By default, all queries and mutations in Hygraph require a Permanent Auth Token (PAT) for authorization. You can configure Public API Permissions to allow unauthenticated requests, but this should be done carefully to avoid exposing sensitive data. Permissions can be set for each model, stage, environment, and locale, and you can specify whether mutations are allowed. Learn more.
PATs are Bearer tokens used to control access for querying and mutating content in Hygraph. You can create individual PATs for specific API actions, such as querying data from the draft stage or performing mutations server-side. PATs should be kept secure and never exposed client-side. They must be passed via the Authorization header in HTTP requests. Learn more.
Public API access is disabled by default for all new projects. You can enable public access and configure custom permissions for each model, stage, and locale. Optional conditions can further restrict access, such as allowing queries only for specific content IDs. Careful configuration is required to prevent unauthorized access or destructive actions. Learn more.
The default public stage for all new Hygraph projects is set to PUBLISHED. If no stage parameter is specified in a GraphQL query or HTTP header, content from the default stage will be served. Learn more.
Third-party authentication allows Hygraph users to connect their accounts to external applications and execute Content API and Management API requests. Unlike PATs, third-party authentication enables attribution of API requests to specific users, enhancing visibility and auditability. Access is controlled based on roles and permissions configured in Hygraph. Learn more.
To set up third-party authentication, you need an OAuth client ID and client secret from Hygraph. Contact Hygraph Support with your application details (name, description, logo, type, home page link). After approval, securely store your client secret and update your app with the OAuth credentials. If compromised, rotate your client secret and update all authorized apps. Learn more.
You can view and manage all active third-party connections in your account settings under 'Connected apps'. To revoke access to any app, click 'Revoke' next to the app in the list. Learn more.
Hygraph supports a wide range of integrations, including Digital Asset Management (Aprimo, AWS S3, Bynder, Cloudinary, Mux, Scaleflex Filerobot), Hosting & Deployment (Netlify, Vercel), Headless Commerce (BigCommerce, commercetools, Shopify), Localization (Lokalise, Crowdin, EasyTranslate, Smartling), Personalization & AB Testing (Ninetailed), AI (AltText.ai), and more. For details, see the Hygraph Integrations Documentation.
Each Hygraph project has a unique GraphQL API endpoint per environment, allowing both querying and mutating data. The regular endpoint is suitable for most use cases, while the high-performance endpoint is optimized for global content delivery with low latency and high read-throughput. Learn more.
Hygraph leverages state-of-the-art caching techniques and a robust edge service, deploying endpoints close to users worldwide. This ensures low latency, high read-throughput, and rapid content delivery, improving user experience and engagement. Learn more.
Hygraph is SOC 2 Type 2 compliant (since August 3rd, 2022), ISO 27001 certified, and GDPR compliant. These certifications ensure enhanced security, data protection, and adherence to global standards. Hygraph also provides granular permissions, audit logs, encryption, SSO integrations, and automatic backups. View the security report.
Comprehensive technical documentation, including guides on API authorization, permissions, roles, endpoints, and integration examples, is available at Hygraph Documentation. For content workflows, webhooks, and API playgrounds, refer to the respective sections in the documentation.
Hygraph offers 24/7 support via chat, email, and phone. Enterprise customers benefit from SLAs with critical issue resolution in less than an hour. Extensive documentation, onboarding assistance, a dedicated Customer Success Manager, and community channels (Slack, Intercom) are available for troubleshooting and guidance. Learn more.
Customers using Hygraph APIs report significant improvements, including up to 3X faster time-to-market (Komax), 15% higher customer engagement (Samsung), and 7X higher content velocity. Hygraph supports content management across 40+ global markets and enables scalable, efficient digital experiences. See case studies.
Yes. Komax achieved 3X faster time-to-market and managed 20,000+ product variations across 40+ markets via a single CMS. Samsung improved engagement by 15% with a composable member platform. Sennheiser saw a 136.7% increase in e-commerce conversions after migrating to a MACH-compliant headless commerce solution. Read more case studies.
Hygraph is recognized as the #1 easiest to implement headless CMS. Customers can start building for free with a developer account and benefit from a structured onboarding process, including introduction calls, account provisioning, and technical/content kickoffs. Developers can use the free API playground for immediate hands-on experience. Try Hygraph.
By default, queries and mutations require a Permanent Auth Token token, but you can configure the Public API Permissions to allow unauthenticated requests.
Hygraph allows you to configure access for each model, stage, environment, locale, and whether or not you permit mutations.
By default all new projects disable public API access.
Enabling public access to your project means that anybody with your API endpoint can query sensitive data, and perform destructive actions if configured incorrectly.
You can configure custom permissions, or initialize the defaults.
For example, here you can see how to configure the Content API to allow access to READ the Page model on stages Published and Draft with the locale English.
