Authenticate GraphQL Requests¶

On this page

Overview
Authorization Header
Credential Headers

Overview¶

The GraphQL API operates over HTTP, which means that you can access your exposed data using any HTTP or GraphQL client. Realm enforces rules for all GraphQL operations, so any GraphQL HTTP request must include an application user’s login credentials or a valid access token.

Authorization Header¶

To authenticate a GraphQL request as an arbitrary logged in user from any provider, include a valid user access token as a bearer token in the request’s Authorization header:

copy

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": {
    "Authorization": "Bearer <Access Token>"
  },
  "body": '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'
})

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
   --header 'Authorization: Bearer <Access Token>' \
   --header 'Content-Type: application/json' \
   --data-raw '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'

Credential Headers¶

Important

Credential headers are useful for infrequent or test requests. However, we strongly encourage you to authenticate GraphQL requests using an Authorization Header from a client that uses a Realm SDK.

GraphQL requests from a web browser must use an Authorization header to avoid CORS errors.

Email/Password¶

To authenticate a GraphQL request as an email/password user, include the user’s credentials in the request’s email and password headers:

copy

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": {
    "email": "<User's Email Address>",
    "password": "<User's Password>",
  },
  "body": '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'
})

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
   --header 'email: <User's Email Address>' \
   --header 'password: <User's Password>' \
   --header 'Content-Type: application/json' \
   --data-raw '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'

API Key¶

To authenticate a GraphQL request as an API Key user, include the user or server API key in the request’s apiKey header:

copy

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": {
    "apiKey": "<User or Server API Key>"
  },
  "body": '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'
})

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
   --header 'apiKey: <User or Server API Key>' \
   --header 'Content-Type: application/json' \
   --data-raw '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'

Custom JWT¶

To authenticate a GraphQL request as a custom JWT user, include the JWT string in the request’s jwtTokenString header:

copy

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": {
    "jwtTokenString": "<User's JWT Token>"
  },
  "body": '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'
})

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
   --header 'jwtTokenString: <User's JWT Token>' \
   --header 'Content-Type: application/json' \
   --data-raw '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'

← Define a Custom Resolver Run GraphQL Operations from a CLI →