v1Authentication

Authentication through directives

You can use the @authenticated, @requiresScope, @policy and @skipAuth directives to control access to your GraphQL API. These directives are used to enforce authentication and authorization rules on your supergraph.

💡

You need to configure your gateway to use specific authentication rules in order to use these directives.

See here to configure authentication for Hive Gateway

Granular field access by Federation auth directives (@authenticated, @requiresScopes, @policy)

You can use the authenticated directive to enforce authentication rules on specific fields. This directive can be used to restrict access to certain fields based on the viewer’s session.

Then, you can use the authenticated directive to set authentication rules on fields:

Since @authenticated is a native directive, you can import it instead of defining it explicitly;

extend schema @link(url: "https://specs.apollo.dev/federation/v2.6", import: ["@authenticated"])
 
type Query {
  me: User! @authenticated
  protectedField: String @authenticated
  # publicField: String
}
💡

You can learn more about the auth directives in the gateway docs here. Auth in Hive Gateway

Exclude fields from authentication by using schema field directive @skipAuth

If you have completely protected supergraph but allow unauthenticated access for certain fields by annotating them.

You need to define the skipAuth directive in your schema:

# This is needed for Federation because `@skipAuth` is not part of Federation spec
extend schema
  @link(url: "https://specs.apollo.dev/link/v1.0")
  @link(url: "https://specs.apollo.dev/federation/v2.6", import: ["@composeDirective"])
  @link(url: "https://the-guild.dev/graphql/mesh/spec/v1.0", import: ["@skipAuth"])
  @composeDirective(name: "@skipAuth")
 
directive @skipAuth on FIELD_DEFINITION | OBJECT | INTERFACE

Then, you can use the skipAuth directive to exclude fields from authentication:

type Query {
  me: User!
  protectedField: String
  publicField: String @skipAuth
}
💡

In order to use this directive, you need to configure Generic Auth plugin to use Complete Protection in your GraphQL Mesh Gateway.