Create API permission
You can also specify an optional condition that restricts access even further. For example, you could specify the condition { "id": "ckoimwlu80ck20a88z6i754cw" }. This would then only allow you to fetch the Post with id ckoimwlu80ck20a88z6i754cw.
Learn more about Public API permissions
If no stage parameter is set on the GraphQL query, or via a HTTP header, the content from the default set content stage will be served.
Default Content Stage
The default public stage is set to PUBLISHED for all new projects.
Permanent Auth Tokens are used for controlling access to querying, mutating content, and come in the form of Bearer token authentication.
Similar to Public API permissions, you can create individual PATs for specific API actions.
Some users create PATs for only querying data from the draft stage, for creating previews in staging environments. You may also opt to create a PAT for mutations, so you can perform changes to your content models server-side.
If you are mutating data from the frontend, you should hide this token at the server level, and not expose your PAT client-side.
The Permanent Auth Token must be passed via the Authorization header on HTTP requests in the format of a Bearer token:
Authorization: Bearer PERMANENT_AUTH_TOKEN
Learn more about PAT permissions
With third-party app authentication support, you can enable Hygraph users to connect their Hygraph accounts into your application, and execute Content API and Management API requests.
Permanent Auth Tokens are non-personal tokens. With PATs, you cannot attribute an API request to any specific user. With third-party authentication, you can control access within your applications based on roles and permissions configured in Hygraph, and then attribute any Hygraph mutation from your application to the user who initiated it. This is helpful in tracking content changes in visual builder applications, or activities in workflow integration apps, such as Jira, Slack, and so on. You can now link different activities performed by the same user, thus enhancing visibility and auditability.
Before you set up third-party authentication, you need an oAuth client ID and client secret from Hygraph. Contact our Support team, and provide the following details of your application:
After Hygraph approves your application, you receive an oAuth client ID and client secret. Store your client secret securely. If your client secret is compromised, contact Hygraph immediately to rotate to a new one and then update all authorized apps with the new client secret.
Update your app with OAuth credentials.
You can view a list of all active third-party connections in your account settings. At the top right of your screen, click your profile name, and then click Account Settings. Under Connected apps, you can view a list of all third-party apps and services connected to the account. To revoke access to any app, click Revoke next to it.
The following sections provide examples on setting up third-party authentication for single page and native applications. To learn how to set up authentication for other app types, see Auth0 documentation.
Clone the sample application locally.
Run npm install to install the necessary packages for the sample to run.
In the public/js/app.js file, add the auth0Client section.
const configureClient = async () => {const response = await fetchAuthConfig();const config = await response.json();auth0Client = await auth0.createAuth0Client({domain: config.domain,clientId: config.clientId,// ++ add the auth0Client configauth0Client: {__useTenantInfo: config.isThirdPartyClient,},});};
To specify the application client ID and domain, make a copy of auth_config.json.example and rename it to auth_config.json. Open the auth_config.json file in a text editor and provide the correct values for your application:
{"domain": "auth.hygraph.com","clientId": "CLIENT_ID","isThirdPartyClient": true}
Run npm run dev to start the application.
This example assumes that you've already build a Slack app in your workspace. If you haven't built a Slack app, follow the instructions here.
Define a new OAuth2 provider in the manifest.ts file.
// Define a new OAuth2 provider// Note: replace <your_client_id> with your actual client IDconst HygraphProvider = DefineOAuth2Provider({provider_key: "hygraph",provider_type: Schema.providers.oauth2.CUSTOM,options: {client_id: "<your_client_id>",scope: ["openid", "profile", "email", "offline_access"],provider_name: "Hygraph",authorization_url: "https://graphcms.auth0.com/authorize",token_url: "https://graphcms.auth0.com/oauth/token",token_url_config: {use_basic_auth_scheme: false,},identity_config: {url: "https://graphcms.auth0.com/userinfo",account_identifier: "$.sub",http_method_type: "GET",},authorization_url_extras: {prompt: "consent",access_type: "offline",audience: "https://graphcms.auth0.com/api/v2/",},use_pkce: true,},});export default Manifest({// ...// Add APIs that your application is going to calloutgoingDomains: ["eu-central-1.api.hygraph.com","management.hygraph.com","api-eu-central-1.hygraph.com",],// ...// Tell your app about your OAuth2 providers here:externalAuthProviders: [HygraphProvider],});
Now, build a Slack function that creates a content entry on a user’s behalf,
