Authenticate GraphQL Requests¶

On this page

Overview
Get a Client API Access Token
Refresh a Client API Access Token

Overview¶

MongoDB Realm enforces collection rules for all GraphQL operations. This means that all GraphQL requests must be made by a logged in user of your Realm app.

The GraphQL API uses realm client access tokens to authorize requests. This guide demonstrates how to get a valid access token for a user and how to refresh the access token after it expires.

Example

The following request demonstrates how to include an access token for a user with each request. Replace <Access Token> with the access_token value that you want to use.

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/graphql' \
  --header 'Authorization: Bearer <Access Token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{"query":"query AllMovies {\n  movies {\n    title\n    year\n  }\n}"}'

Get a Client API Access Token¶

To get an access token, you need to authenticate with the realm Client HTTP API using the user’s login credentials. The Client API authentication endpoints accept valid user credentials in the body of a POST request and use the following URL form:

copy

https://realm.mongodb.com/api/client/v2.0/app/<yourappid-abcde>/auth/providers/<provider type>/login

Example

The following request authenticates a realm user with the client API. The request body specifies the user’s login credentials.

Anonymous
Email/Password
API Key
Custom JWT

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/myapp-abcde/auth/providers/anon-user/login'

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/myapp-abcde/auth/providers/local-userpass/login' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "username": "test@example.com",
    "password": "password"
  }'

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/myapp-abcde/auth/providers/api-key/login' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "key": "hScMWZyOKnjQMbfDPMJ1qHgtdGT2raQXdVDDvlC2SzKEBKlHKV8FK9SPCSTnODPg"
  }'

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/app/myapp-abcde/auth/providers/custom-token/login' \
  --header 'Content-Type: application/json' \
  --data-raw '{
     "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ0ZXN0ZGV2LWJwcWVsIiwiZXhwIjoxNTE2MjM5MDIyLCJzdWIiOiIyNDYwMSIsInVzZXJfZGF0YSI6eyJuYW1lIjoiSmVhbiBWYWxqZWFuIiwiYWxpYXNlcyI6WyJNb25zaWV1ciBNYWRlbGVpbmUiLCJVbHRpbWUgRmF1Y2hlbGV2ZW50IiwiVXJiYWluIEZhYnJlIl19fQ.mVWr4yFf8nD1EhuhrJbgKfY7BEpMab38RflXzUxuaEI"
  }'

The authentication request is successful, so the response body includes access_token and refresh_token values for the user. Each of these values is a JSON web token string that identifies the authenticated user and authorizes requests on their behalf.

copy

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1Nzg5NjY1MTYsImlhdCI6MTU3ODk2NDcxNiwiaXNzIjoiNWUxZDE2ZWM4YWM5M2QzMGFjNDg0ZTk0Iiwic3RpdGNoX2RldklkIjoiMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwic3RpdGNoX2RvbWFpbklkIjoiNWRkODFiYmU3NTFhYzk2ZDM3NmI1Mjg1Iiwic3ViIjoiNWUxM2E0MWUxYjM4ZDM1ODQzMGVkMWYzIiwidHlwIjoiYWNjZXNzIn0.WnWJM01meRDZRVIPr7tXqHcXSgrz0refMrpx7bMVgeQ",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODQxNDg3MTYsImlhdCI6MTU3ODk2NDcxNiwic3RpdGNoX2RhdGEiOm51bGwsInN0aXRjaF9kZXZJZCI6IjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCIsInN0aXRjaF9kb21haW5JZCI6IjVkZDgxYmJlNzUxYWM5NmQzNzZiNTI4NSIsInN0aXRjaF9pZCI6IjVlMWQxNmVjOGFjOTNkMzBhYzQ4NGU5NCIsInN0aXRjaF9pZGVudCI6eyJpZCI6IjVlMTNhNDFlMWIzOGQzNTg0MzBlZDFmMiIsInByb3ZpZGVyX3R5cGUiOiJsb2NhbC11c2VycGFzcyIsInByb3ZpZGVyX2lkIjoiNWUxM2E0MDUxYjM4ZDM1ODQzMGVkMWI3In0sInN1YiI6IjVlMTNhNDFlMWIzOGQzNTg0MzBlZDFmMyIsInR5cCI6InJlZnJlc2gifQ.fqr19MaUykKqi8C8csJUUzNe9jQOucPbtcc0soWgc5k"
}

Refresh a Client API Access Token¶

Access tokens expire 30 minutes after MongoDB Realm grants them. When an access token expires, you can either request another access token using the user’s credentials or use the refresh token to request a new access token with including the user’s credentials.

The Client API session refresh endpoint accepts a POST request that includes the refresh token in the Authorization header and uses the following URL:

copy

https://realm.mongodb.com/api/client/v2.0/auth/session

Example

The following request demonstrates how to use a refresh token to get a new, valid access token. Replace <Refresh Token> with the refresh_token value for the access token that you want to refresh.

copy

curl --location --request POST 'https://realm.mongodb.com/api/client/v2.0/auth/session' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <Refresh Token>'

← Define a Custom Query or Mutation GraphQL Types, Resolvers, and Operators →

1: Setup

2: Write a Client

User Management

Authentication Providers

Configure a MongoDB Cluster

CRUD Operations

Reference

Configuration

Trigger Types

Configure Third-Party Services

Built-In Services

Examples

Deployment Methods

Get Started

The Realm Data Model

Work with Realm Database

Work with MongoDB Realm

Reference

Get Started

The Realm Data Model

Work with Realm Database

Work with MongoDB Realm

Reference

Get Started

The Realm Data Model

Work with Realm Database

Work with MongoDB Realm

Reference

Get Started

The Realm Data Model

Work with Realm Database

Work with MongoDB Realm

Reference

Get Started

Work with MongoDB Realm

GraphQL API

Authenticate GraphQL Requests¶

Overview¶

Get a Client API Access Token¶

Refresh a Client API Access Token¶