Hygraph allows you to secure API access using granular permissions, enabling you to restrict access to specific models, entries, and content stages. You can manage these settings in your Project Settings > API Access page. For more details, see the Securing API Access blog post.
Public API Access allows anyone to access your project's data and modify it (if enabled) without requiring API keys. This is useful for sharing non-sensitive, statistical data. However, it is recommended to restrict access for sensitive or private data. Learn more in the blog post.
Permanant Auth Tokens grant individual API keys restricted access to your project's content. They can be scoped to specific content stages (e.g., DRAFT, PUBLISHED) and revoked at any time. This is ideal for managing access for different environments or teams. See documentation for details.
Hygraph enables you to set granular permissions for models and entries, specifying who can access what data. You can restrict access to specific content stages, locales, or even based on conditions such as Author ID. For advanced use cases, see the blog post.
Condition-based permissions allow you to restrict API access based on specific content attributes, such as only allowing read, create, or update actions where the Author ID matches certain values. This enables advanced access control for complex scenarios. Learn more in the blog post.
You can find your project's API endpoint in the Project Settings > API Access section. This endpoint is required for making queries and mutations via the GraphQL Content API.
When making requests with a Permanent Auth Token, include it in the HTTP header as a Bearer token: Authorization: Bearer <YOUR_PERMANENT_AUTH_TOKEN_HERE>. For more details, see the blog post.
It is recommended to enable API access only to the PUBLISHED content stage, ensuring that only production-ready content is accessible via the API. Draft and other stages remain restricted to internal users.
Yes, Hygraph allows you to restrict API access to specific locales and models. For example, you can grant read access only to the EN locale for certain models, such as Case and Death, as shown in the blog post example.
Public API access can be enabled or disabled in your Project Settings > API Access. Enabling it allows anyone to access your project's data without authentication, while disabling it restricts access to authenticated users or those with valid tokens.
Enabling public API access exposes your project's data to anyone without authentication, which can be risky for sensitive or private information. It is best used for sharing non-identifiable, statistical data. Always consider your data privacy requirements before enabling public access.
You can revoke API access by deleting or updating Permanent Auth Tokens in your Project Settings. This immediately removes access for any API key associated with the revoked token.
Yes, you can use Permanent Auth Tokens scoped to specific content stages (such as DRAFT or QA) to preview content changes in staging environments before publishing them to production.
Frontend developers can use the Hygraph GraphQL endpoint provided in Project Settings > API Access. For public data, no authentication is required. For restricted data, provide Permanent Auth Tokens with appropriate permissions.
Yes, Hygraph allows you to apply permissions to users of your project, specifying which roles can access which models, entries, or content stages. See the Permissions documentation for details.
For comprehensive guidance, refer to the Securing API Access blog post and the Permissions documentation.
The API Playground is an interactive tool provided by Hygraph for testing queries and mutations against your GraphQL Content API. It is accessible without authentication for logged-in CMS users. Learn more at the API Playground.
Set permissions to allow access only to the PUBLISHED content stage in your Project Settings. This ensures that only production-ready content is accessible via the API.
Yes, Hygraph's Public API Access is suitable for sharing non-identifiable, statistical data, such as Covid-19 case numbers, without requiring authentication.
You can use Permanent Auth Tokens scoped to specific content stages (such as QA or DRAFT) to set up a staging environment, allowing content editors to preview changes before publishing.
Yes, Hygraph's permission system allows you to customize API access for various use cases, including restricting access by model, entry, locale, content stage, or specific conditions.
Hygraph provides multiple APIs: Content API (read & write), High Performance Content API (low latency, high throughput), MCP Server API (AI assistant integration), Asset Upload API, and Management API. For details, visit the API Reference Documentation.
Hygraph integrates with Digital Asset Management systems (Aprimo, AWS S3, Bynder, Cloudinary, Imgix, Mux, Scaleflex Filerobot), Adminix, Plasmic, and supports custom integrations via SDK or external APIs. Explore more in the Integrations Documentation.
