Auth Providers
Configure an OIDC or JWT provider so that Grafbase can authenticate and authorize user requests.
You can use any OpenID Connect provider that adheres to the OpenID Connect Discovery spec with your backend.
We append /.well-known/openid-configuration to the issuer URL to locate the OpenID configuration.
schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: private }]
  ) {
  query: Query
}
We recommend that you use an environment variable for the issuer value.
Grafbase supports a symmetric JWT provider that you can use to authorize requests with a JWT signed by you or by a third-party service. We currently support the algorithms HS256, HS384, and HS512.
To use the JWT provider, you need to configure the issuer (any valid URL) and a secret value.
schema
  @auth(
    providers: [
      {
        type: jwt
        issuer: "{{ env.ISSUER_URL }}"
        secret: "{{ env.JWT_SECRET }}"
      }
    ]
    rules: [{ allow: private }]
  ) {
  query: Query
}
We recommend that you use environment variables for the issuer and secret values.
You can also add a custom clientId value to the OIDC or JWT provider config for cases where the identity provider uses the same issuer for the tokens of more than one API.
Without a check like this, all APIs using the same issuer would share the same keys, thereby allowing customers to access each other's APIs.
schema
  @auth(
    providers: [
      { type: oidc, issuer: "https://my.idp.com", clientId: "some-id" }
    ]
  ) {
  query: Query
}
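The checks that the issuer, secret and clientId settings describe, as an added Python example using only the standard library (not Grafbase's own code). It assumes clientId is compared with the token's aud claim and that an exp claim is required; the secret and claim values are constructed, and sign, verify and outcome are hypothetical helper names.

```python
import base64, hashlib, hmac, json, time

# The three symmetric algorithms the page lists; anything else is rejected.
ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims, secret, alg="HS256"):
    """Mint a constructed test token (stands in for the identity provider)."""
    head = _enc(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), ALGS[alg]).digest()
    return f"{head}.{body}.{_enc(mac)}"

def verify(token, secret, issuer, client_id=None):
    """Return the claims, or raise ValueError naming the check that failed."""
    try:
        head, body, sig = token.split(".")
        digest = ALGS[json.loads(_dec(head))["alg"]]  # allow-list, so "none" fails
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed token or unsupported alg") from exc
    expected = hmac.new(secret, f"{head}.{body}".encode(), digest).digest()
    if not hmac.compare_digest(expected, _dec(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_dec(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if client_id is not None:  # assumption: clientId is compared with "aud"
        aud = claims.get("aud")
        if client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
    return claims

def outcome(token, secret, issuer, client_id=None):
    try:
        verify(token, secret, issuer, client_id)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    key, iss, exp = b"constructed-secret", "https://my.idp.com", time.time() + 300
    other = sign({"iss": iss, "aud": "other-app", "exp": exp}, key)
    print(outcome(other, key, iss), "|", outcome(other, key, iss, "some-id"))
```

The same validly signed token passes when no clientId is configured and is rejected once one is, which is the cross-API access the clientId check closes off.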