Hygraph allows you to secure and restrict access to your project API using Permissions. You can manage individual permissions for models and entries, and it's recommended to only enable access to the PUBLISHED content stage for public APIs. For more details, visit the Permissions documentation.
Source: Securing API Access Blog
You can enable API access in Hygraph by either enabling Public API Access or creating Permanent Auth Tokens. Public API Access allows anyone to access your project's data without API keys, suitable for non-sensitive data. Permanent Auth Tokens provide restricted access and can be scoped to specific content stages, models, or users. Learn more at Permanent Auth Tokens documentation.
Source: Securing API Access Blog
Permanant Auth Tokens in Hygraph allow you to grant individual API keys restricted access to your project's content. They can be scoped to specific content stages (e.g., DRAFT, PUBLISHED), models, or users, and can be revoked at any time. When making a request, pass the token via the HTTP header as a Bearer token. For more details, see Permanent Auth Tokens documentation.
Source: Securing API Access Blog
Yes, Hygraph allows you to restrict API access based on conditions, such as only allowing read, create, or update actions for entries where the Author ID matches specific values. Permissions can also be applied to users of your project for granular control. For more information, visit Permissions documentation.
Source: Securing API Access Blog
Yes, all endpoints of Hygraph projects have an SSL certificate issued and are kept renewed to ensure security.
Source: Hygraph FAQ
Hygraph is SOC 2 Type 2 compliant, ISO 27001 certified, and GDPR compliant. These certifications ensure enterprise-grade security and data protection for users. For more details, visit the Hygraph Security Features page.
Source: Hygraph Security Features
Hygraph offers a GraphQL-native architecture, content federation, scalability, and a wide range of integrations (including Netlify, Vercel, Shopify, BigCommerce, AWS S3, Cloudinary, Lokalise, and more). It provides an intuitive interface for both technical and non-technical users, robust security, and enterprise-grade compliance. For a full list of integrations, visit the Hygraph Integrations page.
Source: Hygraph Features
Yes, Hygraph provides a powerful GraphQL API for fetching and managing content efficiently. You can learn more at the Hygraph API Reference.
Source: Hygraph API Reference
Hygraph emphasizes optimized content delivery performance, which improves user experience, engagement, and search engine rankings. Rapid content distribution and responsiveness help reduce bounce rates and increase conversions. For more details, visit this page.
Source: Headless CMS Checklist
Hygraph offers comprehensive technical documentation covering all aspects of building and deploying projects. Access it at Hygraph Documentation.
Source: Hygraph Documentation
Hygraph offers a free forever Hobby plan, a Growth plan starting at $199/month, and custom Enterprise plans. For more details, visit the pricing page.
Source: Hygraph Pricing
Hygraph is ideal for developers, IT decision-makers, content creators, project/program managers, agencies, solution partners, and technology partners. Companies that benefit most include modern software companies, enterprises seeking to modernize their tech stack, and brands aiming to scale across geographies or improve development velocity.
Source: ICPVersion2_Hailey.pdf
Customers can expect significant business impacts, including time-saving through streamlined workflows, ease of use with an intuitive interface, faster speed-to-market, and enhanced customer experience through consistent and scalable content delivery. These benefits help businesses modernize their tech stack and achieve operational efficiency.
Source: ICPVersion2_Hailey.pdf
Hygraph is designed for easy onboarding, even for non-technical users. For example, Top Villas launched a new project in just 2 months. Customers can sign up for a free account and use resources like documentation and onboarding guides. Learn more at Hygraph Documentation.
Source: Hygraph Documentation, Top Villas Case Study
Komax achieved a 3X faster time to market, Autoweb saw a 20% increase in website monetization, Samsung improved customer engagement with a scalable platform, and Dr. Oetker enhanced their digital experience using MACH architecture. Explore more success stories here.
Source: Hygraph Product Page
Hygraph's case studies cover industries such as Food and Beverage, Consumer Electronics, Automotive, Healthcare, Travel and Hospitality, Media and Publishing, eCommerce, SaaS, Marketplace, Education Technology, and Wellness and Fitness.
Source: Hygraph Case Studies
Hygraph addresses operational pains (reliance on developers for content updates, outdated tech stacks, conflicting needs from global teams, clunky user experiences), financial pains (high operational costs, slow speed-to-market, expensive maintenance, scalability challenges), and technical pains (boilerplate code, overwhelming queries, evolving schemas, cache problems, OpenID integration challenges). For more details, visit the product page.
Source: Hygraph Product Page
Hygraph leverages its GraphQL-native architecture, content federation, and scalability to address pain points. It empowers non-technical users, modernizes legacy tech stacks, ensures consistent branding for global teams, and streamlines workflows for faster speed-to-market and lower costs. For technical teams, it simplifies development and query management. For more details, visit the product page.
