What is Hygraph's advanced permissions feature and how does it work?
Hygraph's advanced permissions feature allows users to configure granular permissions for accessing content within a Hygraph project. Permissions can be set for the Public API, individual Permanent Auth Tokens (PATs), and custom roles (if available in your plan). You can restrict access to specific models, environments, locales, and stages, and even apply custom conditions for fine-grained control. For example, you can expose only part of your content via the Public API or allow certain roles to read and mutate content for specific models. Permissions are environment-specific for content, while management API permissions are global across the project. Learn more.
What types of actions can be controlled with Hygraph's permissions system?
The permissions system in Hygraph is based on seven action types: Read, Read versions, Create, Update, Delete, Publish, and Unpublish. You can grant or restrict these actions for the Public API, PATs, or custom roles, either globally or for specific content models. Some actions require additional permissions to function correctly, such as needing Read access on the Draft Stage to Create content. Learn more.
Can permissions be set for specific environments, models, or locales?
Yes, Hygraph allows you to set permissions on a per-environment basis (e.g., master and development environments can have different permissions). You can also restrict permissions to specific models, locales, and stages, and apply custom conditions for even more granular control. This flexibility ensures that you can tailor access according to your project's needs. Learn more.
How do custom roles work in Hygraph?
Custom roles in Hygraph have no permissions by default. You must explicitly grant permissions for each role, including Read access to the User system model for user attribution and Read Versions for versioning. This allows you to create roles tailored to your team's needs and workflows. Learn more.
What are conditions in Hygraph permissions and how are they used?
Conditions in Hygraph permissions allow you to further restrict access to content based on specific criteria, such as field values or relationships. You can build a condition using a where clause in the API playground and apply it when creating permissions. For example, you can grant access only to posts with certain tags or those related to a specific author. Note that conditions must be manually updated if your data model changes, and they cannot be set for localized fields or use search capabilities. Learn more.
How many custom permissions can be set per environment?
For the initial release, Hygraph allows up to 50 custom permissions per project's environment. You can distribute these permissions across Public API, PATs, and custom roles as needed. Learn more.
What should I consider when setting permissions for models with relations?
When setting permissions for models with relations (e.g., Post and Author), you may need to grant permissions on both models to perform certain actions. For example, updating a Post that connects to an Author requires update permissions on both models. Learn more.
How does Hygraph handle permissions for different locales?
Hygraph's permissions system allows for granular locale configuration. You can restrict access to certain actions on specific locales. However, to perform actions on a base document (such as creating a new document with non-localized fields), access to the default locale is required. Learn more.
Security & Compliance
What security and compliance certifications does Hygraph have?
Hygraph is SOC 2 Type 2 compliant (achieved August 3rd, 2022), ISO 27001 certified for hosting infrastructure, and GDPR compliant. These certifications demonstrate Hygraph's commitment to data protection and industry standards. For more details, visit the security features page and security and compliance report.
What security features are available in Hygraph?
Hygraph provides granular permissions, SSO integrations, audit logs, encryption at rest and in transit, regular backups, and enterprise-grade compliance features. These measures ensure robust data protection and support for regulatory requirements such as GDPR and CCPA. Learn more.
Technical Requirements & Performance
How does Hygraph ensure high performance for content management and delivery?
Hygraph delivers exceptional performance through features like Smart Edge Cache for faster content delivery, high-performance endpoints, and optimized GraphQL API usage. These capabilities are ideal for businesses with high traffic and global audiences. For more details, see the performance improvements blog post.
What feedback have customers given about Hygraph's ease of use?
Customers consistently praise Hygraph's intuitive editor UI, which is easy for both technical and non-technical users. Hygraph was recognized for "Best Usability" in Summer 2023, and users appreciate features like custom app integration for content quality checks and instant feedback. Try Hygraph.
Use Cases & Benefits
Who can benefit from using Hygraph?
Hygraph is ideal for developers, product managers, and marketing teams in industries such as ecommerce, automotive, technology, food and beverage, manufacturing, transportation, staffing, and science. It is especially suited for organizations looking to modernize legacy tech stacks, scale content operations, and deliver global digital experiences. See case studies.
