Auth
When building a GraphQL endpoint, you’ll probably have to face the question of how to control who can see and interact with the data in your API. This typically involves authentication (determining who you are) and authorization (determining if you have access). In this collection, we’ll cover strategies and best practices for both.
There are a number of useful patterns for GraphQL auth. Depending on how much control you need, this collection presents a variety of auth strategies from generic to fine-grained.
Khalil Stemmler
Developer Advocate
Blog post
A guide to authentication in GraphQL
Note: If you’re not yet familiar with GraphQL, take a look at my other post first and come back later — you’ll get more out of it. Update 2018: This post is from early 2016. Check out the best practices we recommend for authentication and authorization. In this post, I want to talk about how you might go about […]
Blog post
Authorization in GraphQL
Update: Auth now available in Apollo Router Apollo has shipped our new authentication and authorization features as built-in Router features. Checkout the launch post: https://www.apollographql.com/blog/graphql/security/enforcing-graphql-security-best-practices-with-graphos/ At some point (probably pretty early on) when building a GraphQL endpoint, you’ll probably have to face the question of how to control who can see and interact with the […]
Docs
Authentication in Apollo Client
Apollo Client uses the ultra flexible Apollo Link that includes several options for authentication. These official docs describe these options.
Docs
Authentication in Apollo Server
The official docs on how to authorize users and control permissions in your GraphQL API.
Talk
How to Auth: Secure a GraphQL API with Confidence
Authentication and authorization can be the trickiest things to implement for a GraphQL API. From custom schema directives to middleware to tokens, Mandi Wise covers the complexities, nuances, and available options for adding auth to your GraphQL API so you can deploy it with confidence.
Blog Post
The Ultimate Guide to handling JWTs on frontend clients (GraphQL)
JWTs (JSON Web Token, pronounced ‘jot’) are becoming a popular way of handling auth. This post aims to demystify what a JWT is, discuss its pros/cons and cover best practices in implementing JWT on the client-side, keeping security in mind. Although, we’ve worked on the examples with a GraphQL clients, but the concepts apply to any frontend client.
