requires-scopes1.0.5

Prevent access to elements in the query if the user doesn't have the right OAuth scopes

Requires Scopes

Provides the @requiresScopes directive which prevents access to elements in the query if the user doesn't have the right OAuth scopes. It expects the authentication token to be in JSON, as provided by the jwt extension, and have the scopes in OAuth2 format. So a scope claim with a list of scopes as a string separated by a space.

Install


# grafbase.toml
[extension.requires-scopes]
version = "1.0"

Run the install command before starting the gateway


grafbase extension install

Usage


# subgraph schema
extend schema
  @link(
    url: "https://grafbase.com/extensions/requires-scopes/1.0.0"
    import: ["@requiresScopes"]
  )

type Query {
  public: String!
  hasReadScope: String @requiresScopes(scopes: "read")
  hasReadAndWriteScope: String @requiresScopes(scopes: [["read", "write"]])
  hasReadOrWriteScope: String @requiresScopes(scopes: [["read"], ["write"]])
}

Claims	Field	Access granted?
`{"scope": ""}`	public	yes
`{"scope": ""}`	hasReadScope	no
`{"scope": "read"}`	hasReadScope	yes
`{"scope": "read"}`	hasWriteScope	no
`{"scope": "read"}`	hasReadOrWriteScope	yes
`{"scope": "read,write"}`	hasReadAndWriteScope	yes

Apache-2.0

26 Mar, 2025

Julius de Bruijn

InstallAdd this to your TOML configuration file:

[extensions] requires-scopes = "1.0.5"

github.com/grafbase/extensions/tree/main/extensions/requires-scopes

More extensions

authenticated1.0.3

Prevent access to elements in the query when the user is not authenticated

jwt0.2.7

JWT authentication extension.

nats0.4.1

Map NATS endpoints to GraphQL fields. Supports regular and JetStream...