Build a Headless Blog
This tutorial walks you through using BuildPad DaaS as a headless CMS backend for a blog — creating a posts collection, seeding content, and fetching it from a frontend.
What you’ll learn:
- Create a custom collection via the Data Model editor
- Create a read policy and apply it to all authenticated requests
- Fetch posts from a frontend using a static API token
Prerequisites
- A running BuildPad DaaS instance (see Quick Start)
- Admin credentials
Create the posts collection
Navigate to Data Model in the DaaS Studio and click Create Collection:
- Name: posts
- Primary key type: integer (auto-increment)
Add the following fields:
| Field | Type | Notes |
|---|---|---|
| title | string | Required |
| slug | string | Unique |
| body | text | Rich text |
| status | string | Default: draft |
| published_at | dateTime | Nullable |
Create a read policy and a static API token
All BuildPad DaaS API requests require a valid token — there is no anonymous/unauthenticated access. The pattern for a public-facing frontend is to create a read-only policy, a dedicated reader user, and embed that user’s static token in your app.
Create the policy:
- Go to Policies → click Add Policy and name it (e.g., Public Read). Leave Admin access and App access off, then click Create.
- On the policy detail page, scroll to the Permissions section.
- Click Add Collection, find posts in the list, and click it — the row is added with full read access (green R badge) automatically.
- Click the green R badge in the posts row and select Use Custom — a modal opens.
- On the Field Permissions tab (shown by default), select only the fields you want to expose publicly.
- Switch to the Item Permissions tab and set the filter: { "status": { "_eq": "published" } }
- Click Save.
Create the reader user and attach the policy:
- Go to Users → click Add User → fill in an email (e.g. reader@your-domain.com) and a password. Leave the role unset → click Create. You’ll be redirected to the users list.
- Click the reader user to open it → go to the Policies tab → attach the Public Read policy you just created.
- Switch to the Basic Information tab → find the Token field → click the + icon button (tooltip: “Generate Token”) → copy the revealed value → click Save. This is your <public_read_token>.
Do not assign this user a role with admin or write permissions. The policy attached in step 8 is the only permission this user should have.
Create some posts
Navigate to Content → posts and create a few posts. Set at least one to status: published.
Fetch posts from your frontend
Use the static token you generated in the previous step:
curl
curl -g "https://your-domain.com/api/items/posts?filter[status][_eq]=published&sort=-published_at&fields=id,title,slug,published_at" \
  -H "Authorization: Bearer <public_read_token>"
Fetch a single post by slug
// Encode the slug so characters such as & or = cannot alter the query string
const res = await fetch(
  `https://your-domain.com/api/items/posts?filter[slug][_eq]=${encodeURIComponent(slug)}&filter[status][_eq]=published&fields=*`,
  { headers: { Authorization: 'Bearer <public_read_token>' } }
)
const { data } = await res.json()
const post = data[0] // undefined when no published post has this slug
Next Steps
- Add an author M2O field linking to daas_users
- Add a tags M2M relation for categorisation
- Use Content Versioning to draft posts before publishing
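For production, store <public_read_token> in an environment variable (e.g. NEXT_PUBLIC_DAAS_TOKEN) rather than hardcoding it. In Next.js, variables prefixed with NEXT_PUBLIC_ are inlined into the browser bundle, so the token is still visible to visitors; the Public Read policy is what limits what it can read. Consider caching API responses at the CDN level using Cache-Control headers to reduce load.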
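Because the reader token ships with the frontend, the read policy is the only control on what it can fetch. The following is an added example, not part of BuildPad DaaS or the original tutorial: it builds query URLs with proper encoding and probes the API with the reader token to confirm that drafts and unselected fields stay hidden. `BASE_URL`, `ALLOWED_FIELDS` and the function names are assumptions made for illustration.

```javascript
// Added example (not BuildPad code). BASE_URL and ALLOWED_FIELDS are assumptions:
// set ALLOWED_FIELDS to the fields you selected on the Field Permissions tab.
const BASE_URL = 'https://your-domain.com/api/items/posts'
const ALLOWED_FIELDS = ['id', 'title', 'slug', 'body', 'status', 'published_at']

// Build a posts query. URLSearchParams percent-encodes keys and values, so a
// slug containing "&" or "=" stays one value and cannot add or override filters.
function postsUrl(filters, fields = '*') {
  const params = new URLSearchParams({ fields })
  for (const [field, value] of Object.entries(filters)) {
    params.set(`filter[${field}][_eq]`, value)
  }
  return `${BASE_URL}?${params}`
}

// List everything in a response's data array that the policy should have withheld.
function findLeaks(rows, allowedFields = ALLOWED_FIELDS) {
  const leaks = []
  for (const row of rows) {
    if ('status' in row && row.status !== 'published') {
      leaks.push(`item ${row.id}: status "${row.status}" is readable`)
    }
    for (const key of Object.keys(row)) {
      if (!allowedFields.includes(key)) leaks.push(`item ${row.id}: field "${key}" is exposed`)
    }
  }
  return leaks
}

// Probe the API with the reader token: ask for drafts, then for all fields of
// all items, and collect leaks. A refused request (non-2xx) exposes nothing.
async function auditReaderToken(token, fetchImpl = fetch) {
  const headers = { Authorization: `Bearer ${token}` }
  const leaks = []
  for (const url of [postsUrl({ status: 'draft' }), postsUrl({})]) {
    const res = await fetchImpl(url, { headers })
    if (!res.ok) continue
    const { data } = await res.json()
    leaks.push(...findLeaks(data ?? []))
  }
  return leaks
}
```

Run `auditReaderToken` with the reader token after each policy change; an empty array means neither probe returned a draft or a field outside the allow-list.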