Anonymous Access
Controlling anonymous access of the GraphQL endpoint is only available in Dgraph Cloud.
Configure anonymous access
To turn /graphql endpoint anonymous access off:
- Go to the Schema section of Dgraph Cloud console.
- Open the Access tab.
- Set the Anonymous Access toggle to On or Off.
With Anonymous Access turned off, any client accessing the /graphql endpoint must pass a valid client or admin API Key in the DG-Auth or X-Auth-Token header.
With anonymous access turned on (default configuration), you need to further define the permission per type defined in your GraphQL Schema.
Edit GraphQL type operations access permissions
have a button to “Edit Permissions”
When anonymous access is on, any newly deployed type has read and write permissions for anonymous users.
To control the anonymous access to operations:
- Open the Access tab in the Schema section.
- Click on Edit Permission
- For every Type defined in your GraphQL schema, Edit Permissions shows check boxes to enable Anonymous Access to Read and Write.
  - Check Read to allow anonymous clients to access the get<Type> and query<Type> operations.
  - Check Write to allow anonymous clients to access the add<Type>, update<Type>, and delete<Type> operations.
Anonymous access works as an access control layer one level higher than Role-based Access Control (RBAC).
Permission settings only apply to the parent type operations: it’s still possible to read/write data of a type that has been set with no read/write permissions if a parent type is granted read/write access to anonymous clients.
Consider the following Schema:
If Anonymous Access was granted Read and Write for Post but not for User, it would still be possible to perform the following operation, which creates a new User.
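To audit a schema for the parent-type caveat described above, the following added example (not code from the original page or from Dgraph) lists every type whose anonymous Read or Write box is unchecked but which is still reachable through the fields of a type that is checked. The schema, the `ANON` permission map and the function names are constructed for illustration, and it assumes that, because permissions apply only to the parent operation, any type reachable through nested fields at any depth is exposed, which generalizes the one-level Post/User case in the text.

```python
import re
from collections import deque

# Constructed sample schema; type and field names are hypothetical.
SCHEMA = """
type User { id: ID! name: String! posts: [Post] }
type Post { id: ID! title: String! author: User comments: [Comment] }
type Comment { id: ID! text: String! }
type AuditLog { id: ID! entry: String! }
"""

# Constructed stand-in for the Read/Write check boxes in Edit Permissions.
ANON = {
    "User": {"read": False, "write": False},
    "Post": {"read": True, "write": True},
    "Comment": {"read": False, "write": False},
    "AuditLog": {"read": False, "write": False},
}
# Per the page, a newly deployed type is anonymously readable and writable.
DEFAULT = {"read": True, "write": True}

def parse_edges(sdl):
    """Map each type to the set of schema types its fields reference."""
    blocks = dict(re.findall(r"\btype\s+(\w+)[^{]*\{([^}]*)\}", sdl))
    return {name: {ref for ref in re.findall(r":\s*\[?\s*(\w+)", body)
                   if ref in blocks}
            for name, body in blocks.items()}

def exposed_via_parent(sdl, perms, op):
    """Return {type: parents} for types denied `op` yet reachable from a
    type whose anonymous `op` permission is granted."""
    edges = parse_edges(sdl)
    allowed = lambda t: perms.get(t, DEFAULT)[op]
    findings = {}
    for root in filter(allowed, edges):
        seen, queue = {root}, deque([root])
        while queue:
            for nxt in edges[queue.popleft()] - seen:
                seen.add(nxt)
                queue.append(nxt)
                if not allowed(nxt):
                    findings.setdefault(nxt, set()).add(root)
    return findings

if __name__ == "__main__":
    for op in ("read", "write"):
        for t, parents in sorted(exposed_via_parent(SCHEMA, ANON, op).items()):
            print(f"{t}: anonymous {op} denied, reachable via {sorted(parents)}")
```

A type that appears in the output needs either its parent's anonymous permission removed or a per-type authorization rule, since unchecking its own box does not cover nested access.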