Auth
When building a GraphQL endpoint, you’ll probably have to face the question of how to control who can see and interact with the data in your API. This typically involves authentication (determining who you are) and authorization (determining if you have access). In this collection, we’ll cover strategies and best practices for both.
- Backend
- Frontend
“There are a number of useful patterns for GraphQL auth. Depending on how much control you need, this collection presents a variety of auth strategies from generic to fine-grained.”

Developer Advocate
Docs | Apollo Client uses the ultra-flexible Apollo Link, which includes several options for authentication. These official docs describe those options.
Docs | The official docs on how to authorize users and control permissions in your GraphQL API.
Talk | Authentication and authorization can be the trickiest things to implement for a GraphQL API. From custom schema directives to middleware to tokens, Mandi Wise covers the complexities, nuances, and available options for adding auth to your GraphQL API so you can deploy it with confidence. | Mandi Wise
Blog Post | JWTs (JSON Web Tokens, pronounced ‘jot’) are becoming a popular way of handling auth. This post aims to demystify what a JWT is, discuss its pros and cons, and cover best practices for implementing JWTs on the client side with security in mind. Although the examples use a GraphQL client, the concepts apply to any frontend client. | Hasura
Related collections
GraphQL for Android
By Martin Bonnin
- Frontend
- Mobile
GraphQL Tooling and Code-gen
By Kurt Kemple
- Backend
- Frontend
- GraphOS
- How-to
Caching & State Management with Apollo Client
By Khalil Stemmler
- Frontend
Production Ready Graphs
By Kurt Kemple
- Backend
- GraphOS
- How-to
Federation 101
By Khalil Stemmler
- Backend
- GraphOS
Error Handling with Apollo
By Kurt Kemple
- Backend
- Frontend