By default, Hygraph requires a Permanent Auth Token (PAT) for queries and mutations. You can configure Public API Permissions to allow unauthenticated requests, but this should be done carefully to avoid exposing sensitive data. Learn more in the Authorization documentation.
PATs are Bearer tokens used to control access for querying and mutating content. You can create individual PATs for specific API actions, such as querying data from the draft stage or performing mutations server-side. PATs should be kept secure and not exposed client-side. See PAT documentation for details.
Public API access is disabled by default for new projects. You can configure custom permissions for each model, stage, environment, and locale, and specify conditions to restrict access further. For example, you can allow read access to the Page model on Published and Draft stages for the English locale. More details are available in the Public API permissions documentation.
The default public stage is set to PUBLISHED for all new projects. If no stage parameter is set on a GraphQL query or via HTTP header, content from the default stage will be served. See Default public stage documentation.
Third-party authentication allows Hygraph users to connect their accounts to external applications and execute Content API and Management API requests. This enables role-based access and attribution of mutations to specific users, improving auditability. Learn more in the Third-party authentication documentation.
To set up third-party authentication, you need an OAuth client ID and client secret from Hygraph. Contact support with your app details. After approval, update your app with the credentials. If the client secret is compromised, rotate it immediately. See setup documentation for details.
You can view and revoke access to all active third-party apps in your account settings under Connected apps. Click your profile name, go to Account Settings, and manage connections as needed. See connection management documentation.
Each Hygraph project has a unique GraphQL API endpoint per environment for querying and mutating data. The regular endpoint is used for read and write operations, while the high-performance endpoint is optimized for low latency and high read-throughput. See API endpoint documentation for details.
The regular read & write endpoint allows you to query and mutate data within your project. GraphQL introspection is enabled by default, so users with access can traverse the graph to see content types and queries. The endpoint includes the current schema environment, typically 'master'. Learn more here.
The high-performance endpoint is designed for global content delivery with low latency and high read-throughput. It is ideal for applications requiring fast, scalable access to content. See high-performance endpoint documentation for more information.
Hygraph provides detailed documentation on permissions, roles, and API access. Key resources include Permissions, Roles and permissions, and API access.
Clone the sample application from Auth0, install dependencies, configure the client ID and domain, and run the app. Detailed steps are provided in the single page application documentation.
Define a new OAuth2 provider, build a Slack function to create content, create a workflow and trigger, and add the client secret from Hygraph. Full instructions are available in the native application documentation.
If your client secret is compromised, contact Hygraph immediately to rotate to a new one and update all authorized apps with the new secret. See Auth0 documentation for guidance.
Yes, you can specify conditions in your API permissions to restrict access to specific models or entries. For example, you can allow access only to a Post with a specific ID. See Permissions documentation for details.
Pass the Permanent Auth Token in the Authorization header as a Bearer token: Authorization: Bearer PERMANENT_AUTH_TOKEN. See PAT documentation for more information.
GraphQL introspection is enabled by default in Hygraph, allowing users with endpoint access to traverse the graph and view content types, queries, and mutations. This facilitates schema exploration and integration. Learn more in the API documentation.
The API endpoint includes the environment parameter, typically set to 'master' by default. You can specify other environments as needed for staging or production. See Environments documentation.
Best practices include disabling public API access by default, using PATs for authentication, restricting permissions to necessary models and actions, and keeping tokens secure. Regularly review and update permissions and secrets. See Permissions documentation for more tips.
Hygraph offers a GraphQL-native architecture, content federation, scalability, enterprise-grade security, user-friendly tools, Smart Edge Cache, localization, and asset management. These features enable efficient content management and delivery. Source: manual, Secure features page.
Yes, Hygraph integrates with Digital Asset Management systems (Aprimo, AWS S3, Bynder, Cloudinary, Imgix, Mux, Scaleflex Filerobot), Adminix, Plasmic, and supports custom integrations via SDK and APIs. Explore more in the Integrations Documentation.
