requires-scopes1.1.0

Prevent access to elements in the query if the user doesn't have the right OAuth scopes

Requires Scopes extension

Provides the @requiresScopes directive which prevents access to elements in the query if the user doesn't have the right OAuth scopes. It expects the authentication token to be in JSON, as provided by the jwt extension, and have the scopes in OAuth2 format. So a scope claim with a list of scopes as a string separated by a space.

Install


# grafbase.toml
[extensions.requires-scopes]
version = "1.0"

Install the extensions before starting the gateway:


grafbase extension install

Usage


extend schema
  @link(
    url: "https://grafbase.com/extensions/requires-scopes/1.0.5"
    import: ["@requiresScopes"]
  )

type Query {
  public: String!
  hasReadScope: String @requiresScopes(scopes: "read")
  hasReadAndWriteScope: String @requiresScopes(scopes: [["read", "write"]])
  hasReadOrWriteScope: String @requiresScopes(scopes: [["read"], ["write"]])
}

Claims	Field	Access granted?
`{"scope": ""}`	public	yes
`{"scope": ""}`	hasReadScope	no
`{"scope": "read"}`	hasReadScope	yes
`{"scope": "read"}`	hasWriteScope	no
`{"scope": "read"}`	hasReadOrWriteScope	yes
`{"scope": "read,write"}`	hasReadAndWriteScope	yes

Apache-2.0

18 Aug, 2025

Julius de Bruijn

InstallAdd this to your TOML configuration file:

[extensions] requires-scopes = "1.1.0"

github.com/grafbase/extensions/tree/main/extensions/requires-scopes

More extensions

tag1.1.0

Build schema contracts with the @tag directive

rest0.5.2

Declarative REST resolver extension.

authenticated1.0.3

Prevent access to elements in the query when the user is not authenticated