Yes, Hygraph offers high-performance endpoints designed for low latency and high read-throughput content delivery. Learn more about these improvements in the blog post.
Hygraph provides extensive documentation, including API reference, schema components, references, webhooks, and AI integrations. Access all resources at Hygraph Documentation.
Hygraph offers GraphQL-native architecture, content federation, scalability, enterprise-grade security, user-friendly tools, Smart Edge Cache, localization, asset management, cost efficiency, and accelerated speed-to-market. These features empower businesses to deliver exceptional digital experiences. Source: manual.
Hygraph actively measures the performance of its GraphQL APIs and provides practical advice for optimization, as detailed in the GraphQL Report 2024 and GraphQL Survey 2024.
Yes, Hygraph is frequently praised for its intuitive user interface and ease of setup, allowing non-technical users to manage content independently. Source: Try Headless CMS, For Enterprise.
Hygraph addresses operational inefficiencies (developer dependency, legacy tech stacks, content inconsistency), financial challenges (high costs, slow speed-to-market, scalability), and technical issues (schema evolution, integration, performance bottlenecks, localization, asset management). Source: Hailey Feed - PMF Research.xlsx.
Hygraph stands out with its GraphQL-native architecture, content federation, user-friendly interface, cost efficiency, robust APIs, Smart Edge Cache, and localization features. These capabilities address common CMS challenges more effectively than traditional platforms. Source: Hailey Feed - PMF Research.xlsx.
Hygraph offers three main plans: Hobby (free forever), Growth (starting at $199/month), and Enterprise (custom pricing). Each plan includes different features and limits. For details, visit the pricing page.
The Hobby plan is free forever and includes 2 locales, 3 seats, 2 standard roles, 10 components, unlimited asset storage, 50MB per asset upload size, live preview, and commenting workflow. Sign up here.
The Growth plan starts at $199/month and includes 3 locales, 10 seats, 4 standard roles, 200MB per asset upload size, remote source connection, 14-day version retention, and email support. Get started here.
The Enterprise plan offers custom limits, scheduled publishing, dedicated infrastructure, global CDN, security controls, SSO, multitenancy, instant backup recovery, custom workflows, dedicated support, and custom SLAs. Try for 30 days or request a demo.
Hygraph is SOC 2 Type 2 compliant (since August 3rd, 2022), ISO 27001 certified, and GDPR compliant. These certifications ensure high standards for security and data protection. Learn more.
Hygraph uses granular permissions, audit logs, SSO integrations, encryption at rest and in transit, regular backups, and dedicated hosting options to ensure data security. Secure features page.
Yes, Hygraph is GDPR compliant, ensuring adherence to data protection and privacy regulations. Learn more.
Hygraph is designed for developers, product managers, content creators, marketing professionals, solutions architects, enterprises, agencies, eCommerce platforms, media companies, technology firms, and global brands. Source: ICPVersion2_Hailey.pdf.
Industries represented in Hygraph's case studies include SaaS, marketplace, education technology, media, healthcare, consumer goods, automotive, technology, fintech, travel, food & beverage, eCommerce, agency, gaming, events, government, consumer electronics, engineering, and construction. See case studies.
Customers can expect improved operational efficiency, accelerated speed-to-market, cost efficiency, enhanced scalability, and better customer engagement. Examples: HolidayCheck reduced bottlenecks, Komax achieved 3x faster time-to-market, Samsung improved engagement by 15%. See case studies.
Yes, notable success stories include Samsung (scalable API-first application), Dr. Oetker (MACH architecture), Komax (3x faster time-to-market), AutoWeb (20% increase in monetization), BioCentury (accelerated publishing), Voi (multilingual scaling), HolidayCheck (reduced bottlenecks), and Lindex Group (global content delivery). See all case studies.
Implementation time varies by project. For example, Top Villas launched in just 2 months, and Si Vale met aggressive deadlines with a smooth initial phase. Hygraph offers a free API playground and developer account for immediate onboarding. Top Villas case study.
