What is Payload CMS? The In-Depth CIO Guide to the Code-First Headless CMS (2026)

Payload CMS is the code-first headless CMS of the Next.js ecosystem: MIT-licensed, self-hosted, with auth and access control in the core. The in-depth decision-maker guide – substitution, the Figma acquisition, Payload vs. Sanity, GDPR, cost.
5 min readMatthias RadscheitMatthias Radscheit
Happycodingen-US

TL;DR

Payload is a code-first, MIT-licensed headless CMS built on TypeScript that runs natively inside Next.js applications since version 3: the data model lives as code, the database (PostgreSQL) sits in your infrastructure, and authentication and access control are part of the core – no license fees, no content-SaaS subscription. It replaces Strapi, Directus, Contentful-class SaaS and homegrown CMS builds. Since the Figma acquisition (2025), Payload has strong commercial backing; the MIT license remains the structural safeguard. For editorially driven multi-channel content, Sanity remains the stronger choice – we deliberately use both and draw the honest line in this guide.

  • Payload is code-first: the data model lives as TypeScript configuration in the repository – versioned, reviewable, CI/CD-ready.
  • Next.js-native since Payload 3: CMS, admin panel and website run in one application and one deployment – your database, your infrastructure.
  • MIT license without feature gating: auth, access control, localisation and versioning are in the open-source core, not an enterprise tier.
  • The Figma acquisition (2025) provides commercial backing – and the MIT license remains the structural safeguard for the extreme case.
  • Payload vs. Sanity is not a religion: app-adjacent content with data sovereignty → Payload; collaborative editorial at scale → Sanity.
  • The honest limit: without TypeScript competence in the team (or a partner), Payload forfeits its biggest advantage.
Definition: Payload CMS
Payload is an open-source headless CMS built on TypeScript (MIT license) that runs as a code-first system directly inside Next.js applications: data models are defined as configuration in code, content lives in your own database (PostgreSQL or MongoDB), and authentication, access control, versioning and localisation are part of the core. Since 2025, Payload is part of Figma.

By 2026, the headless CMS landscape has sorted itself into two camps: content-as-a-service platforms that manage content in their cloud (Contentful, Sanity, Storyblok), and self-hosted systems where data and runtime stay in-house. Payload is the most prominent representative of a third, younger idea: the CMS is no longer a separate system but part of the application itself – same repository, same deployment, same language. For decision-makers this is more than developer convenience: it changes cost structure, data sovereignty and the operating model.

What Payload does differently, technically

Three architectural decisions define Payload – and explain why it established itself so quickly in the Next.js ecosystem:

  • Config as code: collections, fields, validation and access rules are defined as TypeScript configuration – not clicked together. The data model lives in the Git repository, goes through code review and CI/CD, and is reproducible across environments. For governance, that is a fundamental difference: every schema change is traceable, testable and revertible.
  • Next.js-native since version 3: Payload installs into the Next.js application. Admin panel, APIs and website share one deployment; the Local API allows data access without HTTP round-trips directly in server rendering. In practice: one repository, one pipeline, one hosting – instead of CMS instance plus front end plus synchronisation.
  • Your database instead of a content cloud: content lives in PostgreSQL (or MongoDB) on your infrastructure. Backups, encryption, retention and deletion policies follow your rules – not a content-SaaS contract.

Which products does Payload CMS replace?

Payload occupies the intersection of headless CMS, application backend and admin framework. Depending on your starting point, it substitutes different systems:

SystemModelWhen Payload is the alternative
Strapiopen-source headless CMS (Node.js), open corewhen you want TypeScript end-to-end, Next.js integration and features without enterprise gating
Directusdatabase-centric open-source CMS/backendwhen the data model should live in code rather than a database UI
Contentful / content SaaScontent-as-a-service, usage/seat-based planswhen subscription costs, data sovereignty or API limits argue against the cloud
WordPress + ACF (headless)PHP ecosystem with field pluginswhen the PHP/plugin stack should give way to a typed TypeScript stack
Homegrown CMS/admin buildcustom backend with admin UIPayload replaces the custom build: admin, auth and CRUD are solved, your logic joins as hooks and endpoints
Firebase/BaaS for content appsBaaS data storage without editorial UIwhen content needs a real editorial interface with roles and approvals

The last row is worth noting: because Payload ships authentication, roles and access control in its core, it often replaces not just the CMS but half the application backend – customer portals, member areas and internal tools grow on the same foundation as the content.

