requires-scopes1.0.5

Prevent access to elements in the query if the user doesn't have the right OAuth scopes

Requires Scopes

Provides the @requiresScopes directive which prevents access to elements in the query if the user doesn't have the right OAuth scopes. It expects the authentication token to be in JSON, as provided by the jwt extension, and have the scopes in OAuth2 format. So a scope claim with a list of scopes as a string separated by a space.

Install


# grafbase.toml
[extension.requires-scopes]
version = "1.0"

Run the install command before starting the gateway


grafbase extension install

Usage


# subgraph schema
extend schema
  @link(
    url: "https://grafbase.com/extensions/requires-scopes/1.0.0"
    import: ["@requiresScopes"]
  )

type Query {
  public: String!
  hasReadScope: String @requiresScopes(scopes: "read")
  hasReadAndWriteScope: String @requiresScopes(scopes: [["read", "write"]])
  hasReadOrWriteScope: String @requiresScopes(scopes: [["read"], ["write"]])
}

Claims	Field	Access granted?
`{"scope": ""}`	public	yes
`{"scope": ""}`	hasReadScope	no
`{"scope": "read"}`	hasReadScope	yes
`{"scope": "read"}`	hasWriteScope	no
`{"scope": "read"}`	hasReadOrWriteScope	yes
`{"scope": "read,write"}`	hasReadAndWriteScope	yes

Apache-2.0

26 Mar, 2025

Julius de Bruijn

InstallAdd this to your TOML configuration file:

[extensions] requires-scopes = "1.0.5"

github.com/grafbase/extensions/tree/main/extensions/requires-scopes

More extensions

snowflake0.3.0

Resolve GraphQL fields with Snowflake queries

jwt1.3.0

Restrict access to your graph with JWT

postgres0.6.0

Integrate your Postgres database directly into Grafbase Gateway. This...