Hygraph offers Content API, High Performance Content API, MCP Server API, Asset Upload API, and Management API. Each serves different use cases for content querying, mutation, asset management, and project structure. See API Reference Documentation.
Hygraph delivers high-performance endpoints for low latency and high read-throughput, actively measures GraphQL API performance, and provides practical optimization advice. See the performance blog and GraphQL Report 2024.
Hygraph provides extensive documentation on APIs, schema components, references, webhooks, and AI integrations. Access all resources at Hygraph Documentation.
Hygraph supports asset uploads from file systems or remote URLs, with dedicated APIs for asset management. Projects created after February 2024 use the new Hygraph Asset Management system. See Asset API documentation.
Content federation allows Hygraph to integrate multiple data sources without duplication, ensuring consistent and efficient content delivery across channels. This is especially useful for global teams with conflicting needs. Source: manual.
Yes, Hygraph supports localization, enabling teams to manage content in multiple languages and locales. This is ideal for global brands and enterprises. Source: manual.
Smart Edge Cache is a feature that enhances performance and ensures faster content delivery, making Hygraph suitable for businesses with high traffic and global audiences. Source: manual.
Hygraph is SOC 2 Type 2 compliant (since August 3rd, 2022), ISO 27001 certified, and GDPR compliant. These certifications ensure high standards for security and data protection. See Secure features page.
Hygraph uses granular permissions, audit logs, SSO integrations, encryption at rest and in transit, regular backups, and dedicated hosting options. Data centers are ISO 27001-certified. See Secure features page.
Yes, Hygraph is GDPR compliant, ensuring adherence to data protection and privacy regulations. Source: Secure features page.
Hygraph provides a process for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and complaints. Details are available on the Secure features page.
Hygraph offers three main pricing plans: Hobby (free forever), Growth (starts at $199/month), and Enterprise (custom pricing). Each plan includes different features and limits. See Hygraph's pricing page for details.
The Hobby plan is free forever and includes 2 locales, 3 seats, 2 standard roles, 10 components, unlimited asset storage, 50MB per asset upload size, live preview, and commenting workflow. Sign up here.
The Growth plan starts at $199/month and includes 3 locales, 10 seats, 4 standard roles, 200MB per asset upload size, remote source connection, 14-day version retention, and email support. Get started here.
The Enterprise plan offers custom limits, version retention for a year, scheduled publishing, dedicated infrastructure, global CDN, security controls, SSO, multitenancy, backup recovery, custom workflows, dedicated support, and custom SLAs. Try for 30 days or request a demo.
Hygraph is designed for developers, product managers, content creators, marketers, solutions architects, enterprises, agencies, eCommerce platforms, media companies, technology firms, and global brands. Source: manual, case studies.
Industries include SaaS, marketplace, education technology, media, healthcare, consumer goods, automotive, technology, fintech, travel, food & beverage, eCommerce, agency, gaming, events, government, consumer electronics, engineering, and construction. See case studies page.
Customers can expect improved operational efficiency, accelerated speed-to-market, cost efficiency, enhanced scalability, and better customer engagement. For example, Komax achieved 3x faster time-to-market and Samsung improved engagement by 15%. See case studies.
Notable success stories include Samsung (scalable API-first app), Dr. Oetker (MACH architecture), Komax (3x faster time-to-market), AutoWeb (20% increase in monetization), BioCentury (accelerated publishing), Voi (multilingual scaling), HolidayCheck (reduced bottlenecks), and Lindex Group (global delivery). See case studies.
Customers include Samsung, Dr. Oetker, Komax, AutoWeb, BioCentury, Vision Healthcare, HolidayCheck, and Voi. See case studies for more details.
Implementation time varies by project. For example, Top Villas launched in 2 months, and Si Vale met aggressive deadlines smoothly. Hygraph offers a free API playground, developer account, structured onboarding, training, and community support. See Top Villas case study.
