.
Scope Note
Use this skill for Payload-backed content, admin, media, and backend work inside
Next.js applications. It is not a generic CMS comparison, not a replacement for
content governance, and not permission to expose editor data, admin routes, or
production media without explicit access-control review.
Core Workflow
Inventory the current Next.js version, Node.js runtime, package manager,
router structure, /src usage, app route groups, existing CMS/data layer,
auth provider, file storage, API routes, and deployment platform.
Confirm whether Payload is being added to an existing Next.js app, scaffolded
with create-payload-app, or migrated from another CMS or internal admin
backend.
Check the current Payload installation requirements for supported Next.js
versions, Node.js version, package manager support, database compatibility,
and any cache-component limitations before editing the app.
Add payload and @payloadcms/next with the project package manager, then
select only the needed optional packages such as rich text, image
processing, GraphQL, or upload-related dependencies.
Choose the database adapter deliberately. Document MongoDB, Postgres, SQLite,
or another adapter package, connection string handling, migration workflow,
local/preview/staging/production separation, and backup path.
Add or review the Payload route group and required app files without
overwriting unrelated frontend routes. Keep the public app route group,
Payload admin/API route group, layouts, middleware, and route handlers clear.
Create or review payload.config.ts with collections, globals, fields,
database adapter, auth collections, upload collections, admin settings,
access rules, hooks, plugins, localization, and TypeScript output paths.
Model content from real editorial workflows: drafts, versions, slugs,
relationships, localization, media, redirects, SEO fields, preview URLs,
publishing approvals, and migration needs.
Review access control at collection, field, operation, tenant, role, and
preview boundaries. Treat editor roles and admin permissions as production
authorization logic, not UI configuration.
Use the Local API deliberately from React Server Components, route handlers,
seed scripts, hooks, and access-control functions. Pass request context when
transactions or access checks require it.
Review overrideAccess, showHiddenFields, depth, select, populate,
pagination, document locks, and file upload options before using Local API
calls in user-facing paths.
Produce a rollout plan covering migrations, generated types, seeds,
admin-user setup, uploads, storage, preview URLs, REST/GraphQL exposure,
backups, rollback, monitoring, and editor smoke tests.
Access model: admin users, public readers, editors, publishers, tenant roles,
hidden fields, protected media, and API permissions.
API exposure plan for Local API, REST, GraphQL, custom route handlers, hooks,
webhooks, and background jobs.
Production Rules
Never add Payload routes without reviewing the full route map. Admin, REST,
GraphQL, upload, preview, and custom route handlers must have intentional
auth and access behavior.
Keep PAYLOAD_SECRET, database credentials, storage keys, email credentials,
webhook secrets, and auth provider credentials out of source control and
client bundles.
Treat Payload access control as security-critical code. Test positive and
negative cases for public reads, editor writes, admin-only actions, tenant
isolation, field-level visibility, and hidden fields.
Use the Local API with explicit access decisions. The default server-side
power is useful, but user-facing calls should not bypass access checks by
accident.
Review generated migrations, generated types, seed scripts, and adapter
changes before applying them to staging or production.
Validate upload collections for MIME type, file size, image processing,
storage bucket, derivative generation, filename behavior, public URL exposure,
and delete/retention rules.
Keep examples and AI prompts synthetic. Do not paste unpublished content,
admin screenshots, media URLs, user records, database exports, or production
migration logs into public channels.
Include rollback limits honestly. Some content/schema/media changes require a
restore from backup or a forward-fix migration rather than a clean revert.
Compatibility
Native
Claude Code / Claude: use as a reusable Agent Skill for planning,
implementing, reviewing, and operating Payload-backed Next.js CMS/admin
features.
Codex/OpenAI workflows: use as SKILL.md-style instructions when editing
Next.js codebases that add Payload config, collections, adapters, admin UI,
uploads, or content APIs.
Manual Adaptation
Cursor, Windsurf, Gemini, and Generic AGENTS files: adapt the trigger,
workflow, safety notes, privacy notes, and output contract into repository
rules for Payload CMS and admin-backend work.
Output Contract
Source evidence: Payload docs and repository URLs reviewed, with date.
Inventory: Next.js/runtime versions, route groups, CMS/data layer, auth,
storage, APIs, deployment, and current content model.
Payload install fails: verify Node.js, supported Next.js version range,
package manager, peer dependency guidance, and database adapter package.
Admin routes conflict with the app: inspect route groups, layouts,
middleware, and copied Payload app files before moving public frontend routes.
Local API exposes hidden or unauthorized data: review overrideAccess,
showHiddenFields, select, populate, depth, user, and request
context for the call site.
