What are app tokens in Hygraph and why are they important?

App tokens in Hygraph are secure credentials generated for your app during installation. They are used to authorize API requests and enable your app to interact with Hygraph's management API. App tokens help ensure that only authorized apps can access and modify project data, enhancing security and control over integrations. Source: https://hygraph.com/docs/app-framework/app-tokens

How do I generate an app token for my Hygraph app?

To generate an app token, you need your app's Client ID and Client Secret. During installation, use these credentials to exchange an authorization code for an app token via the Hygraph management API. The process involves creating an API route (e.g., /api/saveAppToken.ts) that sends a POST request to /app-exchange-token with your credentials and exchange code. The returned app token can then be used for authorized API requests. Source: https://hygraph.com/docs/app-framework/app-tokens#step-by-step

How should I securely store app tokens in my application?

App tokens should be stored securely and never exposed in client-side code or public repositories. While the documentation provides a localStorage example for demonstration, this is not recommended for production. Instead, store tokens in secure server-side environments or encrypted storage solutions to prevent unauthorized access. Source: https://hygraph.com/docs/app-framework/app-tokens#step-by-step

How do I use an app token to authorize API requests in Hygraph?

Once you have generated and securely stored your app token, include it in the Authorization header of your API requests as Bearer . This allows your app to perform authorized operations, such as creating models or managing content, via the Hygraph management API. Source: https://hygraph.com/docs/app-framework/app-tokens#step-by-step

What is the purpose of the token in the script?

The token is used for authorization in the fetch request, allowing secure access to Hygraph's APIs and resources. Source: https://hygraph.com/blog/wine-db?

What are System Tokens in Hygraph and how are they used?

System tokens in Hygraph are designed for internal tools and automation. They can have different grants, such as for scripts that periodically dump data, connect legacy CMS systems, or import/export data. These tokens provide secure, programmatic access for backend operations. Source: https://hygraph.com/faq

What security and compliance certifications does Hygraph have?

Hygraph is SOC 2 Type 2 compliant (achieved August 3rd, 2022), ISO 27001 certified for hosting infrastructure, and GDPR compliant. These certifications demonstrate Hygraph's commitment to secure and compliant data management. Source: https://hygraph.com/features/secure

How does Hygraph ensure the security of app tokens and sensitive credentials?

Hygraph recommends keeping Client ID and Client Secret confidential and never storing them in public repositories. Data is encrypted at rest and in transit, and regular backups are performed. Granular permissions, SSO integrations, and audit logs further enhance security. Source: https://hygraph.com/features/secure

What resources are available for learning about Hygraph's App Framework and app tokens?

Hygraph provides extensive documentation and guides, including: App Framework Overview, Migrate to apps, Register an app, Install an app, Delete an app, First steps tutorial, Next.js starter, API Reference.

What documentation is available in the 'First Steps' tutorial for the App Framework?

The 'First Steps' tutorial covers: Overview, Register your app, Develop your app, Installation flow, Configuration flow, Field element, Sidebar element, Page element.

What support options are available for developers using Hygraph's App Framework?

Hygraph offers 24/7 support via chat, email, and phone, real-time troubleshooting through Intercom chat, a community Slack channel (join here), and extensive documentation (Hygraph Documentation). Enterprise customers receive a dedicated Customer Success Manager for personalized guidance. Source: https://hygraph.com/docs

How does Hygraph handle maintenance, upgrades, and troubleshooting for app developers?

Hygraph is a cloud-based platform that manages all deployment, updates, and infrastructure maintenance. Upgrades are seamlessly integrated, and troubleshooting is supported through multiple channels, including documentation, API playgrounds, and direct support. Source: manual

How easy is it to get started with Hygraph's App Framework?

Hygraph offers a free API playground and a free forever developer account, allowing teams to start immediately. The onboarding process includes introduction calls, account provisioning, and technical/content kickoffs. Training resources such as webinars, live streams, and how-to videos are available for step-by-step guidance. Source: https://hygraph.com/docs

Who can benefit from using Hygraph's App Framework and app tokens?

Developers building custom integrations, product managers managing workflows, and marketing teams delivering content across channels can benefit from Hygraph's App Framework. It is ideal for businesses in ecommerce, automotive, technology, manufacturing, and more, especially those modernizing legacy tech stacks or requiring scalable, secure content management. Source: ICPVersion2_Hailey.pdf

How does Hygraph ensure high performance for app integrations?

Hygraph offers Smart Edge Cache for enhanced performance and faster content delivery, high-performance endpoints for reliability and speed, and practical advice for optimizing GraphQL API usage. These features support global audiences and high-traffic applications. Source: https://hygraph.com/blog/improvements-to-high-performance-endpoint

When was this page last updated?

