Client Side Token

“All the APIs documented here require an API token for access.” - This does not seem to be true.

I have no problems connecting to Slash Dgraph via Apollo (Angular or React). I have created an authentication token, but how do I prevent someone without it from connecting?


This should be clarified. The “APIs documented here” should specifically state that it is referring to the API endpoints listed on THIS page: /admin

This can be seen in the last example on the page:

curl 'https://<your-backend>/admin' \
  -H 'X-Auth-Token: <your-token>' \
  -H 'Content-Type: application/json' \
  --data-binary '{"query":"{ getGQLSchema { schema } }"}'

I believe this wording is due to conflicting changes where multiple endpoints have been combined into the admin endpoint. I think @careyaaron3000 or @damian might be the right people to tag to review this.

If you specifically need to add API token access to the /graphql endpoint, then you should look at the @auth directive. If you have a use case for blocking all access to the /graphql endpoint beyond what is possible with @auth, then this might be able to be turned into a feature request instead.
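A sketch of how the @auth directive mentioned in the reply above is attached to a type in a Dgraph GraphQL schema. It is an added example, not part of the thread and not Dgraph's own code. The Todo type, its fields, the X-My-App-Auth header, the USER claim, the namespace URL and the key placeholder are all assumed names.

```graphql
# Added example: type, field, header and claim names are hypothetical.
type Todo @auth(
  # Read rule: return only rows whose owner equals the USER claim
  # taken from the verified JWT. No valid JWT means no matching rows.
  query: { rule: """
    query ($USER: String!) {
      queryTodo(filter: { owner: { eq: $USER } }) { id }
    }
  """ },
  # Write rules: the same ownership check for add, update and delete.
  add: { rule: """
    query ($USER: String!) {
      queryTodo(filter: { owner: { eq: $USER } }) { id }
    }
  """ },
  update: { rule: """
    query ($USER: String!) {
      queryTodo(filter: { owner: { eq: $USER } }) { id }
    }
  """ },
  delete: { rule: """
    query ($USER: String!) {
      queryTodo(filter: { owner: { eq: $USER } }) { id }
    }
  """ }
) {
  id: ID!
  text: String!
  owner: String! @search(by: [hash])
}

# The last schema line tells Dgraph which request header carries the JWT
# and how to verify it. The key below is a placeholder, not a real value.
# Dgraph.Authorization {"VerificationKey":"<your-signing-secret>","Header":"X-My-App-Auth","Namespace":"https://my.app.example/jwt/claims","Algo":"HS256"}
```

Rules like these restrict what each request can read or change per type; the /graphql endpoint itself still accepts connections, and a type with no @auth rules stays readable without a token. The exact form of the Dgraph.Authorization line has differed between Dgraph releases, so check it against the version your backend runs.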