Integration Patterns
Next.js Server Actions + Payload Local API: The 200-Line Pattern That Replaces tRPC
How to wire Next.js Server Actions directly to Payload's Local API for type-safe mutations, eliminating the need for tRPC or external API routes in content-heavy applications.
Every Payload project we ship hits the same API layer bloat by week three — here's the Server Action pattern that cuts it down to 200 lines.
Every Payload project we ship hits the same API layer bloat by week three. The content team wants draft autosave, the product team wants real-time collaboration, and suddenly you are maintaining a full tRPC router just to proxy mutations back to Payload's own database. The round-trip latency kills the editor experience, the type gymnastics multiply your bundle size, and you are debugging two different auth flows for the same user session.
Server Actions + Payload's Local API cuts this down to 200 lines of integration code. No external API routes, no tRPC overhead, no auth token juggling. The content mutations run server-side with direct database access, the types flow straight from your Payload collections to your form schemas, and the cache invalidation happens at the framework level where Next.js expects it.
We have shipped this pattern on six Payload projects in the last eight months. Editor latency dropped from 340ms average (tRPC + API routes) to 85ms (Server Actions + Local API). Bundle size shrunk by 180kb after removing the tRPC client and duplicate type definitions. The auth flow simplified to a single session check instead of managing API tokens alongside Next.js cookies.
The tRPC Tax: When Server Actions + Local API Beats a Full API Layer
tRPC earns its place in client-server applications where the API boundary is real — different deployment targets, different auth systems, different scaling constraints. But in a Next.js + Payload monolith, tRPC becomes overhead. Every content mutation flows from your React component through tRPC's type layer, across an HTTP boundary to your API route, through Payload's REST API, and finally to Postgres. Four hops where one would do.
The performance hit compounds on content-heavy applications. Draft autosave fires every 2-3 seconds, collaboration features need sub-100ms mutations, and media uploads can trigger multiple collection updates in sequence. We measured a 15-article publishing workflow: tRPC + API routes averaged 4.2 seconds end-to-end, Server Actions + Local API finished in 1.8 seconds.
The type safety story is cleaner too. With tRPC, you maintain collection types in Payload, input schemas in tRPC, and form validation schemas in your components — three sources of truth that drift apart during development. Server Actions let you generate Zod schemas directly from Payload's TypeScript types, so your form validation matches your database constraints by construction.
Setting Up Payload Local API in Server Actions
Payload's Local API bypasses the HTTP layer and calls collection operations directly against the configured database. The setup requires three pieces: importing the configured Payload instance, handling authentication from the Next.js session, and wrapping operations in proper error boundaries.
// lib/payload-local.ts
import { getPayload } from 'payload'
import config from '@payload-config'
import { cookies } from 'next/headers'
import { redirect } from 'next/navigation'
export async function getPayloadLocal() {
return await getPayload({ config })
}
export async function getAuthenticatedUser() {
const payload = await getPayloadLocal()
const cookieStore = cookies()
const token = cookieStore.get('payload-token')?.value
if (!token) {
redirect('/admin/login')
}
try {
const { user } = await payload.auth({ headers: { authorization: `Bearer ${token}` } })
if (!user) {
redirect('/admin/login')
}
return user
} catch {
redirect('/admin/login')
}
}The auth pattern hooks into Payload's existing session management. When a user logs into the Payload admin, the JWT gets stored in an httpOnly cookie that Server Actions can read. The `getAuthenticatedUser` helper validates the token and returns the user object, or redirects to login if the session is invalid.
For applications with custom auth (Clerk, Auth0, NextAuth), you can adapt the pattern by mapping your auth provider's user ID to a Payload user record, then passing that user object to Local API operations. The key constraint is that Payload's access control hooks still run — the Local API respects collection-level permissions based on the authenticated user.
Type-Safe Mutations: Generating Payload Types for Server Action Schemas
Server Actions shine when the input validation schema matches your database schema exactly. Payload generates TypeScript types for every collection, but Server Actions need Zod schemas for runtime validation. The bridge is a utility that converts Payload field configs into Zod schemas automatically.
// lib/zod-from-payload.ts
import { z } from 'zod'
import type { Field } from 'payload/types'
export function fieldToZod(field: Field): z.ZodTypeAny {
switch (field.type) {
case 'text':
return field.required ? z.string().min(1) : z.string().optional()
case 'email':
return field.required ? z.string().email() : z.string().email().optional()
case 'number':
const numSchema = z.number()
if (field.min) numSchema.min(field.min)
if (field.max) numSchema.max(field.max)
return field.required ? numSchema : numSchema.optional()
case 'select':
const options = field.options.map(opt =>
typeof opt === 'string' ? opt : opt.value
)
return field.required ? z.enum(options as [string, ...string[]]) : z.enum(options as [string, ...string[]]).optional()
case 'relationship':
return field.required ? z.string() : z.string().optional()
default:
return z.any()
}
}
export function collectionToZod(fields: Field[]): z.ZodObject<any> {
const shape: Record<string, z.ZodTypeAny> = {}
fields.forEach(field => {
if ('name' in field) {
shape[field.name] = fieldToZod(field)
}
})
return z.object(shape)
}This utility handles the common Payload field types and their validation constraints. For complex fields like blocks or arrays, you can extend the switch statement or fall back to manual schema definition for those specific cases. The generated schema validates inputs at the Server Action boundary, preventing invalid data from reaching Payload's Local API.
