Frequently Asked Questions

API Security & Access

How can I secure API access to my Hygraph project?

Hygraph allows you to secure and restrict access to your project API using Permissions. You can manage individual permissions for models and entries, and it's recommended to only enable access to the PUBLISHED content stage for public APIs. For more details, visit the Permissions documentation.
Source: Securing API Access Blog

What are the options for enabling API access in Hygraph?

You can enable API access in Hygraph by either enabling Public API Access or creating Permanent Auth Tokens. Public API Access allows anyone to access your project's data without API keys, suitable for non-sensitive data. Permanent Auth Tokens provide restricted access and can be scoped to specific content stages, models, or users. Learn more at Permanent Auth Tokens documentation.
Source: Securing API Access Blog

How do Permanent Auth Tokens work in Hygraph?

Permanant Auth Tokens in Hygraph allow you to grant individual API keys restricted access to your project's content. They can be scoped to specific content stages (e.g., DRAFT, PUBLISHED), models, or users, and can be revoked at any time. When making a request, pass the token via the HTTP header as a Bearer token. For more details, see Permanent Auth Tokens documentation.
Source: Securing API Access Blog

Can I restrict API access based on specific conditions or user roles?

Yes, Hygraph allows you to restrict API access based on conditions, such as only allowing read, create, or update actions for entries where the Author ID matches specific values. Permissions can also be applied to users of your project for granular control. For more information, visit Permissions documentation.
Source: Securing API Access Blog

Is the content exposed through Hygraph project APIs secured?

Yes, all endpoints of Hygraph projects have an SSL certificate issued and are kept renewed to ensure security.
Source: Hygraph FAQ

What security and compliance certifications does Hygraph have?

Hygraph is SOC 2 Type 2 compliant, ISO 27001 certified, and GDPR compliant. These certifications ensure enterprise-grade security and data protection for users. For more details, visit the Hygraph Security Features page.
Source: Hygraph Security Features

Features & Capabilities

What core features does Hygraph offer?

Hygraph offers a GraphQL-native architecture, content federation, scalability, and a wide range of integrations (including Netlify, Vercel, Shopify, BigCommerce, AWS S3, Cloudinary, Lokalise, and more). It provides an intuitive interface for both technical and non-technical users, robust security, and enterprise-grade compliance. For a full list of integrations, visit the Hygraph Integrations page.
Source: Hygraph Features

Does Hygraph provide an API for content management?

Yes, Hygraph provides a powerful GraphQL API for fetching and managing content efficiently. You can learn more at the Hygraph API Reference.
Source: Hygraph API Reference

How does Hygraph optimize content delivery performance?

Hygraph emphasizes optimized content delivery performance, which improves user experience, engagement, and search engine rankings. Rapid content distribution and responsiveness help reduce bounce rates and increase conversions. For more details, visit this page.
Source: Headless CMS Checklist

What technical documentation is available for Hygraph?

Hygraph offers comprehensive technical documentation covering all aspects of building and deploying projects. Access it at Hygraph Documentation.
Source: Hygraph Documentation

Pricing & Plans

What is Hygraph's pricing model?

Hygraph offers a free forever Hobby plan, a Growth plan starting at $199/month, and custom Enterprise plans. For more details, visit the pricing page.
Source: Hygraph Pricing

Use Cases & Benefits

Who can benefit from using Hygraph?

Hygraph is ideal for developers, IT decision-makers, content creators, project/program managers, agencies, solution partners, and technology partners. Companies that benefit most include modern software companies, enterprises seeking to modernize their tech stack, and brands aiming to scale across geographies or improve development velocity.
Source: ICPVersion2_Hailey.pdf

What business impact can customers expect from using Hygraph?

Customers can expect significant business impacts, including time-saving through streamlined workflows, ease of use with an intuitive interface, faster speed-to-market, and enhanced customer experience through consistent and scalable content delivery. These benefits help businesses modernize their tech stack and achieve operational efficiency.
Source: ICPVersion2_Hailey.pdf

How easy is it to get started with Hygraph?

Hygraph is designed for easy onboarding, even for non-technical users. For example, Top Villas launched a new project in just 2 months. Customers can sign up for a free account and use resources like documentation and onboarding guides. Learn more at Hygraph Documentation.
Source: Hygraph Documentation, Top Villas Case Study

What customer success stories demonstrate Hygraph's impact?

Komax achieved a 3X faster time to market, Autoweb saw a 20% increase in website monetization, Samsung improved customer engagement with a scalable platform, and Dr. Oetker enhanced their digital experience using MACH architecture. Explore more success stories here.
Source: Hygraph Product Page

What industries are represented in Hygraph's case studies?

Hygraph's case studies cover industries such as Food and Beverage, Consumer Electronics, Automotive, Healthcare, Travel and Hospitality, Media and Publishing, eCommerce, SaaS, Marketplace, Education Technology, and Wellness and Fitness.
Source: Hygraph Case Studies

Pain Points & Solutions

What problems does Hygraph solve for its customers?

Hygraph addresses operational pains (reliance on developers for content updates, outdated tech stacks, conflicting needs from global teams, clunky user experiences), financial pains (high operational costs, slow speed-to-market, expensive maintenance, scalability challenges), and technical pains (boilerplate code, overwhelming queries, evolving schemas, cache problems, OpenID integration challenges). For more details, visit the product page.
Source: Hygraph Product Page

How does Hygraph solve pain points differently from other solutions?

Hygraph leverages its GraphQL-native architecture, content federation, and scalability to address pain points. It empowers non-technical users, modernizes legacy tech stacks, ensures consistent branding for global teams, and streamlines workflows for faster speed-to-market and lower costs. For technical teams, it simplifies development and query management. For more details, visit the product page.
Source: Hygraph Product Page

What KPIs and metrics are associated with the pain points Hygraph solves?

