Operations not allowed

After adding the Dgraph.Authorization directive as in here: Using Firebase Authentication - GraphQL every mutation / query became unusable

Shared instance of v21.03.0-78-ge4ad0b113


  • Dgraph Cloud (GraphQL feature)
  • Dgraph On-Prem (EE)
  • Dgraph (community edition)


type User {
  username: String! @id @search(by: [hash])
  displayName: String
  avatarImg: String
  nodes: [Node] @hasInverse(field: "createdBy")

type Node
    query: {
      rule: """
            query($USER: String!) {
                queryNode {
                    createdBy(filter: { username: { eq: $USER } }) {
  ) {
  id: ID!
  title: String!
  topic: String!
  externalId: String
  description: String
  url: String
  date: String
  origin: String
  thumbnailUrl: String
  createdBy: User!
  attachedTo: Node
  approvedConnections: [Node] @hasInverse(field: "attachedTo")

Dgraph.Authorization {“JWKUrl”:“jwk-url”, “Namespace”: "dgraph-namespace, “Audience”: [“project-id”], “Header”: “X-Auth-Token”}

I verified the kid parameter from JWKUrl and IdToken and it matches
I verified that the Audience matches the aud parameter of IdToken and it matches
I verified that the USER field under custom claim matches the username of User whose node is being queried and it matches
I verified the IdToken itself to make sure it didn’t expire.

I used the generated queryNode, getNode, getUser and queryUser operations

query MyQuery {
  queryNode(filter: {id: "0x1a4fdf3e72"}) {
  getUser(username: "Whatever") {
  queryUser(filter: {username: {eq: "Whatever"}}) {


  "data": null,
  "errors": [
      "message": "Operations not allowed -- [queryNode getUser queryUser]"

It doesn’t really matter what query / mutation is run because all of them are unusable regardless of the @auth directive. Users cannot be queried / mutated either. Even when the @auth directive is removed, the problem persists.

Sometimes the issue can be the grouping of queries. In GraphQL each block is individual. If you use a block that is protected and other that is not. It can prompt you for the one that is blocked blocking all the others until you solve the blocking one.

Other thing is, make sure you have followed all steps and the JWKURL is correct. From the google APIs perspective or any other. Maybe you are missing some permission in your google console.