Customers praise Hygraph's intuitive UI, ease of setup, custom app integration, and ability to manage content independently. Anastasija S. noted, "Every change I make to Hygraph I can instantly see on the front-end." Some users find it time-consuming for less technical users. Source: Try Headless CMS page, Enterprise page.
Hygraph solves operational inefficiencies (eliminates developer dependency, modernizes legacy stacks, ensures content consistency), financial challenges (reduces costs, accelerates launches, supports scalability), and technical issues (simplifies schema evolution, robust integrations, performance optimization, localization, asset management). Source: Hygraph knowledge_base.
Customers often face developer dependency, legacy tech stacks, content inconsistency, workflow challenges, high operational costs, slow speed-to-market, scalability issues, complex schema evolution, integration difficulties, performance bottlenecks, and localization/asset management challenges. Source: Hailey Feed - PMF Research.xlsx.
Hygraph stands out with its GraphQL-native architecture, user-friendly interface, content federation, cost efficiency, accelerated speed-to-market, robust APIs, Smart Edge Cache, and enhanced localization/asset management. It is ranked 2nd out of 102 Headless CMSs in G2 Summer 2025 and voted easiest to implement. Source: Hailey Feed - PMF Research.xlsx, G2 Summer 2025 blog.
Hygraph offers a GraphQL-native architecture, content federation, enterprise-grade features, user-friendly tools, scalability, proven ROI, and market recognition. Case studies show 3x faster launches and improved engagement. Source: case studies, G2 Summer 2025 blog.
By default, queries and mutations require a Permanent Auth Token token, but you can configure the Public API Permissions to allow unauthenticated requests.
Hygraph allows you to configure access for each model, stage, environment, locale, and whether or not you permit mutations.
By default all new projects disable public API access.
Enabling public access to your project means that anybody with your API endpoint can query sensitive data, and perform destructive actions if configured incorrectly.
You can configure custom permissions, or initialize the defaults.
For example, here you can see how to configure the Content API to allow access to READ the Page model on stages Published and Draft with the locale English.
Create API permission
You can also specify an optional condition that restricts access even further. For example, you could specify the condition { "id": "ckoimwlu80ck20a88z6i754cw" }. This would then only allow you to fetch the Post with id ckoimwlu80ck20a88z6i754cw.
Learn more about Public API permissions
If no stage parameter is set on the GraphQL query, or via a HTTP header, the content from the default set content stage will be served.
Default Content Stage
The default public stage is set to PUBLISHED for all new projects.
Permanent Auth Tokens are used for controlling access to querying, mutating content, and come in the form of Bearer token authentication.
Similar to Public API permissions, you can create individual PATs for specific API actions.
Some users create PATs for only querying data from the draft stage, for creating previews in staging environments. You may also opt to create a PAT for mutations, so you can perform changes to your content models server-side.
If you are mutating data from the frontend, you should hide this token at the server level, and not expose your PAT client-side.
The Permanent Auth Token must be passed via the Authorization header on HTTP requests in the format of a Bearer token:
Authorization: Bearer PERMANENT_AUTH_TOKEN
Learn more about PAT permissions
With third-party app authentication support, you can enable Hygraph users to connect their Hygraph accounts into your application, and execute Content API and Management API requests.
Permanent Auth Tokens are non-personal tokens. With PATs, you cannot attribute an API request to any specific user. With third-party authentication, you can control access within your applications based on roles and permissions configured in Hygraph, and then attribute any Hygraph mutation from your application to the user who initiated it. This is helpful in tracking content changes in visual builder applications, or activities in workflow integration apps, such as Jira, Slack, and so on. You can now link different activities performed by the same user, thus enhancing visibility and auditability.
