Auth Providers

Configure an OIDC or JWT provider so that Grafbase can authenticate and authorize user requests.

You can use any OpenID Connect provider that adheres to the OpenID Connect Discovery spec with your backend.

We append /.well-known/openid-configuration to the issuer URL to locate the OpenID configuration.

schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: private }]
  ) {
  query: Query
}

We recommend that you use an environment variable for the issuer value.

Grafbase supports a symmetric JWT provider that you can use to authorize requests using a JWT signed by yourself or a third-party service. We currently support the algorithms HS256, HS384, and HS512.

To use the JWT provider, you need to configure the issuer (any valid URL) and a secret value.

schema
  @auth(
    providers: [
      {
        type: jwt
        issuer: "{{ env.ISSUER_URL }}"
        secret: "{{ env.JWT_SECRET }}"
      }
    ]
    rules: [{ allow: private }]
  ) {
  query: Query
}

We recommend that you use an environment variable for the issuer and secret values.
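The following is an added example, not Grafbase's own code: it signs a token with one of the three supported HMAC algorithms and shows the checks a verifier of such tokens has to make (algorithm allowlist, constant-time MAC comparison, issuer, expiry). The `iss`, `sub` and `exp` claim names come from the JWT standard; that the `iss` claim must equal the configured issuer is an assumption, and the issuer and secret values are constructed samples.

```python
import base64, hashlib, hmac, json, time

# The three algorithms the page lists for the symmetric JWT provider.
ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build header.payload.mac, each part base64url-encoded without padding."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    mac = hmac.new(secret, signing_input.encode(), ALGS[alg]).digest()
    return f"{signing_input}.{b64url(mac)}"

def verify(token: str, secret: bytes, issuer: str, now=None) -> dict:
    """Return the claims, or raise ValueError naming the check that failed."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        # Allowlist lookup: "none" and asymmetric algorithm names are rejected here.
        digest = ALGS[json.loads(unb64url(head_b64))["alg"]]
        sig = unb64url(sig_b64)
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("malformed token or unsupported alg") from exc
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), digest).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body_b64))     # parsed only after the MAC checks out
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    # Policy of this example: a token without exp is treated as expired.
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

# Constructed sample values standing in for env.ISSUER_URL and env.JWT_SECRET.
ISSUER = "https://issuer.example.com"
SECRET = b"constructed-sample-secret-not-for-production"

if __name__ == "__main__":
    token = sign({"iss": ISSUER, "sub": "user_1", "exp": int(time.time()) + 300}, SECRET)
    print(verify(token, SECRET, ISSUER))
```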

You can also add a custom clientId value to the OIDC or JWT provider config for cases where the identity provider uses the same issuer for tokens.

Without a check like this, all APIs using the same issuer would share the same keys, thereby allowing customers to access each other's APIs.

schema
  @auth(
    providers: [
      { type: oidc, issuer: "https://my.idp.com", clientId: "some-id" }
    ]
  ) {
  query: Query
}