I was wondering if there is any way for our users to access GraphQL if we enable it in production without enabling the GraphQL explorer?
We currently only have GraphQL enabled in stage, so it's easy for us to only allow developers to use it. But we’re reluctant to enable it in prod unless we’re certain that it can only be accessed through service account API keys and bearer tokens.
The CRUD operations on the object classes in the GraphQL endpoints are restricted to the current user’s roles and permissions. If the logged-in user does not have read access to the object class, then nothing will be returned. If they do have read access, then they are free to query as they wish. Same goes for other operations such as Create, Update, Delete and Aggregate.
If available to you, you may use Conditional Permissions to further limit the available data that the end user is able to access and the operations they may perform.
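As an added illustration of the permission model the answer describes (a hypothetical model written for this thread, not the product's own code): per-object-class operation rights derived from the caller's roles, plus an optional conditional permission that narrows the rows in scope, evaluated the same way whether the request arrives via the explorer or via an API key or bearer token. The `ObjectClassPolicy` class, the "Invoice" data and the role names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

Row = dict
User = dict
# Conditional permission: (user, row) -> whether the row is in scope for that user.
Condition = Callable[[User, Row], bool]

@dataclass
class ObjectClassPolicy:
    # Operations (read/create/update/delete/aggregate) each role may perform.
    role_ops: dict[str, set[str]]
    # Optional row-level condition applied on top of the role check.
    condition: Optional[Condition] = None

    def ops_for(self, user: User) -> set[str]:
        """Union of the operations granted by every role the user holds."""
        return set().union(*(self.role_ops.get(r, set()) for r in user["roles"]))

    def scope(self, user: User, op: str, rows: list[Row]) -> list[Row]:
        """Rows the user may apply `op` to: [] when no role grants `op`,
        otherwise only the rows that pass the conditional permission."""
        if op not in self.ops_for(user):
            return []
        if self.condition is None:
            return list(rows)
        return [r for r in rows if self.condition(user, r)]

def query(policy: ObjectClassPolicy, user: User, rows: list[Row]) -> list[Row]:
    return policy.scope(user, "read", rows)

def aggregate_count(policy: ObjectClassPolicy, user: User, rows: list[Row]) -> int:
    # Aggregates are scoped like reads, so a count cannot reveal hidden rows.
    return len(policy.scope(user, "aggregate", rows))

def update(policy: ObjectClassPolicy, user: User, rows: list[Row],
           row_id: str, changes: dict) -> bool:
    """Apply `changes` only if the row is inside the user's update scope."""
    for r in policy.scope(user, "update", rows):
        if r["id"] == row_id:
            r.update(changes)
            return True
    return False

# Constructed sample: an "Invoice" object class. Finance sees every invoice;
# sales may read and aggregate, but only invoices they own.
INVOICE_POLICY = ObjectClassPolicy(
    role_ops={"finance": {"read", "create", "update", "delete", "aggregate"},
              "sales": {"read", "aggregate"}},
    condition=lambda u, r: "finance" in u["roles"] or r["owner"] == u["id"],
)
INVOICES = [{"id": "inv-1", "owner": "u1", "total": 100},
            {"id": "inv-2", "owner": "u2", "total": 250},
            {"id": "inv-3", "owner": "u1", "total": 40}]
```

A caller with no matching role gets an empty list rather than an error, which is the "nothing will be returned" behaviour the answer describes.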