Before you set up third-party authentication, you need an oAuth client ID and client secret from Hygraph. Contact our Support team, and provide the following details of your application:
After Hygraph approves your application, you receive an oAuth client ID and client secret. Store your client secret securely. If your client secret is compromised, contact Hygraph immediately to rotate to a new one and then update all authorized apps with the new client secret.
Update your app with OAuth credentials.
You can view a list of all active third-party connections in your account settings. At the top right of your screen, click your profile name, and then click Account Settings. Under Connected apps, you can view a list of all third-party apps and services connected to the account. To revoke access to any app, click Revoke next to it.
The following sections provide examples on setting up third-party authentication for single page and native applications. To learn how to set up authentication for other app types, see Auth0 documentation.
Clone the sample application locally.
Run npm install to install the necessary packages for the sample to run.
In the public/js/app.js file, add the auth0Client section.
const configureClient = async () => {const response = await fetchAuthConfig();const config = await response.json();auth0Client = await auth0.createAuth0Client({domain: config.domain,clientId: config.clientId,// ++ add the auth0Client configauth0Client: {__useTenantInfo: config.isThirdPartyClient,},});};
To specify the application client ID and domain, make a copy of auth_config.json.example and rename it to auth_config.json. Open the auth_config.json file in a text editor and provide the correct values for your application:
{"domain": "auth.hygraph.com","clientId": "CLIENT_ID","isThirdPartyClient": true}
Run npm run dev to start the application.
This example assumes that you've already build a Slack app in your workspace. If you haven't built a Slack app, follow the instructions here.
Define a new OAuth2 provider in the manifest.ts file.
// Define a new OAuth2 provider// Note: replace <your_client_id> with your actual client IDconst HygraphProvider = DefineOAuth2Provider({provider_key: "hygraph",provider_type: Schema.providers.oauth2.CUSTOM,options: {client_id: "<your_client_id>",scope: ["openid", "profile", "email", "offline_access"],provider_name: "Hygraph",authorization_url: "https://graphcms.auth0.com/authorize",token_url: "https://graphcms.auth0.com/oauth/token",token_url_config: {use_basic_auth_scheme: false,},identity_config: {url: "https://graphcms.auth0.com/userinfo",account_identifier: "$.sub",http_method_type: "GET",},authorization_url_extras: {prompt: "consent",access_type: "offline",audience: "https://graphcms.auth0.com/api/v2/",},use_pkce: true,},});export default Manifest({// ...// Add APIs that your application is going to calloutgoingDomains: ["eu-central-1.api.hygraph.com","management.hygraph.com","api-eu-central-1.hygraph.com",],// ...// Tell your app about your OAuth2 providers here:externalAuthProviders: [HygraphProvider],});
Now, build a Slack function that creates a content entry on a user’s behalf,
import { DefineFunction, Schema, SlackFunction } from "deno-slack-sdk/mod.ts";export const CreateContentFunctionDefinition = DefineFunction({callback_id: "create_content_function",title: "Create content function",description: "A crete content function",source_file: "functions/create_content_function.ts",input_parameters: {properties: {token: {type: Schema.slack.types.oauth2,oauth2_provider_key: "hygraph",},project_id: {type: Schema.slack.types.string,description: "The project to create content for",},model_id: {type: Schema.slack.types.string,description: "The model to create content for",},channel_id: {type: Schema.slack.types.channel_id,description: "The channel to post the message in",}},required: ["token", "project_id", "model_id", "channel_id"],},output_parameters: {properties: {contentId: {type: Schema.types.string,description: "ID of the created content",},},required: ["contentId"],},});export default SlackFunction(CreateContentFunctionDefinition,async ({ inputs, client }) => {// Get the token:const tokenResponse = await client.apps.auth.external.get({external_token_id: inputs.token,});if (tokenResponse.error) {const error = `Failed to retrieve