Support passing payload-token into local API operations

[robertmalicke]

This discussion is to add functionality to the local payload server API so that the auth token payload-token can be passed into it to get the current user. If users would like to adopt a server-first approach in nextjs with server components and server actions, then they will be using the local API, and they will have a payload-token as a cookie. They will need to exchange a payload-token to get the current user.

Current possibilities:

1. Provide guidance on how users can verify the JWT from payload-token. If the JWT is verified, they can trust the email field (or other custom claims) and then simply use the local API find() operation on a collection. This could be adding a verifyToken() operation on the local API.
2. Provide an operation on the local API that takes a current-token and returns the user, only if the token is not-tampered

Currently, it seems unclear how we are supposed to use the local API to authorize users. It is nice to leverage the /api/user/login endpoint to set a cookie, but then what are we supposed to do with it in a server action or component?

Thanks for all your hard work!

[robertmalicke]

The solution is to use payload.auth({ headers: request.headers }). Thanks to Jarrod and Great Forrest Way for posting this answer. Leaving here and closing for the community record.