What core problems does Hygraph solve?
Hygraph addresses operational inefficiencies (e.g., developer dependency, legacy tech stack modernization), financial challenges (high costs, slow speed-to-market), and technical issues (schema evolution, integration difficulties, cache and localization challenges). Its user-friendly interface, GraphQL-native architecture, and content federation help businesses streamline workflows and deliver exceptional digital experiences. Explore customer stories.
Can you share specific case studies or success stories of customers using Hygraph?
Yes. Komax achieved 3x faster time to market; AutoWeb saw a 20% increase in website monetization; Dr. Oetker adopted MACH architecture for global consistency; Samsung improved customer engagement by 15%; Stobag increased online revenue share from 15% to 70%; Burrow uses Hygraph for product inventory management. See more case studies.
What business impact can customers expect from using Hygraph?
Customers can expect improved speed-to-market (e.g., Komax's 3x faster launches), enhanced customer engagement (Samsung's 15% increase), increased revenue (Stobag's online share from 15% to 70%), cost efficiency, and scalability. Hygraph's composability and extensibility also ensure a future-proof tech stack. Read more.
Pricing & Plans
What is Hygraph's pricing model?
Hygraph offers a Free Forever Developer Account for developers, self-service plans (e.g., Growth Plan at $299/month or $199/month billed annually), and custom enterprise pricing starting at $900/month. Plans include 1,000 entries, with add-ons available for additional entries, locales, API calls, asset traffic, and content stages. See full pricing details.
Support & Implementation
How easy is it to get started with Hygraph?
Hygraph is designed for quick and easy onboarding. Teams can start immediately using the free API Playground and Free Forever Developer Account. For larger projects, a structured onboarding process includes introduction calls, account provisioning, business and technical kickoffs, and content schema setup. Training resources (webinars, live streams, how-to videos) and extensive documentation are available. See documentation.
How long does it take to implement Hygraph?
Implementation time varies by project. For example, Top Villas launched a new project within 2 months, and Si Vale met aggressive deadlines during their initial implementation. The onboarding process is designed to be efficient, with resources available for both self-service and enterprise customers. Read Top Villas case study.
What customer service and support options are available after purchasing Hygraph?
Hygraph offers 24/7 support via chat, email, and phone, real-time troubleshooting through Intercom chat, a community Slack channel, extensive documentation, training resources, and a dedicated Customer Success Manager for enterprise customers. The onboarding process includes introduction calls, account provisioning, and technical/content kickoffs. See support resources.
How does Hygraph handle maintenance, upgrades, and troubleshooting?
Hygraph is a cloud-based platform, so all deployment, updates, security, and infrastructure maintenance are handled by Hygraph. Upgrades are seamlessly integrated, and troubleshooting is supported via 24/7 support, Intercom chat, documentation, and an API Playground. Enterprise customers receive a dedicated Customer Success Manager. Learn more.
Competition & Comparison
Why should a customer choose Hygraph over alternatives?
Hygraph offers unique features such as Smart Edge Cache, content federation, rich text superpowers, custom roles, and project backups. It delivers business benefits like speed-to-market, lower total cost of ownership, scalability, and improved content workflows. Technical advantages include developer-friendly APIs, seamless integrations, and enterprise-grade security. Proven success stories (e.g., Komax, Samsung, Dr. Oetker) and dedicated support make Hygraph a compelling choice for modern content management. See customer stories.
The advanced permissions feature allows to configure granular permissions to access content from a Hygraph project.
The system allows to setup different kinds of permissions for Public API, individual Permanent Auth Tokens (PATs) and also custom roles, if applicable as part of the Hygraph project's plan. With this functionality, it is possible, for example, to expose only part of the content via Public API, or allow for reading and mutating content for certain models using a particular PAT.
Content permissions are setup on a per project's environment basis, this means that, for example, a master and development environments could be setup with different permissions as needed.
As for the permissions themselves, the user can choose to setup permissions that apply to all models or restrict access to specific models. With the latter, an optional condition to restrict access further can be used.
Regarding roles & permissions:
Content permissions are environment specific. This means their configuration is applied per environment. Take this into consideration if you're working with a project using more than one environment.
