What are Hygraph's advanced permissions and how do they work?
Hygraph's advanced permissions feature allows you to configure granular access controls for content within a project. Permissions can be set for the Public API, individual Permanent Auth Tokens (PATs), and custom roles. You can expose only part of your content via Public API or allow specific actions (read, create, update, delete, publish, unpublish) for certain models using a PAT or custom role. Permissions are environment-specific for content, meaning you can have different settings for 'master' and 'development' environments. Management API permissions are global and apply across all environments in a project. Note: Custom roles have no permissions by default and must be configured explicitly. Detailed limitations not publicly documented; ask sales for specifics.
What actions can be controlled with Hygraph's permission system?
The permission system supports seven action types: Read, Read versions, Create, Update, Delete, Publish, and Unpublish. Each action can be granted to Public API, PATs, or custom roles for all models or specific content model types. Some actions require additional permissions to function correctly (e.g., Delete requires Read and Unpublish on all stages except Draft). Note: Permissions must be carefully configured to avoid errors or unintended access. Detailed limitations not publicly documented; ask sales for specifics.
How can I set up read-only access for the Public API in Hygraph?
To expose all data in read-only mode via the Public API, navigate to Project Settings > API Access > Content API, create a new permission, select 'All' for models, check 'Read', and keep defaults for locales and stages. This enables Public API access with Read permissions. Note: Only read access is granted; mutating content requires additional permissions. For more details, see Authorization documentation.
How do Permanent Auth Tokens (PATs) work with permissions?
PATs allow granular permissions for accessing content. You can configure a PAT to read and mutate only documents of a specific model (e.g., Post model from Blog Starter). To do this, add a token in Project Settings > API Access > Permanent Auth Tokens, configure permissions for the desired model and actions (Read, Create, Update). Note: With basic settings, related models (Author, Asset, SEO) are not accessible unless permissions are set for those models. For more details, see PAT authentication documentation. Limitation: Permissions for related models must be managed separately.
How can I use conditions to restrict access in Hygraph permissions?
Custom conditions can be used to further limit access to content. Build a query with a 'where' clause in the API playground, then use the stringified clause as a permission condition. For example, restrict access to posts with specific tags or to posts related to a particular author. Note: Conditions must be manually updated if the data model changes, and cannot be set for localized fields or use search capabilities. For more details, see Conditions documentation.
What are the limits for custom permissions in Hygraph?
For the initial release, up to 50 custom permissions can be set up per environment in a Hygraph project. These can be distributed across Public API, PATs, and Custom Roles as needed. Note: Exceeding this limit is not supported; plan permission distribution accordingly. For more details, see Environments documentation.
How do permissions interact with models that have relations?
When setting permissions on models with relations, permissions may be required on both models to perform certain actions. For example, updating a Post to connect with an Author requires update permissions on both Post and Author models. Note: Missing permissions on related models can cause errors or prevent actions. For more details, see Relations documentation.
What considerations are there for locale-specific permissions?
Permissions allow for granular locale configuration. To perform actions on a base document (e.g., create a new document with non-localized fields), access to the default locale is required. Note: Restricting access to certain locales may impact content creation and management. For more details, see Locales documentation.
How do permissions affect user attribution fields in Hygraph?
To display information related to content user attribution (createdBy, updatedBy, publishedBy), permissions must include read access to the User system model. Missing these permissions can result in 'not allowed' errors when mutating content from the content view form. Note: Custom roles interacting with the UI require Read access to the User model and Read Versions for versioning. For more details, see User model documentation.
Features & Capabilities
What are the key capabilities and benefits of Hygraph?
Hygraph offers a GraphQL-native architecture, content federation, enterprise-grade security and compliance, user-friendly tools for non-technical users, scalability, high-performance endpoints, and proven ROI. Case studies include Komax achieving 3X faster time-to-market and Samsung improving customer engagement by 15%. Limitation: Detailed limitations not publicly documented; ask sales for specifics. Source: Samsung case study, Komax case study.
What integrations are available with Hygraph?
Hygraph provides integrations with Digital Asset Management systems (Aprimo, AWS S3, Bynder, Cloudinary, Imgix, Mux, Scaleflex Filerobot), hosting platforms (Netlify, Vercel), Product Information Management (Akeneo), commerce solutions (BigCommerce), translation/localization (EasyTranslate), and others (Adminix, Plasmic). For a complete list, visit Hygraph's Marketplace. Limitation: Integration capabilities may vary by plan and technical requirements.
Does Hygraph offer APIs for content and asset management?
Yes, Hygraph provides multiple APIs: GraphQL Content API (optimized for high performance and low latency), Management API (handles structural elements via Management SDK), Asset Upload API (for uploading assets), and MCP Server API (for secure communication between AI assistants and Hygraph). For more details, see API Reference documentation. Limitation: API usage may require specific permissions and technical setup.