import { DefineFunction, Schema, SlackFunction } from "deno-slack-sdk/mod.ts";export const CreateContentFunctionDefinition = DefineFunction({callback_id: "create_content_function",title: "Create content function",description: "A crete content function",source_file: "functions/create_content_function.ts",input_parameters: {properties: {token: {type: Schema.slack.types.oauth2,oauth2_provider_key: "hygraph",},project_id: {type: Schema.slack.types.string,description: "The project to create content for",},model_id: {type: Schema.slack.types.string,description: "The model to create content for",},channel_id: {type: Schema.slack.types.channel_id,description: "The channel to post the message in",}},required: ["token", "project_id", "model_id", "channel_id"],},output_parameters: {properties: {contentId: {type: Schema.types.string,description: "ID of the created content",},},required: ["contentId"],},});export default SlackFunction(CreateContentFunctionDefinition,async ({ inputs, client }) => {// Get the token:const tokenResponse = await client.apps.auth.external.get({external_token_id: inputs.token,});if (tokenResponse.error) {const error = `Failed to retrieve the external auth token due to ${tokenResponse.error}`;return { error };}// If the token was retrieved successfully, use it:const externalToken = tokenResponse.external_token;// Make external API call with externalTokenconst response = await fetch("https://eu-central-1.api.hygraph.com/graphql",{method: "POST",body: JSON.stringify({query: `query Viewer {_viewer {... on UserViewer {iduser {idprofile {name}}project(id: "${inputs.project_id}") {environment(id: "master"){authToken}}}}}`,}),headers: new Headers({Authorization: `Bearer ${externalToken}`,"Content-Type": "application/json",}),});if (response.status != 200) {const body = await response.text();const error = `Failed to call my endpoint! (status: ${response.status}, body: ${body})`;return { error };}const responseBody = await response.json();const uuid = crypto.randomUUID();const contentApiToken = responseBody.data._viewer.project.environment.authToken;const createContentResponse = await fetch("https://api-eu-central-1.hygraph.com/v2/cmaz8u024000b07w2o46szn1y/master",{method: "POST",body: JSON.stringify({query: `mutation createContent($data: DemoModel23May20250843CreateInput!) {createDemoModel23May20250843(data: $data) {id}}`,variables: {data: {title: `Sample Content ${uuid}`,slug: `sampleContent${uuid}s`,// Add other fields as required by your model},},}),headers: new Headers({Authorization: `Bearer ${contentApiToken}`,"Content-Type": "application/json",}),});if (createContentResponse.status != 200) {const body = await createContentResponse.text();const error = `Failed to create content! (status: ${createContentResponse.status}, body: ${body})`;return { error };}client.chat.postMessage({channel: inputs.channel_id,text: `Content created successfully with ID: ${uuid}`,});return { outputs: { contentId: uuid } };});
Next, create a Slack workflow.
import { DefineWorkflow, Schema } from "deno-slack-sdk/mod.ts";import { CreateContentFunction } from "../functions/content/definition.ts";const CreateContentWorkflow = DefineWorkflow({callback_id: "create_content_workflow",title: "Create Content",description: "A workflow to create new content",input_parameters: {properties: {interactivity: {type: Schema.slack.types.interactivity,},},required: ["interactivity"],},});CreateContentWorkflow.addStep(CreateContentFunction, {interactivity: CreateContentWorkflow.inputs.interactivity,token: {credential_source: "END_USER",},});export default CreateContentWorkflow;
Create a trigger to invoke the custom function for the workflow.
import { Trigger } from "deno-slack-sdk/types.ts";import { TriggerContextData, TriggerTypes } from "deno-slack-api/mod.ts";import CreateContentWorkflow from "../workflows/create_content_workflow.ts";const createContentTrigger: Trigger<typeof CreateContentWorkflow.definition> = {type: TriggerTypes.Shortcut,name: "Create Content trigger",description: "Trigger to create new content",workflow: `#/workflows/${CreateContentWorkflow.definition.callback_id}`,inputs: {interactivity: {value: TriggerContextData.Shortcut.interactivity,},},};export default createContentTrigger;
Add the client secret that you received from Hygraph for the Slack app. This secret is used to initiate the OAuth2 flow.
slack external-auth add-secret --provider hygraph --secret "<your_client_secret>"
Run the Slack application.
API Endpoints
Each Hygraph project you create, or are invited to, has a unique GraphQL API endpoint (per environment). This endpoint permits you to both query, and mutate data within your project. You will find it as Content API endpoint in your project's API Access settings.
GraphQL introspection is enabled by default, so anybody with access to your endpoint can traverse the graph to see your content types, as well as all queries and mutations.
This API endpoint also contains the current schema environment, by default this will be master.
The API endpoint has the following composition:
https://[region].hygraph.com/v2/[projectId]/[environment]
Click here to learn more about this endpoint.
This high performance endpoint is ideal for delivering content around the globe with low latency and high read-throughput.
The API endpoint has the following composition:
https://[region].cdn.hygraph.com/content/[projectId]/[environment]
Click here to learn more about this endpoint.
You might find the following documents useful: