Authentication through directives

You can use the @authenticated, @requiresScope, @policy and @skipAuth directives to control access to your GraphQL API. These directives are used to enforce authentication and authorization rules on your supergraph.

Granular field access by Federation auth directives (@authenticated, @requiresScopes, @policy)

You can use the authenticated directive to enforce authentication rules on specific fields. This directive can be used to restrict access to certain fields based on the viewer’s session.

Then, you can use the authenticated directive to set authentication rules on fields:

Since @authenticated is a native directive, you can import it instead of defining it explicitly;

extend schema @link(url: "https://specs.apollo.dev/federation/v2.6", import: ["@authenticated"])
 
type Query {
  me: User! @authenticated
  protectedField: String @authenticated
  # publicField: String
}

Exclude fields from authentication by using schema field directive @skipAuth

If you have completely protected supergraph but allow unauthenticated access for certain fields by annotating them.

You need to define the skipAuth directive in your schema:

# This is needed for Federation because `@skipAuth` is not part of Federation spec
extend schema
  @link(url: "https://specs.apollo.dev/link/v1.0")
  @link(url: "https://specs.apollo.dev/federation/v2.6", import: ["@composeDirective"])
  @link(url: "https://the-guild.dev/graphql/mesh/spec/v1.0", import: ["@skipAuth"])
  @composeDirective(name: "@skipAuth")
 
directive @skipAuth on FIELD_DEFINITION | OBJECT | INTERFACE

Then, you can use the skipAuth directive to exclude fields from authentication:

type Query {
  me: User!
  protectedField: String
  publicField: String @skipAuth
}