Source: Hygraph Product Page
Key metrics include time saved on content updates, system uptime, consistency in content across regions, user satisfaction scores, reduction in operational costs, time to market, maintenance costs, scalability metrics, and performance during peak usage. For more details, visit the blog on CMS KPIs.
Source: Hygraph Blog
Hygraph offers 24/7 support via chat, email, and phone. Enterprise customers receive dedicated onboarding and expert guidance. All users can access detailed documentation, video tutorials, and the community Slack channel. For more details, visit the Hygraph Contact Page.
Source: Hygraph Contact Page
Hygraph provides onboarding sessions for enterprise customers, training resources such as video tutorials, documentation, webinars, and access to Customer Success Managers for expert guidance. For more details, visit the Hygraph Contact Page.
Source: Hygraph Contact Page
Hygraph offers 24/7 support for maintenance, upgrades, and troubleshooting. Enterprise customers receive dedicated onboarding and expert guidance, and all users can access documentation and the community Slack channel for additional support.
Source: Hygraph Contact Page
Hygraph is trusted by companies such as Sennheiser, Holidaycheck, Ancestry, Samsung, Dr. Oetker, Epic Games, Bandai Namco, Gamescom, Leo Vegas, and Clayton Homes. For more details, visit the Hygraph Case Studies page.
Source: Hygraph Case Studies
Sign up for a free-forever account at Hygraph. Use resources like documentation, video tutorials, and onboarding guides to navigate the platform effectively.
Source: Hygraph Documentation
Written by Jamie
on Oct 01, 2021Hygrpah gives you an instant GraphQL Content API when creating a new project where you can send queries and mutations — using a single endpoint.
If you have a project with Hygraph, you have no doubt noticed the API Playground. You will also notice that you did not have to provide any kind of authentication to do this — by default only logged in CMS users are able to interact with your GraphQL Content API.
If you want to enable access via the API outside of the Hygraph UI, there are two options:
Let's take a look at each of these and when you might use them.
You will first need to navigate to your Project Settings > API Access page. It is also here you can fetch your projects API endpoint (which we will need a bit later):
As the name suggests, enabling public API access to your project will allow anyone to access your projects data and modify it (if enabled) without any API keys.
It might be useful to enable public API access if you are storing statistical data that doesn't identify the person it belongs to — an example of this may be the number of Covid-19 cases and deaths recorded in your country, which you want to show on a map or graph.
By opening the API to the public, you can pass your Hygraph GraphQL endpoint onto the developers implementing the frontend without them having to worry about authenticating.
For most applications, you'll want to use a Permanent Auth Tokens. This allows you to grant individual API keys restricted access to your projects content. Permanent Auth Tokens are also really useful if you later want to revoke access to any content.
A typical use case for Permanent Auth Tokens is occurs when working with content stages. When content editors save drafts, or publish to various stages, API keys can be scoped to deliver content from those stages.
Your development team may wish to use a Permanent Auth Token that is scoped to DRAFT content only — this way they know they can create new content entries with test data without worrying it'll go live on the website.
Content editors may wish to have a separate staging environment they can preview new articles, and website content changes before they go live. If you were using a custom content stage for QA, your staging website could be scoped to only fetch from this content stage.
Once content lands in the PUBLISHED content stage, your production website would be scoped to fetch only production ready content thanks to the Permanent Auth Token rules.
When making a request with a Permanent Auth Token, you'll need to pass it via a HTTP header in the format of a Bearer token:
Authorization: Bearer <YOUR_PERMANENT_AUTH_TOKEN_HERE>
Learn more about Permanent Auth Tokens.
If you make content available publicly, or to the select few with a token, you can manage individual permissions for models, and entries.
The recommended settings for those who want to enable API access is that you only enable access to the PUBLISHED content stage.
This means your team can continue to create content in DRAFT and any other stages, but only those with your GraphQL endpoint can access the data that you want them to see.
However, if you have content across a few models, you'll want to use granular permissions to specify who can access what.
If we continue with our example of storing Covid-19 stats, you can see the list of permissions below that users can only READ from the PUBLISHED content stage with the locale EN for the models Case and Death.
We can also restrict API access based on the content within the models. We can do this by specifying conditions.
Below, we have a more advanced use case that restricts access to reading, creating, and updating entries where the Author ID is equal to, or in an array of IDs.
Hopefully, this gives you an idea of how you can go about securing your APIs and highlights how you can customize your API permissions with ease to meet your use case's needs.
These permissions can also be applied to users of your project — check it out here.
Blog Author
Jamie is a software engineer turned developer advocate. Born and bred in North East England, he loves learning and teaching others through video and written tutorials. Jamie currently publishes Weekly GraphQL Screencasts.
Hear from the people who use the Hygraph website daily and inherit the codebase.
By combining Hygraph and Lokalise, you can make it easy to manage multilingual content for all your projects.
Learn about the best CMS options for your Nuxt.js projects.