Authentication & Authorization

Grafbase exposes many ways to configure data access. This includes rules for signed-in users, members of groups, anonymous access, and rules for individual operations.

Data access can be configured globally, by model, or by field.

You must handle authentication yourself using a supported provider.

Authorization can be configured with a valid OpenID Connect identity provider (IdP) or JWT provider.

The auth provider must issue a JWT that is passed with each request in the authorization HTTP header, in the format authorization: Bearer TOKEN.

You can configure different types of authorization, including public, anonymous, signed-in, or role-based access using rules inside the @auth directive.

You can also use API keys to authorize requests.
