Build a Headless Blog

This tutorial walks you through using BuildPad DaaS as a headless CMS backend for a blog — creating a posts collection, seeding content, and fetching it from a frontend.

What you’ll learn:

  • Create a custom collection via the Data Model editor
  • Create a read policy and apply it to all authenticated requests
  • Fetch posts from a frontend using a static API token

Prerequisites

  • A running BuildPad DaaS instance (see Quick Start)
  • Admin credentials

Create the posts collection

Navigate to Data Model in the DaaS Studio and click Create Collection:

  • Name: posts
  • Primary key type: integer (auto-increment)

Add the following fields:

| Field | Type | Notes |
|---|---|---|
| title | string | Required |
| slug | string | Unique |
| body | text | Rich text |
| status | string | Default: draft |
| published_at | dateTime | Nullable |

Create a read policy and a static API token

All BuildPad DaaS API requests require a valid token — there is no anonymous/unauthenticated access. The pattern for a public-facing frontend is to create a read-only policy, a dedicated reader user, and embed that user’s static token in your app.

Create the policy:

  1. Go to Policies → click Add Policy and name it (e.g., Public Read). Leave Admin access and App access off, then click Create.
  2. On the policy detail page, scroll to the Permissions section.
  3. Click Add Collection, find posts in the list, and click it — the row is added with full read access (green R badge) automatically.
  4. Click the green R badge in the posts row and select Use Custom — a modal opens.
  5. On the Field Permissions tab (shown by default), select only the fields you want to expose publicly.
  6. Switch to the Item Permissions tab and set the filter: { "status": { "_eq": "published" } }
  7. Click Save.

Create the reader user and attach the policy:

  1. Go to Users → click Add User → fill in an email (e.g. reader@your-domain.com) and a password. Leave the role unset → click Create. You’ll be redirected to the users list.
  2. Click the reader user to open it → go to the Policies tab → attach the Public Read policy you just created.
  3. Switch to the Basic Information tab → find the Token field → click the + icon button (tooltip: “Generate Token”) → copy the revealed value → click Save. This is your <public_read_token>.

Do not assign this user a role with admin or write permissions. The Public Read policy attached above is the only permission this user should have.

Create some posts

Navigate to Content → posts and create a few posts. Set at least one to status: published.

Fetch posts from your frontend

Use the static token you generated in the previous step:

curl -g "https://your-domain.com/api/items/posts?filter[status][_eq]=published&sort=-published_at&fields=id,title,slug,published_at" \
  -H "Authorization: Bearer <public_read_token>"

Fetch a single post by slug

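// URL-encode the slug so its value cannot add or override query parameters.
const res = await fetch(
  `https://your-domain.com/api/items/posts?filter[slug][_eq]=${encodeURIComponent(slug)}&filter[status][_eq]=published&fields=*`,
  { headers: { Authorization: 'Bearer <public_read_token>' } }
)
const { data } = await res.json()
const post = data[0] // undefined when no published post has this slug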
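Because the reader token ships with the frontend, the policy (not the status filter in the query string) has to be what keeps drafts and unselected fields private. The check below is an added example, not part of the BuildPad documentation: it requests posts with no status filter and fields=*, then audits the result. The names auditExposure and fetchAsReader, the ALLOWED_FIELDS selection and the sample response are assumptions made for illustration.

```javascript
// Added example: audit what the public reader token can actually see.
// Assumed names: auditExposure, fetchAsReader, ALLOWED_FIELDS, SAMPLE.

// Fields selected on the Field Permissions tab (assumed selection for this example).
const ALLOWED_FIELDS = ['id', 'title', 'slug', 'body', 'published_at'];

// Pure check over the `data` array returned by /api/items/posts.
// draftIds: ids of posts you know are drafts (look them up as admin).
function auditExposure(items, allowedFields, draftIds = []) {
  const allowed = new Set(allowedFields);
  const drafts = new Set(draftIds);
  const findings = [];
  for (const item of items) {
    const extra = Object.keys(item).filter((k) => !allowed.has(k));
    if (extra.length > 0) {
      findings.push({ id: item.id, issue: 'unexpected-field', detail: extra.sort().join(',') });
    }
    // status is only visible if the policy exposes it; draftIds covers the other case.
    const leakedByStatus = 'status' in item && item.status !== 'published';
    if (leakedByStatus || drafts.has(item.id)) {
      findings.push({ id: item.id, issue: 'unpublished-item', detail: String(item.status ?? 'known draft id') });
    }
  }
  return findings;
}

// Request everything the token may read: no status filter, fields=*.
async function fetchAsReader(baseUrl, token) {
  const res = await fetch(`${baseUrl}/api/items/posts?fields=*`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`reader request failed: HTTP ${res.status}`);
  const { data } = await res.json();
  return data;
}

// Constructed sample response showing what a misconfigured policy would return.
const SAMPLE = [
  { id: 1, title: 'Hello', slug: 'hello', body: '...', published_at: '2024-01-01T00:00:00Z' },
  { id: 2, title: 'WIP', slug: 'wip', body: '...', published_at: null, status: 'draft' },
];
```

Against a live instance, pass the result of fetchAsReader to auditExposure; an empty findings array means the item filter and field selection are enforced server-side.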

Next Steps

  • Add an author M2O field linking to daas_users
  • Add a tags M2M relation for categorisation
  • Use Content Versioning to draft posts before publishing

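For production, store <public_read_token> in an environment variable (e.g. NEXT_PUBLIC_DAAS_TOKEN) rather than hardcoding it. In Next.js, variables with the NEXT_PUBLIC_ prefix are inlined into the browser bundle, so the token is still readable by anyone who loads the site; the Public Read policy is what limits what it can do. Consider caching API responses at the CDN level using Cache-Control headers to reduce load.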
