Sam Julien - Becoming a “Secret” Agent: Securing Your GraphQL Backend with JWTs

About Sam

Hi, I’m Sam, an Angular GDE and Collaborator, a Sr. Developer Advocate Engineer at Auth0, and the creator of and GetAJobIn.Tech. I’m also an author for and egghead. My favorite thing in the world is sitting outside drinking good scotch next to a fire I built myself.

Becoming a “Secret” Agent: Securing Your GraphQL Backend with JWTs

Are you confused about how authentication and authorization relate to GraphQL APIs? You’re not alone! It’s no secret that learning auth is hard on its own, let alone on top of GraphQL. In this talk, Sam will show how to demystify auth while learning how to use JSON Web Tokens (JWTs) with GraphQL APIs! After discovering why controlling access to APIs is so challenging and ways that can be used to solve it, Sam will step through how to handle authorization in the GraphQL server. This talk will use JavaScript examples, but the principles will apply to other tech. By the end, you’ll feel a whole lot better about tackling auth in GraphQL!


Asking on behalf of @gotjoshua:

Do you know how to work with JWE (the encrypted version of JWT)?

1 Like

Here is an ongoing thread:

Hi Sam. Do you have any advice/resources/best practices for integrating Auth0 with a React Native mobile app using Expo? The stack for the project I’m working on is React Native/Expo, GraphQL/Apollo Client on the client with Node/Express GraphQL/Apollo Server, and Prisma/Postgres on the backend.

From what I gather, I would have to eject from Expo to use the react-native-auth0 module from this guide. Do you have any resources or know any approaches others have used to integrate Auth0 into a React Native/Expo project without ejecting from Expo?

Most server-side authorization implementations I have seen involve checking permissions from the JWT’s scopes at the start of each type-resolver function. This means – for example – that a query may execute multiple database queries before reaching a nested resolver that fails a permissions check. Besides resulting in a poor user experience for big/deep queries that take longer, this scenario would also waste slash-graphql query credits.

Are there recommended ways to verify all permissions on all resolvers related to the query before query execution to avoid unnecessary computation time?

The best I can think of is adding middleware that will do a traversal of the query AST to check permissions required by each resolver before invoking the root resolver(s).
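The pre-execution AST traversal the question above describes, as an added JavaScript example that is not part of the talk or this thread: the scope map, type map and query document are constructed here, and the AST shape mirrors graphql-js (kind/name/selectionSet) but is built by hand so the snippet runs without the graphql package.

```javascript
// Assumed per-field scope requirements, keyed by "ParentType.field".
const REQUIRED_SCOPES = {
  'Query.orders': ['read:orders'],
  'Order.customer': ['read:customers'],
  'Customer.email': ['read:pii'],
};

// Assumed return types so nested selections can be keyed by their parent type.
const FIELD_TYPES = { 'Query.orders': 'Order', 'Order.customer': 'Customer' };

// Walk a selection set depth-first, collecting scopes the token does not grant.
function collectMissingScopes(selectionSet, parentType, granted, missing) {
  for (const sel of selectionSet.selections) {
    if (sel.kind === 'InlineFragment') {
      // An inline fragment narrows the type but still selects fields; recurse.
      const t = sel.typeCondition ? sel.typeCondition.name.value : parentType;
      collectMissingScopes(sel.selectionSet, t, granted, missing);
      continue;
    }
    if (sel.kind !== 'Field') continue;
    const key = `${parentType}.${sel.name.value}`;
    for (const scope of REQUIRED_SCOPES[key] || []) {
      if (!granted.has(scope)) missing.add(scope);
    }
    if (sel.selectionSet) {
      collectMissingScopes(sel.selectionSet, FIELD_TYPES[key] || parentType, granted, missing);
    }
  }
  return missing;
}

// Pre-execution check over the whole document: returns the sorted list of
// scopes the verified JWT lacks. An empty list means no resolver needs to be
// blocked; a non-empty list lets the server reject before any database work.
function authorizeDocument(document, tokenScopes) {
  const granted = new Set(tokenScopes);
  const missing = new Set();
  for (const def of document.definitions) {
    if (def.kind !== 'OperationDefinition') continue;
    const root = def.operation === 'query' ? 'Query' : 'Mutation';
    collectMissingScopes(def.selectionSet, root, granted, missing);
  }
  return [...missing].sort();
}

// Constructed AST for: { orders { id customer { name email } } }
const field = (name, selections) => ({ kind: 'Field', name: { value: name },
  ...(selections ? { selectionSet: { selections } } : {}) });
const DOC = { definitions: [{ kind: 'OperationDefinition', operation: 'query',
  selectionSet: { selections: [field('orders', [field('id'),
    field('customer', [field('name'), field('email')])])] } }] };
```

Hooked into the server as a validation rule or middleware, the check runs once against the parsed document, so a query that would fail on a deeply nested field is rejected before the root resolver executes.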

Is it good practice to put a GraphQL proxy server in front of a REST API provider just to hide the REST endpoints? Or would it be a waste of resources? This is for the case where I don’t want to expose my REST endpoints to the frontend.

Can you explain the different types of tokens and how they are different?
Which one is best? If the token changes after a period, how does that part work?

1 Like

What would you recommend for authorisation when there is a need for a granular permissions model instead of roles? Wouldn’t storing all permissions in the JWT be a bad idea due to its large size/limitations? Also, when a permission/role is changed, how can we force the token to change so it reflects the latest updates?

This was a great talk, I particularly enjoyed the intro to Auth/JWT during the first few minutes.

It seems with Slash Dgraph, many of the things discussed later in the talk have been handled for you. This recent blog post is great:
And so is this video:

1 Like

What is your one-liner to explain the difference between authentication & authorization?

Question to all: what’s your favorite app to play with api’s?