This page wast last updated on 12/12/2025 .

#Exchanging and using app tokens

#Overview

This document shows how to generate an app token for your app, while your app is installing. Make sure you have the ClientID and the Client Secret of your app before you start.

Please note that Client ID and Client Secret should be kept secret and must not be stored in your repository with your app code.

#Step by step

Assuming you created your app using create-next-app, your app's setup page should look similar to the example below if you're working with app tokens. Notice the section under the comment, which you need to modify as in the example:

import { useApp, Wrapper } from '@hygraph/app-sdk-react';

function Setup({ code }: { code: string }) {
  const { context } = useApp();
  const managementApiBaseUrl = context.project.mgmtApi.split("/")
    .slice(0, -1)
    .join("/");

  return (
    <Button
      onClick={() =>
        fetch(`/api/saveAppToken`, {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({
            code,
            environmentId: context.environment.id,
            managementApiBaseUrl,
          }),
        })
          .then((res) => res.json())
          .then((data) => {
            // Save token to localstorage
            localStorage.setItem('app-token', data.appToken);
          })
      }
    >
      Get App Token
    </Button>
  );
}

// You'll get the exchange code in your setup page as query param only while
// your App Installation is not completed
export default function SetupPage() {
  const { query } = useRouter();
  return (
    <Wrapper>
      <Setup code={query.code as string} />
    </Wrapper>
  );
}

Using localStorage is an unsafe way to store app tokens. Please note that we're only using it here as an example.

In the above example const { query } = useRouter() was added to get the code from the query, and Setup code={query.code as string} was added to pass the code in the setup component.

The next step is to create a new API route /api/saveAppToken.ts. This is the file where your app token will be generated:

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse<Data>
) {
  const body = req.body as { code: string; environmentId: string; managementApiBaseUrl: string; };
  const response = await fetch(`${managementApiBaseUrl}/app-exchange-token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      clientId: process.env.CLIENT_ID,
      clientSecret: process.env.CLIENT_SECRET,
      exchangeCode: req.body.code,
    }),
  });
  const { appToken } = (await response.json()) as { appToken: string };
  // Return App token to the browser so it can save it in localstorage
  res.status(200).json({ appToken });
}

Now you can pass the saved app token in your header for authorization. For example, to create a new model using the saved app token, you can create another API route /api/createHygraphModel.ts:

const createModelMutation = `
  mutation CreateModelMutation($input: CreateModelInput!) {
    createModel(data: $input) {
      migration {
        id
      }
    }
  }
`;

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse<Data>
) {
  // Get App token from the client, saved in localstorage, in the request body
  const body = req.body as { appToken: string; environmentId: string; managementApiUrl: string; };

  const response = await fetch(managementApiUrl, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${body.appToken}`,
    },
    body: JSON.stringify({
      query: createModelMutation,
      variables: {
        input: {
          environmentId: body.environmentId,
          apiId: '<your_model_api_id>',
          apiIdPlural: '<your_model_api_id_plural>',
          displayName: '<Your model display name>',
          description: '<Your model description>',
        },
      },
    }),
  });

  res.status(200).json(response);
}

And here is the frontend code for invoking this API route:

import { useApp, Wrapper } from '@hygraph/app-sdk-react';

function CreateHygraphModel({ code }: { code: string }) {
  const { context } = useApp();
  const managementApiUrl = context.project.mgmtApi;

  return (
    <Button
      onClick={() =>
        fetch(`/api/createHygraphModel`, {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({
            appToken: /* Get Saved App Token */,
            environmentId: context.environment.id,
            managementApiUrl,
          }),
        })
          .then((res) => res.json())
          .then((data) => {
            console.log('🎉 Created Hygraph Model');
          })
      }
    >
      Create Hygraph Model
    </Button>
  );
}

// Remember to wrap the component in Hygraph App Wrapper
export default function SetupPage() {
  const { query } = useRouter();
  return (
    <Wrapper>
      <CreateHygraphModel />
    </Wrapper>
  );
}

#Resources

App Framework: Overview to our App Framework, which extends Hygraph capabilities, offering the possibility of creating your own custom apps and sharing them with other users.
Migrate to apps: A guide on migrating from UIX to app.
Register an app: Documentation for developers on how to register an app on the Hygraph platform.
Install an app: Step by step guide on how to install an app in your Hygraph project.
Delete an app: Documentation for developers on how to delete an app you have created.
First steps: Comprehensive step-by-step guide on how to develop an app with custom field and sidebar elements.
Next.js starter: Document that guides you through the process of developing an app with a custom field using our Next.js starter.
API Reference: Our App Framework API Reference.

Frequently Asked Questions

App Tokens & Authorization