We're transitioning Studio from Beta to Early Availability

You are currently reading the Studio Docs. If you were looking for the Classic Docs check here


By default, queries and mutations require a Permanent Auth Token token, but you can configure the Public API Permissions to allow unauthenticated requests.

Hygraph allows you to configure access for each model, stage, environment, locale, and whether or not you permit mutations.

#Public API permissions

By default all new projects disable public API access.

You can configure custom permissions, or initialize the defaults.

For example, here you can see how to configure the Content API to allow access to READ the Page model on stages Published and Draft with the locale English.

Create API permissionCreate API permission

You can also specify an optional condition that restricts access even further. For example, you could specify the condition { "id": "ckoimwlu80ck20a88z6i754cw" }. This would then only allow you to fetch the Post with id ckoimwlu80ck20a88z6i754cw.

Learn more about Public API permissions

#Default public stage

If no stage parameter is set on the GraphQL query, or via a HTTP header, the content from the default set content stage will be served.

Default Content StageDefault Content Stage

The default public stage is set to PUBLISHED for all new projects.

#Permanent auth tokens

Permanent Auth Tokens are used for controlling access to querying, mutating content, and come in the form of Bearer token authentication.

Similar to Public API permissions, you can create individual PATs for specific API actions.

Some users create PATs for only querying data from the draft stage, for creating previews in staging environments. You may also opt to create a PAT for mutations, so you can perform changes to your content models server-side.

If you are mutating data from the frontend, you should hide this token at the server level, and not expose your PAT client-side.

The Permanent Auth Token must be passed via the Authorization header on HTTP requests in the format of a Bearer token:

Authorization: Bearer PERMANENT_AUTH_TOKEN

Learn more about PAT permissions

#API endpoints

API EndpointsAPI Endpoints

#Regular read & write endpoint

Each Hygraph project you create, or are invited to, has a unique GraphQL API endpoint (per environment). This endpoint permits you to both query, and mutate data within your project. You will find it as Content API endpoint in your project's API Access settings.

GraphQL introspection is enabled by default, so anybody with access to your endpoint can traverse the graph to see your content types, as well as all queries and mutations.

This API endpoint also contains the current schema environment, by default this will be master.

The API endpoint has the following composition:


Click here to learn more about this endpoint.

#High performance endpoint

This high performance endpoint is ideal for delivering content around the globe with low latency and high read-throughput.

The API endpoint has the following composition:


Click here to learn more about this endpoint.


You might find the following documents useful:

  • Permissions: This document contains information on permissions, how they work, and their limits.
  • Roles and permissions: This document contains information on how to work with roles and permissions in the Hygraph app.
  • API access: This document covers the API access section of the Hygraph app as well as its subsections: Endpoints, Content API, and Permanent auth tokens.