
Max Tokens

Limits the number of tokens in a GraphQL document. This helps prevent denial-of-service (DoS) attacks, heap overflows and server overload. The GraphQL parser often enforces a token limit itself, but this is not always the case, and without a limit an oversized document can lead to a fatal heap overflow.
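
To make concrete what is being counted, the following added example (not code from Hive Gateway or GraphQL Armor) implements a simplified GraphQL lexer that counts tokens and stops as soon as a budget is exceeded. The helper name `checkMaxTokens`, the regular expressions and the sample documents are assumptions made for illustration.

```typescript
// Added example: a simplified GraphQL lexer, not GraphQL Armor's implementation.
// One alternative per token kind in the GraphQL lexical grammar:
// block string | string | spread | punctuator | name | int/float.
const TOKEN =
  /"""(?:\\"""|[\s\S])*?"""|"(?:\\.|[^"\\\n])*"|\.\.\.|[!$&():=@\[\]{|}]|[_A-Za-z][_0-9A-Za-z]*|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?/y
// Whitespace, commas, BOM and comments are "ignored tokens": they never count.
const IGNORED = /(?:[\s,\uFEFF]+|#[^\n\r]*)+/y

interface TokenCheck {
  accepted: boolean
  tokens: number // tokens lexed before the decision was made
}

// Hypothetical helper: counts tokens and stops as soon as the budget `n` is
// exceeded, so the work done is bounded by `n`, not by the document size.
function checkMaxTokens(doc: string, n: number): TokenCheck {
  let pos = 0
  let tokens = 0
  while (true) {
    IGNORED.lastIndex = pos
    if (IGNORED.exec(doc)) pos = IGNORED.lastIndex
    if (pos >= doc.length) return { accepted: true, tokens }
    TOKEN.lastIndex = pos
    if (!TOKEN.exec(doc)) throw new SyntaxError(`Unexpected character at offset ${pos}`)
    pos = TOKEN.lastIndex
    if (++tokens > n) return { accepted: false, tokens }
  }
}

// Constructed sample inputs.
const SAMPLE_NORMAL = 'query Me { viewer { id name } }'
const SAMPLE_MIXED = 'query Q($id: ID! = "a,b") { # comment, ignored\n node(id: $id) { ...F } }'
const SAMPLE_OVERSIZED = 'query {' + ' a: __typename'.repeat(2000) + ' }'

console.log(checkMaxTokens(SAMPLE_NORMAL, 1000))
console.log(checkMaxTokens(SAMPLE_MIXED, 1000))
console.log(checkMaxTokens(SAMPLE_OVERSIZED, 5000))
```

The oversized sample is rejected at the first token past the budget, before the rest of the document is read, which is the property that keeps memory and CPU use bounded.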

Basic Configuration

Powered by GraphQL Armor.

Hive Gateway ships with the basic “max tokens” security feature. You can enable it by setting the maxTokens option to true, or configure the number of allowed tokens by passing a number to the option.

gateway.config.ts
import { defineConfig } from '@graphql-hive/gateway'

export const gatewayConfig = defineConfig({
  maxTokens: true // defaults to 1000
})

Advanced Configuration

The built-in configuration options are limited but should be enough for most use cases. If you need more control, install the GraphQL Armor Max Tokens plugin and configure it directly.

npm install @escape.tech/graphql-armor-max-tokens
gateway.config.ts
import { maxTokensPlugin } from '@escape.tech/graphql-armor-max-tokens'
import { defineConfig } from '@graphql-hive/gateway'

export const gatewayConfig = defineConfig({
  plugins: () => [
    maxTokensPlugin({
      // Toggle the plugin | Default: true
      enabled: true,
      // Number of tokens allowed | Default: 5000
      n: 5000,
      // Do you want to propagate the rejection to the client? | Default: true
      propagateOnRejection: true,
      // List of queries that are allowed to bypass the plugin
      allowList: [],

      /* Advanced options (use at your own risk) */

      // Callbacks that are run whenever a query is accepted
      onAccept: [],
      // Callbacks that are run whenever a query is rejected
      onReject: []
    })
  ]
})