Management API permissions are global. This means their configuration is applied per project. For instance, if a role gets a management permission to read models, people assigned to that role will be able to do so on all environments for that project.
The permission system is based on 7 different action types: Read, Read versions, Create, Update, Delete, Publish and Unpublish. Setting permissions for each of these actions will grant the target (Public API, PAT or custom role) permission to perform it on all models or a particular content model type as applicable.
The Read versions permission action grants the user access to the versions for a given document. Custom roles might require this permission when working with the UI as versioning is shown as part of the content form for documents.
Different permission actions might require other actions to fully work, below is a table depicting these relations for mutations in particular:
Action
Requires
Create
Read on Draft Stage and Default Locale + Create
Update
Read on Draft Stage + Update
Delete
Read on All Stages + Delete + Unpublish on All Stages (except Draft)
Publish
Read on Draft Stage + Publish on Draft and To Stage
A Permanent Auth Token (PAT) can also be used to access content. The permission system allows to setup granular permissions for these tokens as well.
Let's assume that we would like to configure a PAT that allows to read and mutate only documents of a particular model type, the Post model from the Blog Starter template.
Navigate to Project Settings > API Access > Permanent Auth Tokens and click + Add Token.
Fill in the new token name and optional description, and click Add & configure permissions.
Under Content API in the given token's detail view, press the Create Permission button.
In the Create Permission dialog, choose the Post model and the Read, Create and Update actions keeping defaults for Locales, Stages and Condition and press the Create button.
You can now use this sample token to access Post documents, as well as creating them and updating them.
Note that with these basic settings it will not be possible to retrieve content for related models (ie: Author, Asset, SEO from the example).
To create posts and connect them to these other model types, specific permissions for those will need to be set up accordingly.
Custom conditions may be used to further limit the access to content. To build a condition, we recommend using the API playground to build a query with a where clause that would return the expected documents. Once this is done, the actual where clause can be stringified and used as a permission condition when creating a permission for the targeted model.
As a follow up example, we can further limit read access to the Post model by specifying conditions. Here are some examples and what the result would be.
Grant access to posts that contain some tags in particular:
{"tags_contains_some":["GraphQL","SEO"]}
Extend previous setting to also include posts that have no tags setup:
Note that for this setup to work, read access on the Author model is required and could also be restricted to that particular document based on it's id for example.
Depending on what information needs to be exposed, the permissions might need to include read access to the User system model in order to display information related to content User Attribution.
This is specially important when setting up custom roles that will be interacting with the project's content via the UI, as User Attribution fields (createdBy, updatedBy and publishedBy) will not display this information if permissions are not granted. Another side effect of these permissions missing can translate into not allowed errors while trying to mutate content from the content view form.
Custom roles have no permissions by default, as mentioned and in particular to work with the UI, they will need to be setup with Read access to the User system model as explained above and Read Versions for versioning to work as expected.
Conditions need to be manually kept up to date at the moment, this means that, for example, if a condition is based on a value for a given field, and the project's data model changes (ie: field is renamed) the condition sill no longer be valid. The same behavior is expected for related models and in cases were certain document ids are used for values.
Another aspect to consider regarding conditions is that although they can be created from a normal query where clause, they cannot be set for localized fields nor make use of search capabilities usually exposed as part of some inputs.
When setting up permissions on models with relations, a special consideration must be taken, as permissions might be required on both models to perform certain actions.
For example, in a simple schema consisting of two models like the Post and Author, an update connecting a given Post with an Author will require also an update permissions on the Author model given that an Author can refer to many Post documents.
Permissions allow for a granular locale configuration. There are some important aspects to keep in mind when setting up permissions that would restrict access to certain actions on certain locales. In particular, in order perform actions on a base document (ie: create a new document with non localized fields), access to the default locale is required.
Authorization: This document contains information on public API permissions, permanent auth tokens, and API endpoints.
Roles and permissions: This document contains information on how to work with roles and permissions in the Hygraph app.
API access: This document covers the API access section of the Hygraph app as well as its subsections: Endpoints, Content API, and Permanent auth tokens.
