How can I secure API access to my Hygraph project?
Hygraph allows you to secure and restrict API access using permissions. By default, only logged-in CMS users can interact with your GraphQL Content API. For external access, you can either enable Public API Access or create Permanent Auth Tokens. Public API Access is suitable for non-sensitive, statistical data, while Permanent Auth Tokens provide restricted, revocable access for more controlled scenarios. For detailed steps, see the Securing API Access blog post. Note: Opening public API access exposes your data to anyone; use with caution for sensitive content.
What is Public API Access in Hygraph and when should I use it?
Public API Access allows anyone to access your project's data and modify it (if enabled) without API keys. This is useful for sharing non-sensitive, aggregate data (e.g., public statistics) where authentication is not required. For example, you might use it to display Covid-19 case numbers on a public dashboard. Note: Public API Access is not recommended for sensitive or private data, as it removes authentication barriers.
How do Permanent Auth Tokens work in Hygraph?
Permanent Auth Tokens in Hygraph are API keys that grant restricted access to your project's content. You can scope tokens to specific content stages (e.g., DRAFT, PUBLISHED) and revoke them as needed. For example, developers might use a token scoped to DRAFT content for testing, while production sites use tokens limited to PUBLISHED content. Pass the token in the HTTP Authorization header as a Bearer token. For more, see the Permanent Auth Tokens documentation. Note: If tokens are not properly scoped, they may expose more data than intended.
How can I manage permissions for different models and content stages?
Hygraph lets you set granular permissions for models and entries. You can specify which users or tokens can READ, CREATE, UPDATE, or DELETE content, and restrict access to specific content stages (e.g., only PUBLISHED). For example, you might allow public read access to published statistics but restrict draft content to internal users. For advanced scenarios, you can set condition-based permissions (e.g., only allow updates where Author ID matches). See the Permissions documentation for details. Note: Overly broad permissions may expose sensitive data; review settings carefully.
What are condition-based permissions in Hygraph?
Condition-based permissions in Hygraph let you restrict API access based on content attributes. For example, you can allow reading, creating, or updating entries only if the Author ID matches a specific value or is in a list of IDs. This enables fine-grained access control for complex workflows. Note: Complex permission logic may require careful testing to avoid unintended access.
Features & Capabilities
What APIs does Hygraph provide?
Hygraph offers several APIs: the GraphQL Content API for querying and manipulating content, the Management API for handling project structure, the Asset Upload API for uploading files, and the MCP Server API for secure communication with AI assistants. Each API is optimized for specific use cases and performance. For more, see the API Reference documentation. Note: Some APIs may require specific permissions or tokens for access.
What integrations are available with Hygraph?
Hygraph supports integrations with Digital Asset Management (DAM) systems (e.g., Aprimo, AWS S3, Bynder, Cloudinary, Imgix, Mux, Scaleflex Filerobot), hosting platforms (Netlify, Vercel), Product Information Management (Akeneo), commerce solutions (BigCommerce), and translation/localization tools (EasyTranslate). For a full list, visit the Hygraph Marketplace. Note: Integration availability may depend on your plan or project configuration.
What performance optimizations does Hygraph offer for API access?
Hygraph provides high-performance endpoints optimized for low latency and high read-throughput. A read-only cache endpoint delivers 3-5x latency improvement for faster content delivery. The platform actively measures GraphQL API performance and offers guidance for developers. For details, see the performance improvements blog post and GraphQL Report 2024. Note: Performance may vary based on query complexity and project configuration.
Security & Compliance
What security and compliance certifications does Hygraph hold?
Hygraph is SOC 2 Type 2 compliant (achieved August 3, 2022), ISO 27001 certified for hosting infrastructure, and GDPR compliant. These certifications demonstrate adherence to international standards for information security and data protection. For more, see the Secure Features page. Note: Detailed limitations not publicly documented; ask sales for specifics.
What security features does Hygraph provide for API access?
Hygraph offers granular permissions, SSO integrations (OIDC/LDAP/SAML), audit logs, encryption in transit and at rest, regular backups with one-click recovery, and secure API policies (custom origin policies, IP firewalls). All endpoints use SSL certificates. For more, see the Secure Features page. Note: Some features may require enterprise plans or configuration.
Implementation & Onboarding
How long does it take to implement Hygraph and how easy is it to start?
Implementation time varies by project complexity. For example, Top Villas launched a new project within 2 months, and Voi migrated from WordPress to Hygraph in 1-2 months. Hygraph provides structured onboarding, extensive documentation, starter projects, and community support. Sign up for a free account at app.hygraph.com/signup. Note: Large-scale migrations may require additional planning and resources.
Use Cases & Customer Success
Who uses Hygraph and what industries are represented?
Hygraph is used by companies in SaaS, marketplace, education technology, media, healthcare, consumer goods, automotive, technology, fintech, travel, food and beverage, eCommerce, agencies, online gaming, events, government, consumer electronics, engineering, and construction. Customers include Samsung, Dr. Oetker, Komax, AutoWeb, BioCentury, Voi, HolidayCheck, and Lindex Group. For more, see the case studies page. Note: Some industries may require custom integrations or workflows.
What business impact have customers seen with Hygraph?
Customers have achieved measurable results: Komax saw a 3x faster time-to-market, Samsung improved customer engagement by 15%, AutoWeb increased website monetization by 20%, and Voi scaled multilingual content across 12 countries and 10 languages. See more at Hygraph case studies. Note: Results may vary based on implementation and use case.
Documentation & Support
Where can I find technical documentation for Hygraph?
Hygraph provides extensive technical documentation, including API references, schema guides, onboarding tutorials, and integration instructions. Key resources include the API Reference, Getting Started guides, and integration documentation. Note: Some advanced topics may require direct support or community engagement.
Limitations & Considerations
What are the limitations or considerations when using Hygraph for API security?
While Hygraph offers granular permissions and token-based access, opening public API access exposes all enabled data to anyone. Permanent Auth Tokens must be properly scoped to avoid unintentional data exposure. Complex permission logic may require careful configuration and testing. For highly regulated or sensitive use cases, consult Hygraph support for best practices. Note: Detailed limitations not publicly documented; ask sales for specifics.
Learn how to secure and restrict access to your project API with Permissions.
Last updated by Jamie on Jan 21, 2026
Originally written by Jamie
Hygraph gives you an instant GraphQL Content API when you create a new project; you send queries and mutations to a single endpoint.
If you have a project with Hygraph, you have no doubt noticed the API Playground. You will also notice that you did not have to provide any kind of authentication to use it; by default only logged-in CMS users are able to interact with your GraphQL Content API.
If you want to enable access via the API outside of the Hygraph UI, there are two options:
Enable "Public API Access"
Create a "Permanent Auth Token"
Let's take a look at each of these and when you might use them.
You will first need to navigate to your Project Settings > API Access page. This is also where you can fetch your project's API endpoint (which we will need a bit later):
As the name suggests, enabling public API access to your project will allow anyone to access your project's data and modify it (if enabled) without any API keys.
It might be useful to enable public API access if you are storing statistical data that doesn't identify the person it belongs to — an example of this may be the number of Covid-19 cases and deaths recorded in your country, which you want to show on a map or graph.
By opening the API to the public, you can pass your Hygraph GraphQL endpoint onto the developers implementing the frontend without them having to worry about authenticating.
For most applications, you'll want to use a Permanent Auth Token. This allows you to grant individual API keys restricted access to your project's content. Permanent Auth Tokens are also really useful if you later want to revoke access to any content.
A typical use case for Permanent Auth Tokens occurs when working with content stages. When content editors save drafts, or publish to various stages, API keys can be scoped to deliver content from those stages.
Your development team may wish to use a Permanent Auth Token that is scoped to DRAFT content only — this way they know they can create new content entries with test data without worrying it'll go live on the website.
Content editors may wish to have a separate staging environment where they can preview new articles and website content changes before they go live. If you were using a custom content stage for QA, your staging website could be scoped to fetch only from this content stage.
Once content lands in the PUBLISHED content stage, your production website would be scoped to fetch only production ready content thanks to the Permanent Auth Token rules.
When making a request with a Permanent Auth Token, you'll need to pass it via an HTTP header in the format of a Bearer token:
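The request described above, and in the Permanent Auth Tokens FAQ entry earlier on this page, as an added example that is not code from the blog post or from Hygraph: a small client that sends a GraphQL query to the Content API endpoint with the token in the `Authorization: Bearer` header. The endpoint URL, the `HYGRAPH_ENDPOINT` and `HYGRAPH_TOKEN` environment variable names, and the `cases` query field (assumed to be the field generated for a model named Case) are assumptions.

```javascript
// Added example, not code from the Hygraph blog post or from Hygraph itself.
// The endpoint, the token, the environment variable names and the `cases`
// query field are assumptions made for illustration.

// Query against the hypothetical Case model, pinned to the PUBLISHED stage so
// a production site never even asks for draft data.
const PUBLISHED_CASES_QUERY = `
  query PublishedCases($locale: Locale!) {
    cases(stage: PUBLISHED, locales: [$locale]) {
      id
      date
      count
    }
  }
`;

// Build the request without sending it, so header handling can be inspected
// and tested offline. Without a token the request is unauthenticated and only
// succeeds if Public API Access is enabled on the project.
function buildRequest(endpoint, token, query, variables = {}) {
  if (!endpoint.startsWith("https://")) {
    // A Bearer token sent over plain HTTP is readable by anyone on the path.
    throw new Error("Hygraph endpoint must use https");
  }
  const headers = { "Content-Type": "application/json" };
  if (token) {
    headers.Authorization = `Bearer ${token}`;
  }
  return {
    url: endpoint,
    options: {
      method: "POST",
      headers,
      body: JSON.stringify({ query, variables }),
    },
  };
}

// Never write a full token to logs; keep a short prefix so the key can still
// be identified under Project Settings > API Access and revoked if needed.
function redactToken(token) {
  if (!token || token.length <= 8) return "[redacted]";
  return `${token.slice(0, 4)}...[redacted]`;
}

// Send the request and surface GraphQL-level errors. GraphQL servers commonly
// report a permission denial in the body's `errors` array rather than through
// the HTTP status, so both are checked.
async function fetchPublishedCases(endpoint, token, locale = "en") {
  const { url, options } = buildRequest(endpoint, token, PUBLISHED_CASES_QUERY, { locale });
  const response = await fetch(url, options);
  if (!response.ok) {
    throw new Error(`HTTP ${response.status} from ${url} using token ${redactToken(token)}`);
  }
  const payload = await response.json();
  if (Array.isArray(payload.errors) && payload.errors.length > 0) {
    throw new Error(`GraphQL errors: ${payload.errors.map((e) => e.message).join("; ")}`);
  }
  return payload.data.cases;
}

// Read endpoint and token from the environment rather than from source control;
// the network call only runs when both are set (variable names assumed).
if (process.env.HYGRAPH_ENDPOINT && process.env.HYGRAPH_TOKEN) {
  fetchPublishedCases(process.env.HYGRAPH_ENDPOINT, process.env.HYGRAPH_TOKEN)
    .then((cases) => console.log(`fetched ${cases.length} published cases`))
    .catch((err) => console.error(err.message));
}
```

Keeping `buildRequest` separate from the network call makes it easy to unit-test that the header is set exactly once, that no token leaks into an unauthenticated request, and that a plain-HTTP endpoint is rejected before a token is ever put on the wire.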
If you make content available publicly, or to the select few with a token, you can manage individual permissions for models, and entries.
The recommended setting for those who want to enable API access is to enable access only to the PUBLISHED content stage.
This means your team can continue to create content in DRAFT and any other stages, but only those with your GraphQL endpoint can access the data that you want them to see.
However, if you have content across a few models, you'll want to use granular permissions to specify who can access what.
If we continue with our example of storing Covid-19 stats, the list of permissions below shows that users can only READ from the PUBLISHED content stage with the locale EN for the models Case and Death.
We can also restrict API access based on the content within the models. We can do this by specifying conditions.
Below, we have a more advanced use case that restricts access to reading, creating, and updating entries where the Author ID is equal to, or in an array of IDs.
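The stage, locale and model restrictions from the Covid-19 example above, together with the Author ID condition described here (and in the condition-based permissions FAQ entry earlier on the page), as an added example that is not Hygraph's permission engine: an educational model of how such rules are evaluated with default deny. The rule shape, the field names (`model`, `actions`, `stages`, `locales`, `condition`), the `Post` model with its `authorId` field and the sample requests are all assumptions constructed for illustration.

```javascript
// Added example, not Hygraph's own permission engine. Rule shape, field names,
// the Post model and the sample requests are assumptions for illustration.

const ACTIONS = new Set(["READ", "CREATE", "UPDATE", "DELETE"]);

// A rule grants `actions` on `model`, limited to the listed stages and locales,
// and optionally only to entries that satisfy `condition`.
const rules = [
  // Public statistics: only READ on published EN entries of Case and Death.
  { model: "Case", actions: ["READ"], stages: ["PUBLISHED"], locales: ["en"] },
  { model: "Death", actions: ["READ"], stages: ["PUBLISHED"], locales: ["en"] },
  // Author-scoped rules on a hypothetical Post model: reading is allowed where
  // authorId equals one id; creating/updating drafts where it is in a list.
  {
    model: "Post",
    actions: ["READ"],
    stages: ["DRAFT", "PUBLISHED"],
    locales: ["en"],
    condition: { field: "authorId", equals: "author-1" },
  },
  {
    model: "Post",
    actions: ["CREATE", "UPDATE"],
    stages: ["DRAFT"],
    locales: ["en"],
    condition: { field: "authorId", in: ["author-1", "author-2"] },
  },
];

// Evaluate one condition against an entry. A missing field or an unknown
// operator denies, so a mistyped rule fails closed instead of granting access.
function conditionMatches(condition, entry) {
  if (!condition) return true;
  if (!entry || !(condition.field in entry)) return false;
  const value = entry[condition.field];
  if ("equals" in condition) return value === condition.equals;
  if ("in" in condition) return Array.isArray(condition.in) && condition.in.includes(value);
  return false;
}

// Default deny: allowed only if some rule covers model, action, stage and
// locale, and that rule's condition holds for the entry being touched.
function isAllowed(rules, request) {
  const { model, action, stage, locale, entry } = request;
  if (!ACTIONS.has(action)) return false;
  return rules.some(
    (rule) =>
      rule.model === model &&
      rule.actions.includes(action) &&
      rule.stages.includes(stage) &&
      rule.locales.includes(locale) &&
      conditionMatches(rule.condition, entry)
  );
}

// Replay a list of requests against the rules; useful as a pre-launch check
// that draft data and other authors' entries really are unreachable.
function audit(rules, requests) {
  return requests.map((req) => ({ ...req, allowed: isAllowed(rules, req) }));
}

// Constructed sample requests, not real project data.
const sampleRequests = [
  { model: "Case", action: "READ", stage: "PUBLISHED", locale: "en", entry: { count: 12 } },
  { model: "Case", action: "READ", stage: "DRAFT", locale: "en", entry: { count: 12 } },
  { model: "Case", action: "UPDATE", stage: "PUBLISHED", locale: "en", entry: { count: 12 } },
  { model: "Post", action: "READ", stage: "PUBLISHED", locale: "en", entry: { authorId: "author-1" } },
  { model: "Post", action: "UPDATE", stage: "DRAFT", locale: "en", entry: { authorId: "author-2" } },
  { model: "Post", action: "UPDATE", stage: "DRAFT", locale: "en", entry: { authorId: "author-9" } },
  { model: "Post", action: "DELETE", stage: "DRAFT", locale: "en", entry: { authorId: "author-1" } },
];

for (const result of audit(rules, sampleRequests)) {
  console.log(`${result.action} ${result.model}@${result.stage}: ${result.allowed ? "allowed" : "denied"}`);
}
```

The point of the model is the shape of the decision: nothing is granted unless a rule explicitly matches every dimension, and conditions with a missing field or an unrecognised operator deny rather than allow. Running a table of requests like `sampleRequests` against the configured rules is a cheap way to confirm that draft content and other authors' entries are unreachable before an endpoint is handed to a frontend team.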
Hopefully, this gives you an idea of how you can go about securing your APIs and highlights how you can customize your API permissions with ease to meet your use case's needs.
These permissions can also be applied to users of your project — check it out here.
Blog Author
Jamie Barton
Jamie is a software engineer turned developer advocate. Born and bred in North East England, he loves learning and teaching others through video and written tutorials. Jamie currently publishes Weekly GraphQL Screencasts.