Catch the highlights of GraphQLConf 2023! Click for recordings. Or check out our recap blog post.
Persisted Operations

Persisted Operations

Persisted operations is a mechanism for preventing the execution of arbitrary GraphQL operation documents. By default, the persisted operations plugin follows the the APQ Specification for SENDING hashes to the server.

You have to define your operations in your configuration file like below;

documents: ./documents/*.graphql

Then GraphQL Mesh will generate a persisted operations map under .mesh artifacts as persisted_operations.json like below;

  "ecf4edb46db40b5132295c0291d62fb65d6759a9eedfa4d5d612dd5ec54a6b38": "{__typename}"

So you can use this file as a reference for your persisted operations in the client side.

Testing Persisted Operations

Create an example GraphQL operation;

query Test {

And assume that you have the following configuration file;

documents: ./test.graphql

Then GraphQL Mesh will generate .mesh/persisted_operations.json;

  "ecf4edb46db40b5132295c0291d62fb65d6759a9eedfa4d5d612dd5ec54a6b38": "query Test {\n  __typename\n}"

Start your GraphQL Mesh server and send the following request to the server;

Execute persisted GraphQL operation
curl -X POST -H 'Content-Type: application/json' http://localhost:4000/graphql \
  -d '{"extensions":{"persistedQuery":{"version":1,"sha256Hash":"ecf4edb46db40b5132295c0291d62fb65d6759a9eedfa4d5d612dd5ec54a6b38"}}}'

Allow only persisted operations

By default, GraphQL Mesh will allow all operations to be executed in dev mode, but not in production mode.

You can change this behavior by setting allowUnpersistedOperations to false or true in your configuration file.

  allowArbitraryOperations: true

Other options

You can also configure the following options:

  # Whether to allow execution of arbitrary GraphQL operations aside from persisted operations.
  allowArbitraryOperations: false;
  # Whether to skip validation of the persisted operation
  skipDocumentValidation: false;
  # Customize error messages
    # Error message to return when the operation is not found
    notFound: 'PersistedQueryNotFound'
    # Error to be thrown when rejecting non-persisted operations
    persistedQueryOnly?: string;
    # Error to be thrown when the extraction of the persisted operation id failed
    keyNotFound?: string;