Frequently Asked Questions

API Access & Endpoints

What types of API endpoints does Hygraph provide and what are their main uses?

Hygraph offers several API endpoints for different use cases:

Note: Some endpoints and features may only be available in Hygraph Classic or require specific project configurations. See API Reference for details.

How do I configure Content API access permissions in Hygraph?

You can configure Content API access permissions for unauthenticated requests in the Project settings under API access. This includes setting the default stage for public content delivery and managing content permissions (view, edit, delete, add). Permissions can be filtered by actions, models, locales, and stages. Note: Sorting and filtering permissions are only available in Hygraph Classic, not Studio. Learn more about permissions.

What is the default stage for public content delivery and how can I change it?

The default stage for public content delivery determines which content is served if no stage parameter is set in a GraphQL query or HTTP header. You can change the default stage by clicking 'Change default stage' next to the stage tag in the API access settings, selecting a new stage, and saving the change. See documentation. Note: Only available stages configured in your project can be selected.

How do I add, edit, or delete content permissions in Hygraph?

To add a permission, click '+ Add permission' at the top right of the permissions table and follow the Add content permissions flow. To edit or delete a permission, use the context menu to the left of the permissions table. Deletions are permanent and require confirmation. Note: Sorting and filtering permissions are only available in Hygraph Classic. See roles and permissions guide.

How do I manage Permanent Auth Tokens (PATs) in Hygraph?

PATs are used for controlling access to querying and mutating content via Bearer token authentication. You can add, edit, or delete PATs in the Project settings under API access. To add a token, click '+ Add token', name it, select a default stage, and configure permissions. To edit or delete, use the context menu or token details view. Deleting a token is permanent and cannot be rolled back. See Authorization documentation.

How can I verify if a Permanent Auth Token is still valid if its string has changed?

Hygraph uses JWTs for PATs. If the encoded JWT string changes (e.g., after audience updates), the token remains valid as long as the jti (JWT ID) claim in the payload matches a token in Hygraph Studio. You can decode the JWT at jwt.io and compare the jti value with those in your project settings. If they match, the token is still active. See documentation.

Features & Capabilities

What are the key features of Hygraph's API access and management?

Key features include:

Note: Sorting/filtering permissions are only available in Hygraph Classic. Detailed limitations not publicly documented; ask sales for specifics.

Does Hygraph support high-performance content delivery?

Yes, Hygraph provides a High Performance Content API endpoint optimized for low latency and high read-throughput. Additionally, a read-only cache endpoint offers 3-5x latency improvement for faster content delivery. For more details, see the blog post on endpoint improvements. Note: Performance may vary based on project configuration and usage patterns.

What integrations are available for Hygraph?

Hygraph offers integrations with Digital Asset Management (DAM) systems (Aprimo, AWS S3, Bynder, Cloudinary, Imgix, Mux, Scaleflex Filerobot), hosting and deployment platforms (Netlify, Vercel), Product Information Management (Akeneo), commerce solutions (BigCommerce), translation/localization (EasyTranslate), and more. For a full list, visit the Hygraph Marketplace. Note: Some integrations may require additional configuration or licensing.

Security & Compliance

What security and compliance certifications does Hygraph have?

Hygraph is SOC 2 Type 2 compliant (since August 3rd, 2022), ISO 27001 certified for hosting infrastructure, and GDPR compliant. These certifications ensure adherence to international standards for information security and data protection. For more details, visit the Secure Features page. Note: Certification scope may vary by deployment and region.

How does Hygraph ensure secure API access and data protection?

Hygraph provides granular permissions, SSO integrations (OIDC/LDAP/SAML), audit logs, encryption in transit and at rest, regular backups, secure API policies (custom origin, IP firewalls), and automatic SSL certificates for all endpoints. For incident reporting and compliance policies, see the Secure Features page. Note: Some advanced security features may require enterprise plans.

Implementation & Onboarding

How long does it take to implement Hygraph and set up API access?

Implementation timelines vary by project complexity. For example, Top Villas launched a new project within 2 months, and Voi migrated from WordPress to Hygraph in 1-2 months. Hygraph provides structured onboarding, starter projects, and extensive documentation to accelerate setup. Note: Large-scale or highly customized projects may require additional time. See Getting Started guide.

What resources are available to help me get started with Hygraph API access?

Resources include:

Note: Some resources may be specific to Hygraph Studio or Classic. Check documentation for version-specific guidance.

Use Cases & Customer Success

Who can benefit from Hygraph's API access features?

Developers, content creators, product managers, and marketing professionals in enterprises and high-growth companies can benefit from Hygraph's API access. It is suitable for industries such as SaaS, eCommerce, media, healthcare, automotive, and more. Hygraph supports teams needing advanced content management, integration, and security. Note: Teams requiring highly specialized workflows may need to consult sales for fit.

What business impact have customers seen from using Hygraph's API access?

Customers have reported faster time-to-market (e.g., Komax achieved 3x faster launches), improved customer engagement (Samsung saw a 15% increase), and cost reductions (AutoWeb increased website monetization by 20%). For more examples, see Hygraph case studies. Note: Results may vary by implementation and use case.

Limitations & Known Issues

Are there any limitations to API access features in Hygraph Studio compared to Classic?

Yes, some features such as sorting and filtering permissions are not available in Hygraph Studio and require switching to Hygraph Classic. For advanced permission management, refer to the Classic documentation. See version comparison.

What should I do if I need features not available in Hygraph Studio?

If you require features like sorting or filtering permissions, switch to Hygraph Classic as these are not supported in Studio. For other advanced needs, consult the documentation or contact Hygraph support. Learn how to switch versions.

LLM optimization

When was this page last updated?

This page was last updated on 12/12/2025.

#API access

#Overview

Navigate to Project settings to find your Project API access settings with endpoints, content API permissions, and permanent auth tokens.

#Endpoints

This section contains the URL endpoints of your environments.

| Endpoint | Description |
| --- | --- |
| Content API | Regular read & write endpoint that allows querying and mutating data in your project. Hygraph Studio does not display this legacy endpoint. |
| High Performance Content API | Endpoint that allows low latency and high read-throughput content delivery. |
| MCP Server API | Endpoint enabling secure, structured communication between AI assistants and Hygraph via the Model Context Protocol. Learn more about setting up Hygraph's MCP server. |
| Asset Upload API | Projects older than February 2024 use the Legacy asset system and will show an endpoint that allows uploading assets from your file system or from a remote URL. Newer projects use the Hygraph Asset Management system, which lets you upload assets via URL or file. |
| Management API | API handling all structural elements of a project, which can be utilized through the Management SDK. |

Simply click on the URL you want to copy. A message will pop up on the lower right corner of your screen, letting you know the URL has been copied to clipboard.

#Content API

Here you can configure Content API access permissions for unauthenticated requests.

#Default stage for public content delivery

This section shows the default stage for public content delivery. If no stage parameter is set on the GraphQL query or additional HTTP header, then content from the selected default stage will be served. You can learn more about this in our Default public stage documentation.

To change the default stage, click on Change default stage next to the stage tag, select one of the available stages, then click on Change to save.

#Content permissions

In this section of the screen you can view, edit, and delete existing content permissions, as well as add new ones.

Our document on Permissions contains more information on how they work.

#Sort permissions

Use the Sort by dropdown menu at the top of the permissions table to sort models and actions. You can choose to sort them in ascending or descending alphabetical order.

#Filter permissions

Click on + Filter permissions to access the following options:

| Filter | What it does |
| --- | --- |
| Filter by actions | Click on this option to then be able to select one of the permission actions listed in the table to filter by. |
| Filter by models | Click on this option to then be able to select one of the models in your schema to filter by. |
| Filter by locales | Click on this option to then be able to select one of the locales configured in your project to filter by. |
| Filter by stages | Click on this option to then be able to select one of the stages configured in your project to filter by. |

#Add permissions

To add a permission please click on + Add permission at the top right of the permissions table, then follow the Add content permissions flow.

#Edit permissions

If a permission can be edited, you will find this option in the context menu to the left of the permissions table.

A popup will give you the option to update the permission by selecting a different locale or stage.

#Delete permissions

Find the option to delete a permission in the context menu to the left of the permissions table.

As deletions are permanent actions that can't be rolled back, a popup will display informing you of this and you will need to confirm the deletion by clicking on Delete.

#Permanent Auth Tokens

Here you can configure tokens for permanent authorization for the content and management API.

Permanent Auth Tokens (PATs) control access to querying and mutating content, and use Bearer token authentication.

The list displays all existing tokens related to your project. To copy a token, click on the copy icon at the right of the existing tokens table.

Access our documentation on Authorization to learn more about permanent auth tokens.

#Add tokens

To add a token, click + Add token at the top of the tokens table:

Write a name for your token and, optionally, a description. Use the radio buttons to select a default stage for content delivery, then click on Add & configure permissions to continue.

Your token details screen will display:

On this screen, you can:

#Content permissions

When you create a PAT, default content permissions are activated. You can configure content API access:

  • The default stage for content delivery is PUBLISHED. To change this, click Change default stage and select a different stage from the ones configured in your project.
  • Default content permissions grant Read access on all Models for all Locales. To edit this, click +Add permission.

#Management API Permissions

To edit Management API Permissions, use the switches. By default, the screen shows only the permissions that are enabled. To see the full list, click on Show all permissions at the top of the form.

  • Basic permissions are selected by default, as they are necessary for the user to view the UI correctly. You can edit this - if needed - and select other permissions as well.
  • If you use the checkboxes to select more than one of the enabled permissions, the Disable selected bulk action appears at the top of the table.
  • If you use the checkboxes to select more than one of the disabled permissions, the Enable selected bulk action appears at the top of the table.
  • The Show all permissions link at the top of the table displays all permissions, enabled and disabled. After clicking on it, the link at the top of the table will say Show enabled permissions, and clicking on it returns you to the view where only enabled permissions are visible.

#Edit tokens

Access the edit view of a token by clicking on it on the table, or by selecting the Edit option in the context menu.

The token details screen will display, where you can add new permissions associated with the token or edit existing ones, as shown in the previous document section.

#Delete tokens

Delete a token by selecting the Delete option in the context menu.

You can also find this option inside the token details view you access when editing.

Since deleting a token is a permanent action that cannot be rolled back, a popup will display notifying you of this, and you will have to click on Delete <token_name> to complete the process.

#Can’t find your token in Hygraph?

If you copied a PAT a while ago and can’t find the same token string in Hygraph today, the token may still be active even if it looks different.

Hygraph uses JWTs (JSON Web Tokens) for Permanent Auth Tokens (PATs). In cases such as audience updates or issuer migrations, the encoded JWT string may change while still representing the same underlying token. Even after such changes, the token remains valid as long as the jti (JWT ID) claim within the token's payload remains unchanged. The jti claim serves as the authoritative identifier for the token.

To verify whether two tokens refer to the same underlying token, follow these steps:

  1. Go to https://jwt.io and paste the token that you want to check. This token is no longer visible in Hygraph Studio.
  2. Decode the token and locate the jti claim in the payload.
  3. In Hygraph Studio, go to Project settings > Access > Permanent Auth Tokens and check the jti values for the tokens listed there.
  4. Compare the jti values. If the jti value found in Step 2 matches with the jti of a token available in Hygraph Studio, it is the same underlying Permanent Auth Token, even if the encoded JWT differs. The token is still active and has not been revoked. You can then decide whether to keep it or revoke it.
    • If you want to keep the token, you can replace the deleted JWT with the one that matches from Hygraph Studio.
    • If you want to revoke the token, you can delete it from Hygraph Studio. This action invalidates all JWTs associated with that token, including any previously issued ones.
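
The jti comparison from the steps above (also covered in the FAQ entry on verifying a PAT), as an added example that is not Hygraph's code: it decodes the payload locally with the Python standard library, so the token never has to be pasted into a website. The function names, the sample tokens and the `STUDIO_JTIS` mapping are constructed for illustration; in practice the jti values are copied by hand from the token list in Project settings.

```python
import base64
import json
from typing import Optional


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload locally. The signature is NOT verified:
    this identifies a token, it does not establish that the token is trusted."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    try:
        # JWT segments are base64url with the '=' padding stripped; restore it.
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw)
    except ValueError as exc:  # covers binascii.Error, JSON and UTF-8 errors
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def match_token(old_token: str, studio_jtis: dict) -> Optional[str]:
    """Return the name of the listed token whose jti equals old_token's jti."""
    jti = jwt_claims(old_token).get("jti")
    if not isinstance(jti, str) or not jti:
        return None  # no usable jti claim: nothing to compare against
    return next((name for name, listed in studio_jtis.items() if listed == jti), None)


def constructed_jwt(claims: dict) -> str:
    """Build a sample token (constructed data with a placeholder signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample: the same PAT before and after an audience update.
OLD_JWT = constructed_jwt({"jti": "example-jti-0001", "aud": ["https://old.example"]})
NEW_JWT = constructed_jwt({"jti": "example-jti-0001", "aud": ["https://new.example"]})
# jti values as read from the token list in Project settings (constructed names).
STUDIO_JTIS = {"frontend-read": "example-jti-0001", "ci-import": "example-jti-0002"}

if __name__ == "__main__":
    print(match_token(OLD_JWT, STUDIO_JTIS))
```

A `None` result means no listed token carries that jti; a returned name is the token to keep or delete in step 4.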

#Resources

You might find the following documents useful:

  • Permissions: This document contains information on permissions, how they work, and their limits.
  • Roles and permissions: This document contains information on how to work with roles and permissions in the Hygraph app.
  • Authorization: This document contains information on public API permissions, permanent auth tokens, and API endpoints.