Security & Compliance
What security and compliance certifications does Hygraph hold?
Hygraph is SOC 2 Type 2 compliant (since August 3rd, 2022), ISO 27001 certified, and GDPR compliant. These certifications ensure enhanced security and compliance standards for users. For more details, visit Hygraph's Secure Features page. Limitation: Additional certifications may be required for specific industries; consult sales for details.
What security features are included in Hygraph?
Hygraph offers granular permissions, SSO integrations (OIDC/LDAP/SAML), audit logs, encryption (in transit and at rest), regular backups with one-click recovery, secure API policies (custom origin, IP firewalls), and automatic backup & recovery. Data centers are ISO 27001 certified and SOC 2 Type 2 compliant. Limitation: Security features may vary by plan; consult documentation for specifics. Source: Secure Features page.
Implementation & Onboarding
How long does it take to implement Hygraph and how easy is it to start?
Implementation timelines vary by project complexity. Examples: Si Vale met aggressive deadlines; Top Villas launched in 2 months; Voi migrated from WordPress in 1-2 months. Onboarding is designed to be smooth for both technical and non-technical users, with structured calls, account provisioning, technical kickoffs, extensive documentation, starter projects, community Slack, and training resources. Limitation: Complex migrations may require additional planning. Source: Top Villas case study, Hygraph Documentation.
Customer Feedback & Use Cases
What feedback have customers given about Hygraph's ease of use?
Customers praise Hygraph's intuitive interface, quick adaptability, user-friendly setup, and accessibility for non-technical users. Examples: Sigurður G., CTO, noted the UI is intuitive; Anastasija S., Product Content Coordinator, enjoys instant front-end updates; Charissa K., Senior CMS Specialist, highlights fast comprehension and localization. Limitation: Some advanced features may require technical expertise. Source: Hailey Feed - PMF Research.xlsx, Try Headless CMS.
What core problems does Hygraph solve for businesses?
Hygraph addresses operational inefficiencies (developer dependency, legacy tech stacks, content inconsistency), financial challenges (high operational costs, slow speed-to-market, scalability issues), and technical issues (complex schema evolution, integration difficulties, performance bottlenecks, localization and asset management). Limitation: Not all pain points may be addressed for highly specialized workflows. Source: Hailey Feed - PMF Research.xlsx.
Business Impact & Success Stories
What business impact can customers expect from using Hygraph?
Customers can expect faster time-to-market (Komax achieved 3X faster launches), improved customer engagement (Samsung saw a 15% increase), cost reduction, enhanced content consistency, scalability, and proven ROI (AutoWeb increased website monetization by 20%, Voi scaled multilingual content across 12 countries and 10 languages). Limitation: Results may vary based on project scope and implementation. Source: Hygraph case studies.
Can you share specific case studies or success stories of customers using Hygraph?
Notable examples include Samsung (15% improved engagement), Dr. Oetker (enhanced digital experience), Komax (3x faster time-to-market), AutoWeb (20% increase in monetization), BioCentury (accelerated publishing), Voi (multilingual scaling), HolidayCheck (reduced developer bottlenecks), and Lindex Group (accelerated global delivery). For more, visit Hygraph's case studies page. Limitation: Outcomes depend on project specifics.
Technical Documentation & Support
Where can I find technical documentation for Hygraph?
Technical documentation is available for API reference, schema components, getting started guides, integrations (Mux, Akeneo, Auth0), AI features, and classic docs. Access these resources at Hygraph Documentation. Limitation: Some advanced topics may require direct support or community engagement.
Industries & Target Audience
What industries are represented in Hygraph's case studies?
Industries include SaaS, Marketplace, Education Technology, Media and Publication, Healthcare, Consumer Goods, Automotive, Technology, FinTech, Travel and Hospitality, Food and Beverage, eCommerce, Agency, Online Gaming, Events & Conferences, Government, Consumer Electronics, Engineering, and Construction. Limitation: Industry-specific requirements may need custom solutions. Source: Hygraph case studies.
Who is the target audience for Hygraph?
Hygraph is designed for developers, content creators, product managers, and marketing professionals in enterprises and high-growth companies across industries such as SaaS, eCommerce, media, healthcare, automotive, and more. Limitation: Highly specialized industries may require additional customization. Source: Unknown.
The advanced permissions feature allows to configure granular permissions to access content from a Hygraph project.
The system allows to setup different kinds of permissions for Public API, individual Permanent Auth Tokens (PATs) and also custom roles, if applicable as part of the Hygraph project's plan. With this functionality, it is possible, for example, to expose only part of the content via Public API, or allow for reading and mutating content for certain models using a particular PAT.
