Authenticate GraphQL Requests
Overview
The GraphQL API operates over HTTP, which means that you can access your exposed data using any HTTP or GraphQL client. Realm enforces rules for all GraphQL operations, so any GraphQL HTTP request must include an application user's login credentials or a valid access token.
Authorization Header
To authenticate a GraphQL request as an arbitrary logged-in user from any provider, include a valid user access token as a bearer token in the request's Authorization header:

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": { "Authorization": "Bearer <Access Token>" },
  "body": '{"query":"query AllMovies {\n movies {\n title\n year\n }\n}"}'
})

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
  --header 'Authorization: Bearer <Access Token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{"query":"query AllMovies {\n movies {\n title\n year\n }\n}"}'
Credential Headers
Credential headers are useful for infrequent or test requests. However, we strongly encourage you to authenticate GraphQL requests using an Authorization Header from a client that uses a Realm SDK.
GraphQL requests from a web browser must use an Authorization header to avoid CORS errors.
Email/Password
To authenticate a GraphQL request as an email/password user, include the user's credentials in the request's email and password headers:

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": {
    "email": "<User's Email Address>",
    "password": "<User's Password>",
  },
  "body": '{"query":"query AllMovies {\n movies {\n title\n year\n }\n}"}'
})

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
  --header "email: <User's Email Address>" \
  --header "password: <User's Password>" \
  --header 'Content-Type: application/json' \
  --data-raw '{"query":"query AllMovies {\n movies {\n title\n year\n }\n}"}'
API Key
To authenticate a GraphQL request as an API Key user, include the user or server API key in the request's apiKey header:

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": { "apiKey": "<User or Server API Key>" },
  "body": '{"query":"query AllMovies {\n movies {\n title\n year\n }\n}"}'
})

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
  --header 'apiKey: <User or Server API Key>' \
  --header 'Content-Type: application/json' \
  --data-raw '{"query":"query AllMovies {\n movies {\n title\n year\n }\n}"}'
Custom JWT
To authenticate a GraphQL request as a custom JWT user, include the JWT string in the request's jwtTokenString header:

http.post({
  "url": "https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql",
  "headers": { "jwtTokenString": "<User's JWT Token>" },
  "body": '{"query":"query AllMovies {\n movies {\n title\n year\n }\n}"}'
})

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
  --header "jwtTokenString: <User's JWT Token>" \
  --header 'Content-Type: application/json' \
  --data-raw '{"query":"query AllMovies {\n movies {\n title\n year\n }\n}"}'
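
The four header schemes on this page gathered into one request builder, as an added example that is not part of the original documentation: buildGraphQLRequest and redactHeaders are hypothetical helper names, and the app ID and token are constructed placeholders. It enforces the browser rule stated under Credential Headers, rejects missing or CR/LF-bearing credentials, and redacts secret headers before they reach a log.

```javascript
// Added example: header names and the endpoint shape come from the page;
// buildGraphQLRequest and redactHeaders are hypothetical helper names.
const endpoint = (appId) =>
  `https://realm.mongodb.com/api/client/v2.0/app/${encodeURIComponent(appId)}/graphql`;

// auth type -> list of [credential field, header name, value prefix]
const AUTH_SCHEMES = {
  accessToken: [["accessToken", "Authorization", "Bearer "]],
  emailPassword: [["email", "email", ""], ["password", "password", ""]],
  apiKey: [["apiKey", "apiKey", ""]],
  customJwt: [["jwt", "jwtTokenString", ""]],
};

function buildGraphQLRequest(appId, auth, query, { browser = false } = {}) {
  const scheme = AUTH_SCHEMES[auth.type];
  if (!Array.isArray(scheme)) throw new Error(`unknown auth type: ${auth.type}`);
  // Per the page, browser requests must use the Authorization header (CORS).
  if (browser && auth.type !== "accessToken") {
    throw new Error("browser requests must use an Authorization bearer token");
  }
  const headers = { "Content-Type": "application/json" };
  for (const [field, header, prefix] of scheme) {
    const value = auth[field];
    // Reject missing values and CR/LF, which would corrupt the header.
    if (typeof value !== "string" || value === "" || /[\r\n]/.test(value)) {
      throw new Error(`missing or invalid credential field: ${field}`);
    }
    headers[header] = prefix + value;
  }
  // JSON.stringify escapes the newlines of a multi-line query correctly.
  return { url: endpoint(appId), headers, body: JSON.stringify({ query }) };
}

// Copy of the headers that is safe to write to logs.
function redactHeaders(headers) {
  const secret = new Set(["authorization", "password", "apikey", "jwttokenstring"]);
  return Object.fromEntries(Object.entries(headers).map(
    ([name, value]) => [name, secret.has(name.toLowerCase()) ? "[REDACTED]" : value]
  ));
}

// Constructed sample input: placeholder app ID and token, not real values.
const sample = buildGraphQLRequest(
  "yourappid-abcde",
  { type: "accessToken", accessToken: "example-token" },
  "query AllMovies {\n  movies {\n    title\n    year\n  }\n}"
);
console.log(sample.url, redactHeaders(sample.headers));
```

The returned object can be passed to any HTTP client as the URL, headers and body of a POST request.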