Migrations or generated types drift: regenerate from the current config,
review generated SQL or artifacts, and confirm whether the repo treats them
as source-owned or generated output.
Uploads work locally but fail in production: verify storage adapter,
bucket credentials, file-size limits, MIME allowlists, image processing,
public URL configuration, and deletion/retention behavior.
Preview or draft content leaks: review preview URL signing, draft access,
published filters, role checks, CDN caching, and screenshot/log handling.
Duplicate Check
No existing upstream content file uses the payload-nextjs-cms-backend slug
or official Payload documentation/repository URLs.
Existing Next.js, database, auth, upload, and generic admin/backend entries
remain distinct because this skill is specifically scoped to Payload's
Next.js integration, Payload config, database adapters, Local API, admin
panel, uploads, access control, and CMS rollout safety.
Editorial Disclosure
This is a source-backed community content entry submitted by oktofeesh1.
There is no paid placement, affiliate link, sponsorship, or maintainer-verified
package artifact attached to this listing.
Show that Payload Next.js CMS Backend Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/payload-nextjs-cms-backend)
How it compares
Payload Next.js CMS Backend Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
Add Payload to a Next.js app with code-first collections, admin UI, database adapters, access control, Local API usage, uploads, migrations, and production CMS safety review.
Add Better Auth to a Next.js App Router project with API route handlers, database-backed sessions, client helpers, protected route checks, and production auth safety review.
Build Inngest-backed Next.js workflows with event triggers, durable steps, local Dev Server testing, API route serving, retries, concurrency, and production deployment review.
✓The download URL is Payload's external source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
Payload installation can add backend routes, an admin panel, database adapters, generated types, migrations, REST/GraphQL APIs, uploads, and auth surfaces; review the resulting route map before merging.
Do not commit `PAYLOAD_SECRET`, database URLs, S3-compatible storage keys, email provider credentials, webhook secrets, OAuth secrets, or copied dashboard values.
Run migrations, schema changes, seed scripts, collection rewrites, file moves, and adapter changes only against the intended environment after backup and rollback review.
The Payload Local API can bypass network boundaries and has access-control options that must be set deliberately; do not use `overrideAccess` casually in user-facing routes.
Admin users, access rules, field visibility, upload permissions, live preview URLs, and draft/publish workflows are authorization surfaces that need tests.
If GraphQL or REST APIs are exposed, review depth, select/populate behavior, relationship traversal, hidden fields, rate limits, and authentication before production use.
Uploads and image processing can read local files, write object storage, generate derivatives, and expose media URLs; validate file types, sizes, access rules, and storage retention.
✓The download URL is Convex's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
`convex dev` logs in, creates or connects a cloud dev deployment, writes deployment URLs, and syncs backend functions; confirm the target account and project first.
Treat `convex import`, migrations, table rewrites, backfills, deletes, and scheduled functions as data-mutating operations that need environment confirmation.
Do not commit Convex deployment secrets, auth provider secrets, API keys for actions, webhook secrets, or copied dashboard values.
Keep client-exposed values such as `NEXT_PUBLIC_CONVEX_URL` separate from server-only secrets used by actions, auth providers, integrations, or external APIs.
Review generated APIs, table indexes, pagination, and query fan-out before shipping realtime screens that could overload clients or expose broad datasets.
When actions call external services or LLM APIs, add timeout, retry, logging, rate-limit, and secret-handling guidance before production use.
✓The download URL is Better Auth's external source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
Do not commit Better Auth secrets, OAuth provider secrets, database URLs, email-provider credentials, API-key plugin secrets, or copied dashboard values.
Run schema generation or migrations only against the intended database environment; auth tables, sessions, accounts, and verification records are production-critical.
Treat route protection as server-side authorization work. UI hiding, optimistic middleware redirects, or cookie existence checks are not full access control.
Review `proxy.ts` or `middleware.ts` behavior by Next.js version before relying on database-backed session checks inside request middleware.
Keep OAuth callback URLs, base URLs, trusted origins, and cookie settings environment-specific to avoid broken login loops or cross-environment session confusion.
Track Better Auth release notes and security advisories before introducing auth flows or enabling advanced plugins in production.
Add rollback steps before replacing an existing auth provider because user, account, session, and verification tables can affect active logins.
✓The download URL is Inngest's external JavaScript SDK source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
The official quickstart documents both package installation and a CLI install path for the Dev Server; review shell installers before piping remote scripts into a shell.
Inngest functions can send email, charge billing systems, call LLMs, write databases, enqueue follow-up work, and retry failed steps; design idempotency before production use.
Do not commit Inngest signing keys, event keys, dashboard tokens, API keys used inside steps, webhook secrets, or copied dashboard values.