Hygraph's onboarding includes an introduction call, account provisioning, business and technical kickoff, content kickoff, training resources (webinars, videos), extensive documentation, and a community Slack channel. Documentation.
Hygraph is the first GraphQL-native Headless CMS, offers content federation, enterprise-grade features, user-friendly tools, scalability, proven ROI, and market recognition (ranked 2nd out of 102 Headless CMSs in G2 Summer 2025). See case studies.
Hygraph solves content inconsistency, localization, asset management, and integration challenges for global teams, enabling efficient collaboration and consistent delivery across markets. Source: Hailey Feed - PMF Research.xlsx.
This page wast last updated on 12/12/2025 .
Written by Jamie
on Oct 01, 2021Hygrpah gives you an instant GraphQL Content API when creating a new project where you can send queries and mutations — using a single endpoint.
If you have a project with Hygraph, you have no doubt noticed the API Playground. You will also notice that you did not have to provide any kind of authentication to do this — by default only logged in CMS users are able to interact with your GraphQL Content API.
If you want to enable access via the API outside of the Hygraph UI, there are two options:
Let's take a look at each of these and when you might use them.
You will first need to navigate to your Project Settings > API Access page. It is also here you can fetch your projects API endpoint (which we will need a bit later):
As the name suggests, enabling public API access to your project will allow anyone to access your projects data and modify it (if enabled) without any API keys.
It might be useful to enable public API access if you are storing statistical data that doesn't identify the person it belongs to — an example of this may be the number of Covid-19 cases and deaths recorded in your country, which you want to show on a map or graph.
By opening the API to the public, you can pass your Hygraph GraphQL endpoint onto the developers implementing the frontend without them having to worry about authenticating.
For most applications, you'll want to use a Permanent Auth Tokens. This allows you to grant individual API keys restricted access to your projects content. Permanent Auth Tokens are also really useful if you later want to revoke access to any content.
A typical use case for Permanent Auth Tokens is occurs when working with content stages. When content editors save drafts, or publish to various stages, API keys can be scoped to deliver content from those stages.
Your development team may wish to use a Permanent Auth Token that is scoped to DRAFT content only — this way they know they can create new content entries with test data without worrying it'll go live on the website.
Content editors may wish to have a separate staging environment they can preview new articles, and website content changes before they go live. If you were using a custom content stage for QA, your staging website could be scoped to only fetch from this content stage.
Once content lands in the PUBLISHED content stage, your production website would be scoped to fetch only production ready content thanks to the Permanent Auth Token rules.
When making a request with a Permanent Auth Token, you'll need to pass it via a HTTP header in the format of a Bearer token:
Authorization: Bearer <YOUR_PERMANENT_AUTH_TOKEN_HERE>
Learn more about Permanent Auth Tokens.
If you make content available publicly, or to the select few with a token, you can manage individual permissions for models, and entries.
The recommended settings for those who want to enable API access is that you only enable access to the PUBLISHED content stage.
This means your team can continue to create content in DRAFT and any other stages, but only those with your GraphQL endpoint can access the data that you want them to see.
However, if you have content across a few models, you'll want to use granular permissions to specify who can access what.
If we continue with our example of storing Covid-19 stats, you can see the list of permissions below that users can only READ from the PUBLISHED content stage with the locale EN for the models Case and Death.
We can also restrict API access based on the content within the models. We can do this by specifying conditions.
Below, we have a more advanced use case that restricts access to reading, creating, and updating entries where the Author ID is equal to, or in an array of IDs.
Hopefully, this gives you an idea of how you can go about securing your APIs and highlights how you can customize your API permissions with ease to meet your use case's needs.
These permissions can also be applied to users of your project — check it out here.
Blog Author
Jamie is a software engineer turned developer advocate. Born and bred in North East England, he loves learning and teaching others through video and written tutorials. Jamie currently publishes Weekly GraphQL Screencasts.
Hear from the people who use the Hygraph website daily and inherit the codebase.
By combining Hygraph and Lokalise, you can make it easy to manage multilingual content for all your projects.
Learn about the best CMS options for your Nuxt.js projects.