When building a GraphQL endpoint, you’ll probably have to face the question of how to control who can see and interact with the data in your API. This typically involves authentication (determining who you are) and authorization (determining if you have access). In this collection, we’ll cover strategies and best practices for both.


There are a number of useful patterns for GraphQL auth. Depending on how much control you need, this collection presents a variety of auth strategies, from coarse (one authenticated-or-not gate in front of the whole API) to fine-grained (per-type and per-field rules).

Khalil Stemmler
Developer Advocate

Authentication in Apollo Client

Apollo Client's request pipeline is built on Apollo Link, which gives you several ways to attach credentials to outgoing requests (for example, setting an Authorization header from a context link, or sending cookies with the request). The official docs describe these options.


The official docs on how to authorize users and control permissions in your GraphQL API.


Authentication and authorization can be the trickiest things to implement for a GraphQL API. From custom schema directives to middleware to tokens, Mandi Wise covers the complexities, nuances, and available options for adding auth to your GraphQL API so you can deploy it with confidence.

Mandi Wise

Blog Post

JWTs (JSON Web Tokens, pronounced "jot") are becoming a popular way of handling auth. This post aims to demystify what a JWT is, discuss its pros and cons, and cover best practices for implementing JWT on the client side with security in mind. The examples use GraphQL clients, but the concepts apply to any frontend client.
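The client-side half of the JWT flow, and the piece an Apollo Link would carry, as an added example that is not code from this page or from the linked post: the access token is kept in memory rather than in localStorage, its `exp` claim is checked (with a skew allowance) before each request so a stale token is dropped instead of sent, and the function returns the `{ headers }` object that a context link built with `setContext` from `@apollo/client/link/context` is expected to return. The `tokenStore` object, `makeSampleToken` helper and the 30-second skew are assumptions for illustration.

```javascript
// Added example, not from the page or the linked post. tokenStore,
// makeSampleToken and the skew value are assumptions for illustration.

// In-memory holder: a page reload loses it (so you re-authenticate or refresh),
// but script injected by an XSS cannot just read it out of localStorage.
const tokenStore = { accessToken: null };

function setAccessToken(jwt) { tokenStore.accessToken = jwt; }

// base64url -> text, working in both browsers (atob) and Node (Buffer).
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
}

// Decode the payload WITHOUT verifying it. The client has no signing key and
// must not act as if it could verify; the decode only serves exp scheduling
// and UI hints, the server's verification is the only one that counts.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(base64UrlDecode(parts[1])); } catch { return null; }
}

// Treat the token as expired a little early to absorb clock skew and latency.
function isUsable(jwt, now = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  const p = decodePayload(jwt);
  return !!p && typeof p.exp === 'number' && p.exp - skewSeconds > now;
}

// Per-request headers. Wiring into Apollo Link looks like:
//   const authLink = setContext((_operation, { headers }) => authHeaders(headers));
function authHeaders(prevHeaders = {}, now) {
  const token = tokenStore.accessToken;
  if (!token || !isUsable(token, now)) {
    tokenStore.accessToken = null; // drop it; the caller should refresh or re-login
    return { headers: { ...prevHeaders } };
  }
  return { headers: { ...prevHeaders, authorization: `Bearer ${token}` } };
}

// Constructed, unsigned sample token so the example runs offline. The server
// would reject it; it only exercises the client-side exp handling above.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}
```

Dropping an expired token before sending it avoids a round trip that the server will reject anyway, and keeping the header logic in one function means the refresh path only has to call `setAccessToken` again.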