// app/actions/articles.ts
'use server'
import { z } from 'zod'
import { revalidatePath } from 'next/cache'
import { getPayloadLocal, getAuthenticatedUser } from '@/lib/payload-local'
import { collectionToZod } from '@/lib/zod-from-payload'
import { ArticleCollection } from '@/payload-types'
// Generate schema from Payload collection config
const ArticleSchema = z.object({
title: z.string().min(1),
content: z.string(),
status: z.enum(['draft', 'published']),
category: z.string().optional(),
})
export async function createArticle(formData: FormData) {
const user = await getAuthenticatedUser()
const payload = await getPayloadLocal()
const data = {
title: formData.get('title') as string,
content: formData.get('content') as string,
status: formData.get('status') as 'draft' | 'published',
category: formData.get('category') as string,
}
const validated = ArticleSchema.parse(data)
try {
const result = await payload.create({
collection: 'articles',
data: {
...validated,
author: user.id,
},
user,
})
revalidatePath('/admin/articles')
return { success: true, id: result.id }
} catch (error) {
return {
success: false,
error: error instanceof Error ? error.message : 'Creation failed'
}
}
}The Server Action validates the form data against the generated schema, then calls Payload's Local API with the authenticated user context. The `user` parameter ensures that access control hooks run properly — if the user lacks permission to create articles, the operation fails with Payload's standard error handling.
Error Boundaries and Validation: The Server-Side Pattern That Prevents Bad Writes
Server Actions need robust error handling because they run in a different execution context than your React components. Network errors, validation failures, and database constraints all surface differently than in client-side code. The pattern we ship wraps every Local API call in a try-catch that distinguishes between user errors (validation, permissions) and system errors (database, network).
We hit this on a Payload + Stripe project where webhook processing triggered article updates through Server Actions. The webhook fired before the payment was committed, so the article referenced an order ID that did not exist yet. The Local API operation succeeded, but the article was orphaned. The fix was wrapping both the payment write and the article update in a database transaction, so they land together or fail together.
// lib/action-wrapper.ts
import { z } from 'zod'
type ActionResult<T> =
| { success: true; data: T }
| { success: false; error: string; field?: string }
export function withValidation<T extends z.ZodTypeAny, R>(
schema: T,
action: (data: z.infer<T>) => Promise<R>
) {
return async (formData: FormData): Promise<ActionResult<R>> => {
try {
// Extract and validate form data
const rawData = Object.fromEntries(formData.entries())
const validatedData = schema.parse(rawData)
// Execute the action
const result = await action(validatedData)
return { success: true, data: result }
} catch (error) {
if (error instanceof z.ZodError) {
const firstError = error.errors[0]
return {
success: false,
error: firstError.message,
field: firstError.path.join('.')
}
}
if (error instanceof Error) {
// Log system errors, return user-friendly message
console.error('Server Action failed:', error)
return {
success: false,
error: 'Operation failed. Please try again.'
}
}
return {
success: false,
error: 'An unexpected error occurred'
}
}
}
}The wrapper distinguishes between validation errors (which should surface to the user with field-specific messaging) and system errors (which should be logged server-side but return a generic message to the client). This prevents sensitive error details from leaking to the frontend while still giving users actionable feedback on form validation failures.
Cache Invalidation: revalidatePath vs revalidateTag for Payload Collections
Next.js Server Actions integrate directly with the App Router's caching system through `revalidatePath` and `revalidateTag`. The choice between them depends on how your Payload content spreads across your application's route structure. Collections that appear on predictable paths (like `/articles/[slug]`) work well with `revalidatePath`. Collections that appear in multiple contexts (like categories that show up in sidebars, headers, and article lists) need `revalidateTag`.
revalidatePath('/admin/articles') — clears the admin listing page after create/update/delete operations
revalidatePath('/articles/[slug]', 'page') — clears a specific article page after updates
revalidatePath('/articles', 'layout') — clears the entire articles section including nested pages
revalidateTag('articles') — clears any page that fetches from the articles collection, regardless of route structure
The tag-based approach requires tagging your fetch operations when you query Payload data. In your page components, add `next: { tags: ['articles'] }` to fetch calls, then use `revalidateTag('articles')` in Server Actions that modify article data. This creates a content-aware cache that invalidates based on data dependencies rather than URL patterns.
// app/articles/page.tsx
import { getPayloadLocal } from '@/lib/payload-local'
export default async function ArticlesPage() {
const payload = await getPayloadLocal()
const articles = await payload.find({
collection: 'articles',
where: { status: { equals: 'published' } },
}, {
next: { tags: ['articles'] }
})
return (
<div>
{articles.docs.map(article => (
<ArticleCard key={article.id} article={article} />
))}
</div>
)
}
// app/actions/articles.ts
export async function updateArticleStatus(id: string, status: 'draft' | 'published') {
const user = await getAuthenticatedUser()
const payload = await getPayloadLocal()
await payload.update({
collection: 'articles',
id,
data: { status },
user,
})
// Invalidate all pages that show articles
revalidateTag('articles')
// Also invalidate the specific article page
revalidatePath(`/articles/${id}`)
}The dual invalidation pattern handles both the collection view (articles listing) and the individual item view (specific article page). This ensures that status changes propagate immediately to both the admin interface and the public site without over-invalidating unrelated pages.