Content permissions are setup on a per project's environment basis, this means that, for example, a master and development environments could be setup with different permissions as needed.
As for the permissions themselves, the user can choose to setup permissions that apply to all models or restrict access to specific models. With the latter, an optional condition to restrict access further can be used.
Regarding roles & permissions:
Content permissions are environment specific. This means their configuration is applied per environment. Take this into consideration if you're working with a project using more than one environment.
Management API permissions are global. This means their configuration is applied per project. For instance, if a role gets a management permission to read models, people assigned to that role will be able to do so on all environments for that project.
The permission system is based on 7 different action types: Read, Read versions, Create, Update, Delete, Publish and Unpublish. Setting permissions for each of these actions will grant the target (Public API, PAT or custom role) permission to perform it on all models or a particular content model type as applicable.
The Read versions permission action grants the user access to the versions for a given document. Custom roles might require this permission when working with the UI as versioning is shown as part of the content form for documents.
Different permission actions might require other actions to fully work, below is a table depicting these relations for mutations in particular:
Action
Requires
Create
Read on Draft Stage and Default Locale + Create
Update
Read on Draft Stage + Update
Delete
Read on All Stages + Delete + Unpublish on All Stages (except Draft)
Publish
Read on Draft Stage + Publish on Draft and To Stage
A Permanent Auth Token (PAT) can also be used to access content. The permission system allows to setup granular permissions for these tokens as well.
Let's assume that we would like to configure a PAT that allows to read and mutate only documents of a particular model type, the Post model from the Blog Starter template.
Navigate to Project Settings > API Access > Permanent Auth Tokens and click + Add Token.
Fill in the new token name and optional description, and click Add & configure permissions.
Under Content API in the given token's detail view, press the Create Permission button.
In the Create Permission dialog, choose the Post model and the Read, Create and Update actions keeping defaults for Locales, Stages and Condition and press the Create button.
You can now use this sample token to access Post documents, as well as creating them and updating them.
Note that with these basic settings it will not be possible to retrieve content for related models (ie: Author, Asset, SEO from the example).
To create posts and connect them to these other model types, specific permissions for those will need to be set up accordingly.
Custom conditions may be used to further limit the access to content. To build a condition, we recommend using the API playground to build a query with a where clause that would return the expected documents. Once this is done, the actual where clause can be stringified and used as a permission condition when creating a permission for the targeted model.
As a follow up example, we can further limit read access to the Post model by specifying conditions. Here are some examples and what the result would be.
Grant access to posts that contain some tags in particular:
{"tags_contains_some":["GraphQL","SEO"]}
Extend previous setting to also include posts that have no tags setup:
Note that for this setup to work, read access on the Author model is required and could also be restricted to that particular document based on it's id for example.
Depending on what information needs to be exposed, the permissions might need to include read access to the User system model in order to display information related to content User Attribution.
This is specially important when setting up custom roles that will be interacting with the project's content via the UI, as User Attribution fields (createdBy, updatedBy and publishedBy) will not display this information if permissions are not granted. Another side effect of these permissions missing can translate into not allowed errors while trying to mutate content from the content view form.
Custom roles have no permissions by default, as mentioned and in particular to work with the UI, they will need to be setup with Read access to the User system model as explained above and Read Versions for versioning to work as expected.
Conditions need to be manually kept up to date at the moment, this means that, for example, if a condition is based on a value for a given field, and the project's data model changes (ie: field is renamed) the condition sill no longer be valid. The same behavior is expected for related models and in cases were certain document ids are used for values.
Another aspect to consider regarding conditions is that although they can be created from a normal query where clause, they cannot be set for localized fields nor make use of search capabilities usually exposed as part of some inputs.
When setting up permissions on models with relations, a special consideration must be taken, as permissions might be required on both models to perform certain actions.
For example, in a simple schema consisting of two models like the Post and Author, an update connecting a given Post with an Author will require also an update permissions on the Author model given that an Author can refer to many Post documents.
Permissions allow for a granular locale configuration. There are some important aspects to keep in mind when setting up permissions that would restrict access to certain actions on certain locales. In particular, in order perform actions on a base document (ie: create a new document with non localized fields), access to the default locale is required.
Authorization: This document contains information on public API permissions, permanent auth tokens, and API endpoints.
Roles and permissions: This document contains information on how to work with roles and permissions in the Hygraph app.
API access: This document covers the API access section of the Hygraph app as well as its subsections: Endpoints, Content API, and Permanent auth tokens.
The advanced permissions feature allows to configure granular permissions to access content from a Hygraph project.
