Auth Providers

Configure the provider types (OIDC, JWT or JWKS) that Grafbase uses to authenticate and authorize user requests.

You can use any OpenID Connect provider that adheres to the OpenID Connect Discovery spec with your backend.

We append /.well-known/openid-configuration to the issuer URL to locate the OpenID configuration.

schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: private }]
  ) {
  query: Query
}

We recommend that you use an environment variable for the issuer value.

Grafbase supports a symmetric JWT provider that you can use to authorize requests using a JWT signed by yourself or a third-party service.

To use the JWT provider you need to configure the issuer (any valid URL) and a secret value.

schema
  @auth(
    providers: [
      {
        type: jwt
        issuer: "{{ env.ISSUER_URL }}"
        secret: "{{ env.JWT_SECRET }}"
      }
    ]
    rules: [{ allow: private }]
  ) {
  query: Query
}

We recommend that you use an environment variable for the issuer and secret values.

Grafbase supports JSON Web Key Sets (JWKS) that contain the public keys used to verify JWTs issued by the provider and signed using RS256.

We append /.well-known/jwks.json to the issuer URL to locate the JWKS configuration.

schema
  @auth(
    providers: [{ type: jwks, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: private }]
  ) {
  query: Query
}

If the auth provider does not set the iss claim, you must configure the full JWKS endpoint, including /.well-known/jwks.json, as jwksEndpoint:

schema
  @auth(
    providers: [{ type: jwks, jwksEndpoint: "{{ env.JWKS_ENDPOINT }}" }]
    rules: [{ allow: private }]
  ) {
  query: Query
}

If both issuer and jwksEndpoint are provided, issuer is used for claim verification and jwksEndpoint is used to fetch the keys.

schema
  @auth(
    providers: [
      {
        type: jwks
        issuer: "{{ env.ISSUER_URL }}"
        jwksEndpoint: "{{ env.JWKS_ENDPOINT }}"
      }
    ]
    rules: [{ allow: private }]
  ) {
  query: Query
}

We recommend that you use an environment variable for the issuer and jwksEndpoint values.

Some auth providers sign tokens for all of their customers with the same iss value.

In that case, add a clientId value to the provider config. Grafbase will then check that the aud claim inside the JWT is an array of strings and that its value matches clientId.

schema
  @auth(
    providers: [
      { type: oidc, issuer: "https://my.idp.com", clientId: "some-id" }
    ]
  ) {
  query: Query
}

Without this check, every API that uses the same issuer would trust the same signing keys, allowing customers to access each other's APIs.

Supported signing algorithms per provider type:

  • JWT — HS (HMAC+SHA): HS256, HS384, HS512
  • OIDC — RS256, RS384, RS512
  • JWKS — RS256, RS384, RS512