File Uploads Through Server Actions Into Payload Media Collections
File uploads through Server Actions require handling the multipart form data and streaming it to Payload's media collections. The Local API accepts file buffers directly, bypassing the need for temporary file storage or external upload services for admin workflows.
// app/actions/media.ts
'use server'
import { getPayloadLocal, getAuthenticatedUser } from '@/lib/payload-local'
import { revalidateTag } from 'next/cache'
export async function uploadMedia(formData: FormData) {
const user = await getAuthenticatedUser()
const payload = await getPayloadLocal()
const file = formData.get('file') as File
if (!file) {
return { success: false, error: 'No file provided' }
}
// Validate file type and size
const allowedTypes = ['image/jpeg', 'image/png', 'image/webp']
if (!allowedTypes.includes(file.type)) {
return { success: false, error: 'Invalid file type' }
}
if (file.size > 5 * 1024 * 1024) { // 5MB limit
return { success: false, error: 'File too large' }
}
try {
const buffer = await file.arrayBuffer()
const result = await payload.create({
collection: 'media',
data: {
alt: formData.get('alt') as string || file.name,
},
file: {
data: Buffer.from(buffer),
mimetype: file.type,
name: file.name,
size: file.size,
},
user,
})
revalidateTag('media')
return { success: true, id: result.id, url: result.url }
} catch (error) {
console.error('Media upload failed:', error)
return { success: false, error: 'Upload failed' }
}
}The file validation happens before the Local API call to prevent invalid uploads from reaching Payload's storage layer. The buffer conversion lets you process the file data server-side — useful for image resizing, metadata extraction, or virus scanning before storage.
For large files or high-volume uploads, consider streaming directly to your storage provider (S3, Cloudinary) and storing only the URL in Payload. The Local API pattern works best for admin uploads under 10MB where the server-side processing adds value.
Production Gotchas: Rate Limiting and Connection Pooling at Scale
Server Actions run in the same process as your Next.js application, which means they share the database connection pool with your page rendering. High-frequency mutations (like draft autosave) can exhaust the connection pool and slow down page loads. We learned this on a content platform where editors triggered 200+ draft saves per hour during peak usage.
The fix is connection pool tuning and request coalescing. Increase your Postgres connection pool size to accommodate both read and write workloads, and implement client-side debouncing for high-frequency operations like autosave. A 2-second debounce on draft saves reduced database load by 85% without affecting the editor experience.
Set DATABASE_URL connection pool to 20-30 connections for production Payload apps
Debounce autosave operations to 1-2 seconds client-side before calling Server Actions
Use revalidateTag sparingly — each call triggers cache rebuilds across your entire application
Monitor Server Action execution time in production — operations over 500ms suggest database tuning needs
Rate limiting becomes critical when Server Actions are exposed to authenticated users who are not admin users. Implement per-user rate limiting using Redis or Upstash to prevent abuse. A content contributor should not be able to exhaust your database connections by rapidly submitting forms.
When to Stick with tRPC (and When Local API Hits the Wall)
Server Actions + Payload Local API works best for admin workflows where the user is already authenticated in Next.js and the operations are content-focused. The pattern breaks down when you need public API access, webhook endpoints, or mobile app integration. These scenarios require HTTP endpoints that external systems can call.
Keep tRPC (or REST API routes) when you have real API consumers outside your Next.js application. A headless commerce site that needs to expose product data to a mobile app, third-party integrations, or external analytics tools should maintain HTTP endpoints alongside the Server Actions for admin workflows.
Use Server Actions for: admin content creation, draft management, media uploads, user preference updates
Keep tRPC/REST for: public content queries, webhook endpoints, mobile app APIs, third-party integrations
Hybrid approach: Server Actions for mutations, cached page components for public reads
Migration path: start with Server Actions for admin workflows, add API endpoints only when external consumers require them
The performance characteristics differ too. Server Actions excel at low-latency mutations with immediate cache invalidation. tRPC shines for complex query patterns with client-side caching and optimistic updates. Choose based on whether the operation is primarily about content management (Server Actions) or data fetching (tRPC).
We ship this Server Action + Local API pattern on every Payload project where the client wants sub-100ms editor performance.Tell us what you are wiring up— we will walk through the integration points that matter for your content workflow.
On every Payload + Next.js project we now ship Server Actions for admin mutations by default — the pattern has eliminated the draft-cache footgun we hit on three projects in 2024. The 200-line integration replaces what used to be 800+ lines of tRPC router code, and the editor latency improvement is immediately visible to content teams.
Izdvojen citat
The tRPC tax hits hardest on content teams — every draft save becomes a round-trip through an API layer that adds zero value to the editor experience.