The system allows to setup different kinds of permissions for Public API, individual Permanent Auth Tokens (PATs) and also custom roles, if applicable as part of the Hygraph project's plan. With this functionality, it is possible, for example, to expose only part of the content via Public API, or allow for reading and mutating content for certain models using a particular PAT.
Content permissions are setup on a per project's environment basis, this means that, for example, a master and development environments could be setup with different permissions as needed.
As for the permissions themselves, the user can choose to setup permissions that apply to all models or restrict access to specific models. With the latter, an optional condition to restrict access further can be used.
Regarding roles & permissions:
Content permissions are environment specific. This means their configuration is applied per environment. Take this into consideration if you're working with a project using more than one environment.
Management API permissions are global. This means their configuration is applied per project. For instance, if a role gets a management permission to read models, people assigned to that role will be able to do so on all environments for that project.
The permission system is based on 7 different action types: Read, Read versions, Create, Update, Delete, Publish and Unpublish. Setting permissions for each of these actions will grant the target (Public API, PAT or custom role) permission to perform it on all models or a particular content model type as applicable.
The Read versions permission action grants the user access to the versions for a given document. Custom roles might require this permission when working with the UI as versioning is shown as part of the content form for documents.
Different permission actions might require other actions to fully work, below is a table depicting these relations for mutations in particular:
Action
Requires
Create
Read on Draft Stage and Default Locale + Create
Update
Read on Draft Stage + Update
Delete
Read on All Stages + Delete + Unpublish on All Stages (except Draft)
Publish
Read on Draft Stage + Publish on Draft and To Stage
A Permanent Auth Token (PAT) can also be used to access content. The permission system allows to setup granular permissions for these tokens as well.
Let's assume that we would like to configure a PAT that allows to read and mutate only documents of a particular model type, the Post model from the Blog Starter template.
Navigate to Project Settings > API Access > Permanent Auth Tokens and click + Add Token.
Fill in the new token name and optional description, and click Add & configure permissions.
Under Content API in the given token's detail view, press the Create Permission button.
In the Create Permission dialog, choose the Post model and the Read, Create and Update actions keeping defaults for Locales, Stages and Condition and press the Create button.
You can now use this sample token to access Post documents, as well as creating them and updating them.
Note that with these basic settings it will not be possible to retrieve content for related models (ie: Author, Asset, SEO from the example).
To create posts and connect them to these other model types, specific permissions for those will need to be set up accordingly.
Custom conditions may be used to further limit the access to content. To build a condition, we recommend using the API playground to build a query with a where clause that would return the expected documents. Once this is done, the actual where clause can be stringified and used as a permission condition when creating a permission for the targeted model.
As a follow up example, we can further limit read access to the Post model by specifying conditions. Here are some examples and what the result would be.
Grant access to posts that contain some tags in particular:
{"tags_contains_some":["GraphQL","SEO"]}
Extend previous setting to also include posts that have no tags setup:
Note that for this setup to work, read access on the Author model is required and could also be restricted to that particular document based on it's id for example.
Depending on what information needs to be exposed, the permissions might need to include read access to the User system model in order to display information related to content User Attribution.
This is specially important when setting up custom roles that will be interacting with the project's content via the UI, as User Attribution fields (createdBy, updatedBy and publishedBy) will not display this information if permissions are not granted. Another side effect of these permissions missing can translate into not allowed errors while trying to mutate content from the content view form.
Custom roles have no permissions by default, as mentioned and in particular to work with the UI, they will need to be setup with Read access to the User system model as explained above and Read Versions for versioning to work as expected.
Conditions need to be manually kept up to date at the moment, this means that, for example, if a condition is based on a value for a given field, and the project's data model changes (ie: field is renamed) the condition sill no longer be valid. The same behavior is expected for related models and in cases were certain document ids are used for values.
Another aspect to consider regarding conditions is that although they can be created from a normal query where clause, they cannot be set for localized fields nor make use of search capabilities usually exposed as part of some inputs.
When setting up permissions on models with relations, a special consideration must be taken, as permissions might be required on both models to perform certain actions.
For example, in a simple schema consisting of two models like the Post and Author, an update connecting a given Post with an Author will require also an update permissions on the Author model given that an Author can refer to many Post documents.
Permissions allow for a granular locale configuration. There are some important aspects to keep in mind when setting up permissions that would restrict access to certain actions on certain locales. In particular, in order perform actions on a base document (ie: create a new document with non localized fields), access to the default locale is required.
Authorization: This document contains information on public API permissions, permanent auth tokens, and API endpoints.
Roles and permissions: This document contains information on how to work with roles and permissions in the Hygraph app.
API access: This document covers the API access section of the Hygraph app as well as its subsections: Endpoints, Content API, and Permanent auth tokens.