The advantages of a code-first open-source CMS

  • No license and no content-SaaS costs: the MIT license knows no feature gating – localisation, versioning, auth and access control cost nothing extra. The cost curve tracks your infrastructure, not entries, API calls or editor seats.
  • Data sovereignty as architecture: content, users and media live in your database on EU infrastructure. GDPR questions (storage location, processing, deletion) are answered by the architecture, not a contract annex.
  • One stack, one deployment: CMS and application share TypeScript, repository and pipeline. Fewer interfaces, fewer deployments, fewer systems for a team to master.
  • Extensibility without platform limits: hooks, custom endpoints, custom React components in the admin – business logic becomes part of the system instead of a workaround beside it.
  • Exit security: standard PostgreSQL plus MIT code in your own repository – there is simply no vendor who could withdraw the service or dictate terms.
  • Auth included: login, roles, API keys and field-level access rules are core features – for many projects a separate auth system becomes unnecessary (the boundary to full IAM below).

The Figma acquisition: what it means for decision-makers

In 2025, Figma acquired Payload – for an open-source project of this size a defining event, and one that rightly gets questioned in evaluations. The sober assessment: in the short term, the acquisition means commercial backing, a full-time team and growing visibility – Payload is better funded than most open-source CMS. In the medium term, strategic uncertainty remains about how strongly the roadmap will serve Figma use cases. The structural safeguard is the MIT license: the entire core including the admin panel is open, forkable, and keeps running on your infrastructure – on your terms, independent of product decisions in San Francisco. Treat the acquisition as what it is: a governance fact that belongs in the decision record – not a knockout criterion, but not a sales pitch without context either.

Payload vs. Sanity: the honest line, drawn from using both

We implement both systems – which is exactly why this comparison belongs here, without tribalism. The systems optimise for different priorities:

CriterionPayloadSanity
Core modelcode-first, self-hosted, part of the Next.js appcontent lake as a service, Studio as the interface
Data storageyour PostgreSQL/MongoDB instance (EU, self-hosted)Sanity cloud (content lake), governed by contract
Cost model€0 license; cost = infrastructure + projectfree tier; Teams from ~$15/user/month (as of July 2026)
Editorial collaborationsolid (versions, drafts, live preview)best in class (real-time collaboration, presence, comments)
Structured multi-channel contentgood (blocks, relations)reference class (Portable Text, GROQ, releases)
Auth & access controlincluded in core, field-levelStudio roles; app auth is solved separately
Typical sweet spotapp-adjacent content, portals, data sovereignty, no SaaS subscriptioneditorially driven sites, large content teams, multi-channel

Our rule of thumb from projects: if the endeavour is an application with content (portal, product, internal tools) or demands strict data sovereignty, the path leads to Payload. If it is an editorially driven content platform with many authors and channels, Sanity plays its strengths – as described on our Sanity service page. In between, the individual case decides.

The architecture in 90 seconds

Payload organises content in collections (pages, articles, products, users) and globals (singletons like navigation or settings). Fields range from primitives via relations to blocks – reusable content components for page-builder patterns. Hooks run logic on read and write operations (validation, enrichment, webhooks); access-control functions govern permissions per collection, document or field. Externally, three APIs speak: REST and GraphQL for external consumers, and the Local API for latency-free access inside your own Next.js server. The admin panel is React – customisable down to individual field components and views. Versioning, drafts, scheduled publishing, localisation and live preview are core features.

When Payload fits – and when it does not

Honest is honest, even for a system we like to use. Payload does not fit if no TypeScript competence is available and no partner carries operations – a code-first CMS without code competence forfeits its core advantage. It also does not fit when large editorial teams need real-time collaboration (then Sanity), or when all you need is a lean marketing site with minimal IT (then managed platforms are legitimate too). Payload plays to its strengths with customer portals and applications with editorial components, strict data-sovereignty requirements, Next.js teams reducing system boundaries – and wherever content-SaaS subscriptions or CMS license models stop making economic sense.