Confirm the target Inngest environment before syncing functions, sending events, replaying runs, testing webhooks, or invoking workflows from the Dev Server UI.
Keep event names and schemas explicit. Broad catch-all events, copied production payloads, and unvalidated event data can trigger unintended work.
Review retry policies, concurrency, rate limits, cancellation, durable step behavior, and deployment timeouts before moving request work into asynchronous functions.
For AI workflows, document model calls, human approval points, tool side effects, token cost controls, and what happens when a step retries after partial completion.
Privacy notes
✓Payload can store editor accounts, customer content, drafts, versions, media files, metadata, auth records, access-control context, API responses, and admin activity.
Local API calls, seed scripts, build logs, migration logs, previews, screenshots, issue reports, and AI prompts can expose private content, hidden fields, user records, upload paths, or database details.
Use synthetic content, fake users, and non-production media for examples, demos, bug reports, screenshots, and AI-assisted troubleshooting.
Avoid sending full documents, unpublished drafts, user records, media binaries, access tokens, object-storage keys, or production exports into prompts or public issues.
Review Payload, database, storage, deployment, analytics, email-provider, and AI-assistant retention policies before using real editor or customer content.
✓Convex can store user records, app data, realtime query results, auth identifiers, scheduled job state, file metadata, logs, and action inputs or outputs.
Client queries, browser traces, app logs, error trackers, screenshots, and AI prompts can expose document IDs, user IDs, table names, deployment URLs, or sampled records.
Use synthetic seed data for examples, imports, demos, issue reports, screenshots, and AI-assisted troubleshooting.
Review Convex, auth-provider, deployment-provider, analytics, external API, and AI-assistant retention policies before using real customer data.
If Convex actions call LLMs, payment systems, email providers, or webhooks, document what user data leaves Convex and where it is retained.
✓Better Auth handles user identity, email addresses, password-auth state, OAuth profile data, sessions, cookies, accounts, verification tokens, and plugin-specific user data.
Application logs, error trackers, request traces, AI prompts, and screenshots can retain user IDs, emails, callback URLs, cookies, session state, or OAuth provider details.
Use synthetic users and test OAuth applications for examples, demos, issue reports, screenshots, and AI-assisted troubleshooting.
If organization, API key, two-factor, passkey, or SSO plugins are enabled, treat membership, roles, credentials, and device metadata as sensitive authorization data.
Review Better Auth, database, deployment-provider, analytics, email-provider, and AI-assistant retention policies before using real customer identity data.
✓Inngest events, function inputs, step outputs, errors, logs, traces, Dev Server runs, and dashboard history can contain user IDs, emails, order IDs, file metadata, prompts, or webhook payloads.
Use synthetic payloads for Dev Server invokes, examples, issue reports, screenshots, demos, and AI-assisted troubleshooting.
Avoid sending raw payment data, authentication secrets, access tokens, private documents, or full customer records as event payloads; pass stable IDs and fetch data inside authorized server code when possible.
Review Inngest, deployment-provider, observability, LLM-provider, email-provider, payment-provider, and AI-assistant retention policies before using real customer data.
If workflows call LLMs or third-party APIs, document which event fields leave the app, where outputs are retained, and how retries affect duplicate external requests.
Prerequisites
Next.js application or migration branch with a supported Next.js version, Node.js runtime, and package manager.
Database adapter decision for MongoDB, Postgres, SQLite, or another currently supported Payload adapter.
Content model plan for collections, globals, fields, relationships, drafts, versions, localization, and editor workflows.
`PAYLOAD_SECRET`, database connection strings, storage credentials, email credentials, and deployment secrets managed through local, preview, staging, and production configuration.
Next.js App Router project or migration branch with a known package manager.
Convex account access and permission to create or use the target Convex project and deployment.
`NEXT_PUBLIC_CONVEX_URL` and any Convex deployment environment variables managed through local, preview, staging, and production secret configuration.
Data model plan for Convex tables, indexes, generated API functions, and client query/mutation usage.
Next.js App Router project or migration branch with a known package manager.
Database choice and adapter plan, such as Drizzle, Prisma, MongoDB, or Better Auth's built-in Kysely-backed flow.
Local, preview, staging, and production secret-management path for Better Auth secrets, OAuth client IDs, and OAuth client secrets.
Route map that separates public pages, authenticated pages, API routes, server actions, admin routes, and organization-scoped areas.
Next.js App Router project or migration branch with a known package manager.
Inngest account or local-only Dev Server plan, plus permission to create or connect the target Inngest app.
Decision on stable SDK usage versus any beta SDK documentation path before pinning package versions.
`INNGEST_DEV`, signing keys, event keys, and deployment environment variables managed through local, preview, staging, and production secret configuration.