Max Tokens

Limit the number of tokens in a GraphQL document.

It is used to prevent DOS attack, heap overflow or server overloading.

The token limit is often limited by the graphql parser, but this is not always the case and would lead to a fatal heap overflow.

Provided by GraphQL Armor

How to use?

Install the plugin:

npm install @escape.tech/graphql-armor-max-tokens

pnpm add @escape.tech/graphql-armor-max-tokens

yarn add @escape.tech/graphql-armor-max-tokens

bun add @escape.tech/graphql-armor-max-tokens

Then, add it to your plugins:

gateway.config.ts

import { maxTokensPlugin } from '@escape.tech/graphql-armor-max-tokens'
import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  plugins: () => [
    maxTokensPlugin({
      // Toggle the plugin | Default: true
      enabled: true,
      // Number of tokens allowed | Default: 5000
      n: 5000,
      // Do you want to propagate the rejection to the client? | default: true
      propagateOnRejection: true,
      // List of queries that are allowed to bypass the plugin
      allowList: [],
 
      /* Advanced options (use here on your own risk) */
 
      // Callbacks that are ran whenever a Query is accepted
      onAccept: [],
 
      // Callbacks that are ran whenever a Query is rejected
      onReject: []
    })
  ]
})

References

Max Directives Header Propagation