Restrict visibility of graphql mutation and queries

I would like to whitelist [or whatever the politically correct wording of that is nowadays] access to specific graphql mutations/queries for all users.

As Dgraph autogenerates CRUD interfaces for everything, I’d like to clamp down on that and only expose things i decide should be exposed.

How would i go about doing that?

Look at the docs for the @auth directive.


Which part, specifically? I seem to have missed it.

Hey @davidLeonardi,

The docs about the @auth directive can be found here.

1 Like

Here are the @auth docs.

You can form appropriate JWT token, and pass it to the GraphQL API, which will decide based on that token whether someone can perform the query/mutation they are trying to do. So, if you don’t want all your users to have access to certain queries/mutations, then you can have a schema with auth rules like this:

type Country @auth(
	query: { rule: "{$ROLE: { eq: \"ADMIN\"}}"},
	add: { rule: "{$ROLE: { eq: \"ADMIN\"}}"},
	update: { rule: "{$ROLE: { eq: \"ADMIN\"}}"},
	delete: { rule: "{$ROLE: { eq: \"ADMIN\"}}"}
	id: ID!
	name: String! @search(by: [hash])

Then just don’t issue your users a JWT token containing ROLE as ADMIN, and they won’t be able to perform any query/mutation for type Country.

We are in the process of updating our docs at present, so expect better docs in a couple of days.