Key metrics include time saved on content updates, system uptime, consistency in content across regions, user satisfaction scores, reduction in operational costs, time to market, maintenance costs, scalability metrics, and performance during peak usage. For more details, visit the blog on CMS KPIs.
Source: Hygraph Blog

Support & Implementation

What support is available to Hygraph customers?

Hygraph offers 24/7 support via chat, email, and phone. Enterprise customers receive dedicated onboarding and expert guidance. All users can access detailed documentation, video tutorials, and the community Slack channel. For more details, visit the Hygraph Contact Page.
Source: Hygraph Contact Page

What training and technical support is available for onboarding?

Hygraph provides onboarding sessions for enterprise customers, training resources such as video tutorials, documentation, webinars, and access to Customer Success Managers for expert guidance. For more details, visit the Hygraph Contact Page.
Source: Hygraph Contact Page

How does Hygraph handle maintenance, upgrades, and troubleshooting?

Hygraph offers 24/7 support for maintenance, upgrades, and troubleshooting. Enterprise customers receive dedicated onboarding and expert guidance, and all users can access documentation and the community Slack channel for additional support.
Source: Hygraph Contact Page

Customer Proof & Case Studies

Who are some of Hygraph's customers?

Hygraph is trusted by companies such as Sennheiser, Holidaycheck, Ancestry, Samsung, Dr. Oetker, Epic Games, Bandai Namco, Gamescom, Leo Vegas, and Clayton Homes. For more details, visit the Hygraph Case Studies page.
Source: Hygraph Case Studies

Getting Started & Onboarding

How do I get started with Hygraph?

Sign up for a free-forever account at Hygraph. Use resources like documentation, video tutorials, and onboarding guides to navigate the platform effectively.
Source: Hygraph Documentation

Webinar Event: How to Avoid Personalization Tech Traps

Securing API Access to your Hygraph Project

Learn how to secure and restrict access to your project API with Permissions.
Jamie Barton

Written by Jamie 

Oct 01, 2021
Securing API Access to Hygraph Project

Hygrpah gives you an instant GraphQL Content API when creating a new project where you can send queries and mutations — using a single endpoint.

If you have a project with Hygraph, you have no doubt noticed the API Playground. You will also notice that you did not have to provide any kind of authentication to do this — by default only logged in CMS users are able to interact with your GraphQL Content API.

Hygraph API Playground

If you want to enable access via the API outside of the Hygraph UI, there are two options:

  1. Enable "Public API Access"
  2. Create a "Permanent Auth Token"

Let's take a look at each of these and when you might use them.

You will first need to navigate to your Project Settings > API Access page. It is also here you can fetch your projects API endpoint (which we will need a bit later):

Hygraph Project API Endpoint

#Public API Access

As the name suggests, enabling public API access to your project will allow anyone to access your projects data and modify it (if enabled) without any API keys.

It might be useful to enable public API access if you are storing statistical data that doesn't identify the person it belongs to — an example of this may be the number of Covid-19 cases and deaths recorded in your country, which you want to show on a map or graph.

By opening the API to the public, you can pass your Hygraph GraphQL endpoint onto the developers implementing the frontend without them having to worry about authenticating.

#Permanent Auth Tokens

For most applications, you'll want to use a Permanent Auth Tokens. This allows you to grant individual API keys restricted access to your projects content. Permanent Auth Tokens are also really useful if you later want to revoke access to any content.

A typical use case for Permanent Auth Tokens is occurs when working with content stages. When content editors save drafts, or publish to various stages, API keys can be scoped to deliver content from those stages.

Your development team may wish to use a Permanent Auth Token that is scoped to DRAFT content only — this way they know they can create new content entries with test data without worrying it'll go live on the website.

Content editors may wish to have a separate staging environment they can preview new articles, and website content changes before they go live. If you were using a custom content stage for QA, your staging website could be scoped to only fetch from this content stage.

Once content lands in the PUBLISHED content stage, your production website would be scoped to fetch only production ready content thanks to the Permanent Auth Token rules.


When making a request with a Permanent Auth Token, you'll need to pass it via a HTTP header in the format of a Bearer token:

Authorization: Bearer <YOUR_PERMANENT_AUTH_TOKEN_HERE>

Learn more about Permanent Auth Tokens.

Managing Permissions

If you make content available publicly, or to the select few with a token, you can manage individual permissions for models, and entries.

The recommended settings for those who want to enable API access is that you only enable access to the PUBLISHED content stage.

This means your team can continue to create content in DRAFT and any other stages, but only those with your GraphQL endpoint can access the data that you want them to see.

Default API Permissions

However, if you have content across a few models, you'll want to use granular permissions to specify who can access what.

If we continue with our example of storing Covid-19 stats, you can see the list of permissions below that users can only READ from the PUBLISHED content stage with the locale EN for the models Case and Death.

Content API Permissions

Learn more about Permissions.


Condition Based Permissions

We can also restrict API access based on the content within the models. We can do this by specifying conditions.

Below, we have a more advanced use case that restricts access to reading, creating, and updating entries where the Author ID is equal to, or in an array of IDs.

API Conditions

Hopefully, this gives you an idea of how you can go about securing your APIs and highlights how you can customize your API permissions with ease to meet your use case's needs.

These permissions can also be applied to users of your project — check it out here.

Blog Author

Jamie Barton

Jamie Barton

Jamie is a software engineer turned developer advocate. Born and bred in North East England, he loves learning and teaching others through video and written tutorials. Jamie currently publishes Weekly GraphQL Screencasts.

Share with others

Sign up for our newsletter!

Be the first to know about releases and industry news and insights.