Operations and cost for decision-makers

The calculation follows the familiar open-source pattern: license zero, cost in project and operations. A focused Payload setup sits at €8,000–20,000 in our project classes, a full application with portal features at €20,000–60,000; EU operations (for us typically Hetzner with PostgreSQL) in the low three-digit monthly range. The structural difference to content SaaS: no cost per editor seat, entry or API call – and the database is yours from day one. Where Payload’s built-in auth ends and real IAM begins is covered in our Keycloak guide.

Frequently asked questions

Can Payload CMS be operated in a GDPR-compliant way?
Yes, structurally: Payload runs self-hosted, content and user data live in your own database on EU infrastructure – no content cloud, no third-country transfer in the core. Storage location, backups, retention and deletion follow your policies. What remains are the services you choose to connect. We typically operate Payload setups on Hetzner in Germany.
What does Payload CMS really cost?
The software: nothing – MIT license without feature gating, no cost per user, entry or API call. What you actually budget is project and operations: a focused setup from €8,000–20,000, a full application €20,000–60,000, operations in the low three-digit monthly range. The benchmark is content-SaaS subscriptions that grow with editor seats and usage.
Which systems does Payload replace, concretely?
Headless CMS like Strapi, Directus or Contentful-class SaaS, headless WordPress+ACF – and frequently the homegrown application backend with admin UI, because auth, roles and CRUD are in the core. It does not replace specialised systems like PIM or ERP – it integrates them.
What does the Figma acquisition mean for future-proofing?
Two-sided, but manageable: the acquisition (2025) brings funding, a full-time team and visibility – roadmap authority now sits with Figma, though. The structural safeguard is the MIT license: core and admin are open and forkable, and your deployment keeps running independent of product decisions. Both belong in the decision record.
Payload or Sanity – which is better?
Wrong question – they optimise for different priorities, and we deliberately implement both: Payload for app-adjacent content, portals and strict data sovereignty (self-hosted, auth in core); Sanity for editorially driven multi-channel platforms with real-time collaboration in large content teams. The choice follows your editorial model and data-sovereignty requirement, not the hype.
Payload or Strapi – the most common comparison?
Both are open-source Node CMS; the differences lie in the model: Payload is consistently code-first and TypeScript-native, runs inside the Next.js app since version 3, and keeps core features free of enterprise gating. Strapi configures more through the admin UI and moves several enterprise features into paid tiers. For Next.js/TypeScript teams, Payload is usually the more consistent choice today.
Is Payload’s built-in authentication enough – or do we need Keycloak?
For application login, roles and API access within the Payload application: yes, it is fully capable. Once single sign-on across multiple applications, directory federation (Active Directory) or company-wide identity management come into play, an IAM like Keycloak belongs in front – Payload then connects as an OIDC client. The two do not exclude each other; they are two layers.
How does a migration from WordPress or a SaaS CMS work?
Plannable in three steps: translate the data model into Payload collections (the most valuable step – legacy clutter gets dropped), import content via script over REST/Local API, and secure redirects and SEO migration. Effort drivers are content quality and edge cases in the legacy system, not Payload. With SaaS sources, the vendor’s export path is added.
Does Payload scale for large installations?
Yes – the limits are set by your chosen infrastructure, not the CMS: PostgreSQL scales proven, Next.js instances scale horizontally, media lives in object storage, caching and CDN handle delivery. For load peaks, the operating concept decides; the Local API also avoids internal HTTP overhead.
What team prerequisites does Payload need?
TypeScript competence – that is the honest ticket. The data model lives in code; whoever maintains it must read and change code. Editors, in contrast, work in a modern admin panel without technical hurdles. Without an internal TypeScript team, Payload works well in a partner model: setup and evolution external, editorial internal.

Sources

Related articles

Open for select projects

Let's talk about your project

Book a no-obligation call, send us an email, or use the form – we'd love to hear from you.

150+
Completed projects
15
Years of experience
8
Senior‑level team members