Authenticate GraphQL Requests

Overview

The GraphQL API operates over HTTP, which means that you can access your exposed data using any HTTP or GraphQL client. Realm enforces rules for all GraphQL operations, so any GraphQL HTTP request must include an application user’s login credentials or a valid access token.

Authorization Header

To authenticate a GraphQL request as an arbitrary logged-in user from any provider, include a valid user access token as a bearer token in the request’s Authorization header:

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": {
    "Authorization": "Bearer <Access Token>"
  },
  "body": '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'
})

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
   --header 'Authorization: Bearer <Access Token>' \
   --header 'Content-Type: application/json' \
   --data-raw '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'

Credential Headers

Important

Credential headers are useful for infrequent or test requests. However, we strongly encourage you to authenticate GraphQL requests using an Authorization Header from a client that uses a Realm SDK.

GraphQL requests from a web browser must use an Authorization header to avoid CORS errors.

Email/Password

To authenticate a GraphQL request as an email/password user, include the user’s credentials in the request’s email and password headers:

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": {
    "email": "<User's Email Address>",
    "password": "<User's Password>",
  },
  "body": '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'
})

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
   --header "email: <User's Email Address>" \
   --header "password: <User's Password>" \
   --header 'Content-Type: application/json' \
   --data-raw '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'

API Key

To authenticate a GraphQL request as an API Key user, include the user or server API key in the request’s apiKey header:

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": {
    "apiKey": "<User or Server API Key>"
  },
  "body": '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'
})

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
   --header 'apiKey: <User or Server API Key>' \
   --header 'Content-Type: application/json' \
   --data-raw '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'

Custom JWT

To authenticate a GraphQL request as a custom JWT user, include the JWT string in the request’s jwtTokenString header:

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": {
    "jwtTokenString": "<User's JWT Token>"
  },
  "body": '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'
})

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
   --header "jwtTokenString: <User's JWT Token>" \
   --header 'Content-Type: application/json' \
   --data-raw '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'
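
A request builder for the four header schemes on this page, as an added example rather than code from the Realm documentation: it maps each credential type to its header, enforces the browser rule from Credential Headers, and masks credential values before logging. The helper names, the credential field names (`token`, `key`, `jwt`) and the sample values are assumptions.

```javascript
// Added example; BASE_URL, SCHEMES, buildGraphQLRequest and redactHeaders are hypothetical names.
const BASE_URL = "https://realm.mongodb.com/api/client/v2.0/app";

// scheme -> [header name, credential field, value prefix]; header names as listed on this page
const SCHEMES = {
  accessToken: [["Authorization", "token", "Bearer "]],
  emailPassword: [["email", "email", ""], ["password", "password", ""]],
  apiKey: [["apiKey", "key", ""]],
  customJwt: [["jwtTokenString", "jwt", ""]],
};

function buildGraphQLRequest(appId, cred, query, { inBrowser = false } = {}) {
  const scheme = SCHEMES[cred.type];
  if (!scheme) throw new Error(`unknown credential type: ${cred.type}`);
  // Browser requests must use the Authorization header to avoid CORS errors.
  if (inBrowser && cred.type !== "accessToken") {
    throw new Error("browser requests must use an Authorization bearer token");
  }
  const headers = { "Content-Type": "application/json" };
  for (const [header, field, prefix] of scheme) {
    const value = cred[field];
    // Reject missing values and CR/LF so a value can never span header lines.
    if (typeof value !== "string" || value === "" || /[\r\n]/.test(value)) {
      throw new Error(`missing or invalid credential field: ${field}`);
    }
    headers[header] = prefix + value;
  }
  return {
    url: `${BASE_URL}/${encodeURIComponent(appId)}/graphql`,
    method: "POST",
    headers,
    // JSON.stringify escapes the query's newlines and quotes; no hand-built JSON.
    body: JSON.stringify({ query }),
  };
}

// Copy of the headers that is safe to write to logs: credential values are masked.
function redactHeaders(headers) {
  const secret = new Set(["authorization", "email", "password", "apikey", "jwttokenstring"]);
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k, secret.has(k.toLowerCase()) ? "[REDACTED]" : v])
  );
}

// Constructed sample values, not real credentials.
const req = buildGraphQLRequest("myapp-abcde", { type: "accessToken", token: "sample.access.token" },
  "query AllMovies {\n  movies {\n    title\n    year\n  }\n}");
console.log(req.url, redactHeaders(req.headers));
```

The returned object can be passed to any HTTP client, for example `fetch(req.url, req)`.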