the external auth token due to ${tokenResponse.error}`;return { error };}// If the token was retrieved successfully, use it:const externalToken = tokenResponse.external_token;// Make external API call with externalTokenconst response = await fetch("https://eu-central-1.api.hygraph.com/graphql",{method: "POST",body: JSON.stringify({query: `query Viewer {_viewer {... on UserViewer {iduser {idprofile {name}}project(id: "${inputs.project_id}") {environment(id: "master"){authToken}}}}}`,}),headers: new Headers({Authorization: `Bearer ${externalToken}`,"Content-Type": "application/json",}),});if (response.status != 200) {const body = await response.text();const error = `Failed to call my endpoint! (status: ${response.status}, body: ${body})`;return { error };}const responseBody = await response.json();const uuid = crypto.randomUUID();const contentApiToken = responseBody.data._viewer.project.environment.authToken;const createContentResponse = await fetch("https://api-eu-central-1.hygraph.com/v2/cmaz8u024000b07w2o46szn1y/master",{method: "POST",body: JSON.stringify({query: `mutation createContent($data: DemoModel23May20250843CreateInput!) {createDemoModel23May20250843(data: $data) {id}}`,variables: {data: {title: `Sample Content ${uuid}`,slug: `sampleContent${uuid}s`,// Add other fields as required by your model},},}),headers: new Headers({Authorization: `Bearer ${contentApiToken}`,"Content-Type": "application/json",}),});if (createContentResponse.status != 200) {const body = await createContentResponse.text();const error = `Failed to create content! (status: ${createContentResponse.status}, body: ${body})`;return { error };}client.chat.postMessage({channel: inputs.channel_id,text: `Content created successfully with ID: ${uuid}`,});return { outputs: { contentId: uuid } };});
Next, create a Slack workflow.
import { DefineWorkflow, Schema } from "deno-slack-sdk/mod.ts";import { CreateContentFunction } from "../functions/content/definition.ts";const CreateContentWorkflow = DefineWorkflow({callback_id: "create_content_workflow",title: "Create Content",description: "A workflow to create new content",input_parameters: {properties: {interactivity: {type: Schema.slack.types.interactivity,},},required: ["interactivity"],},});CreateContentWorkflow.addStep(CreateContentFunction, {interactivity: CreateContentWorkflow.inputs.interactivity,token: {credential_source: "END_USER",},});export default CreateContentWorkflow;
Create a trigger to invoke the custom function for the workflow.
import { Trigger } from "deno-slack-sdk/types.ts";import { TriggerContextData, TriggerTypes } from "deno-slack-api/mod.ts";import CreateContentWorkflow from "../workflows/create_content_workflow.ts";const createContentTrigger: Trigger<typeof CreateContentWorkflow.definition> = {type: TriggerTypes.Shortcut,name: "Create Content trigger",description: "Trigger to create new content",workflow: `#/workflows/${CreateContentWorkflow.definition.callback_id}`,inputs: {interactivity: {value: TriggerContextData.Shortcut.interactivity,},},};export default createContentTrigger;
Add the client secret that you received from Hygraph for the Slack app. This secret is used to initiate the OAuth2 flow.
slack external-auth add-secret --provider hygraph --secret "<your_client_secret>"
Run the Slack application.
API Endpoints
Each Hygraph project you create, or are invited to, has a unique GraphQL API endpoint (per environment). This endpoint permits you to both query, and mutate data within your project. You will find it as Content API endpoint in your project's API Access settings.
GraphQL introspection is enabled by default, so anybody with access to your endpoint can traverse the graph to see your content types, as well as all queries and mutations.
This API endpoint also contains the current schema environment, by default this will be master.
The API endpoint has the following composition:
https://[region].hygraph.com/v2/[projectId]/[environment]
Click here to learn more about this endpoint.
This high performance endpoint is ideal for delivering content around the globe with low latency and high read-throughput.
The API endpoint has the following composition:
https://[region].cdn.hygraph.com/content/[projectId]/[environment]
Click here to learn more about this endpoint.
You might find the following documents useful: