
Max Tokens

Limit the number of tokens in a GraphQL document.

It is used to prevent DoS attacks, heap overflows, and server overloading.

The GraphQL parser often enforces a token limit itself, but this is not always the case; when it does not, an oversized document can lead to a fatal heap overflow.

Provided by GraphQL Armor

How to use?

Install the plugin:

npm install @escape.tech/graphql-armor-max-tokens

Then, add it to your plugins:

gateway.config.ts
import { maxTokensPlugin } from '@escape.tech/graphql-armor-max-tokens'
import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  plugins: () => [
    maxTokensPlugin({
      // Toggle the plugin | Default: true
      enabled: true,
      // Number of tokens allowed | Default: 5000
      n: 5000,
      // Do you want to propagate the rejection to the client? | Default: true
      propagateOnRejection: true,
      // List of queries that are allowed to bypass the plugin
      allowList: [],
 
      /* Advanced options (use at your own risk) */

      // Callbacks that are run whenever a query is accepted
      onAccept: [],

      // Callbacks that are run whenever a query is rejected
      onReject: []
    })
  ]
})
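
To show what the `n` option measures, here is an added example (not GraphQL Armor's or Hive Gateway's own code) that counts lexical tokens with a simplified GraphQL grammar and stops scanning as soon as the count exceeds `n`. `checkTokenLimit`, `Verdict` and the `RE_*` expressions are names introduced for this example, and the grammar is loose enough to count tokens but not to validate them.

```typescript
// Constructed for this example: simplified GraphQL lexical rules.
const RE_IGNORED = /[\s,]+|#[^\n\r]*/; // whitespace, commas, # comments
const RE_PUNCT = /\.\.\.|[!$&()\[\]{}:=@|]/;
const RE_NAME = /[_A-Za-z]\w*/;
const RE_NUMBER = /-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?/;
const RE_BLOCK_STRING = /"""(?:\\"""|[^\\]|\\(?!"""))*?"""/;
const RE_STRING = /"(?:[^"\\\n\r]|\\.)*"/;

// Capture group 1 is set only when a real token (not ignored text) matched.
const LEX_SOURCE =
  RE_IGNORED.source +
  '|(' +
  [RE_PUNCT, RE_NAME, RE_NUMBER, RE_BLOCK_STRING, RE_STRING]
    .map((r) => r.source)
    .join('|') +
  ')';

type Verdict = { accepted: boolean; tokens: number; reason?: string };

// Accepts a document with at most n tokens (assumed semantics of "allowed").
function checkTokenLimit(doc: string, n: number): Verdict {
  const lex = new RegExp(LEX_SOURCE, 'g'); // fresh lastIndex for every call
  let pos = 0;
  let tokens = 0;
  let m: RegExpExecArray | null;
  while ((m = lex.exec(doc)) !== null) {
    if (m.index !== pos) break; // gap: a character no lexical rule accepts
    pos = lex.lastIndex;
    if (m[1] !== undefined && ++tokens > n) {
      // Early exit: the rest of an oversized document is never scanned.
      return { accepted: false, tokens, reason: `Token limit of ${n} exceeded` };
    }
  }
  if (pos < doc.length) {
    return { accepted: false, tokens, reason: `Syntax error at offset ${pos}` };
  }
  return { accepted: true, tokens };
}
```

Commas and comments do not count toward the limit, while every punctuator, name, number and string does, so a document made of thousands of repeated aliases is rejected after `n + 1` tokens regardless of its total size.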

References