#API access
The API Access section of your project settings is where you find your API endpoints, configure unauthenticated Content API permissions, and manage Permanent Auth Tokens (PATs). Navigate to Project Settings > Access to get started.
For a conceptual overview of authorization and authentication in Hygraph, see Authorization.
#Endpoints
The Endpoints section lists the API URLs for your project's environments. Click any URL to copy it to your clipboard.
| Endpoint | Description |
|---|---|
| High Performance Content API | Low-latency, high-read-throughput endpoint for content delivery. |
| MCP Server API | Enables structured communication between AI assistants and Hygraph via the Model Context Protocol. See setting up Hygraph's MCP server. |
| Management API | Handles all structural elements of a project. Use it via the Management SDK. |
#Content API
The Content API section lets you configure access permissions for unauthenticated requests to your project's Content API, that is, requests made without a PAT.
API Access - Content API
#Default stage for public content delivery
This setting determines which content stage is served when no stage parameter is included in a query or HTTP header. To change it:
- Click Change default stage next to the current stage tag.
- Select a stage from the available options.
- Click Change to save.
Learn more about the default public stage.
#Content permissions
Content permissions determine what unauthenticated users can read from your Content API. This section lets you view, add, edit, and delete permissions.
API Access - Content permissions
For a full explanation of how content permissions work, see Content permissions.
#Add a permission
Click + Add permission at the top right of the permissions table, then follow the Add content permissions flow.
#Edit a permission
Click the context menu to the left of a permission row and select Edit. A dialog will appear where you can update the locale or stage.
API Access - Edit permissions
#Delete a permission
Click the context menu to the left of a permission row and select Delete. Confirm the deletion in the dialog that appears. This action is permanent and cannot be undone.
API Access - Delete permissions
#Permanent Auth Tokens
Permanent Auth Tokens (PATs) provide authenticated access to the Content API and Management API using Bearer token authentication. Each token can be configured with its own set of content and Management API permissions.
The tokens table lists all existing tokens for the project. Click the copy icon to the right of a token to copy it to your clipboard.
See Authorization — Permanent auth tokens for a conceptual overview of how PATs work.
API Access - Permanent Auth Tokens
#Add a token
- Click + Add token at the top of the tokens table.
- Enter a name and optional description for the token.
- Select a default stage for content delivery using the radio buttons.
- Click Add & configure permissions to create the token.
The token details screen opens, where you configure content API access and Management API permissions.
#Configure Content API permissions
When a PAT is created, default content permissions are enabled: Read access on all models for all locales with PUBLISHED as the default content stage.
From the token detail view you can:
- Change the default content delivery stage by clicking Change default stage and selecting a different option.
- Add a custom permission by clicking + Add permission and following the Add content permissions flow.
#Configure Management API permissions
To configure Management API permissions for a token:
- On the token details screen, scroll to the Management API Permissions section.
- Click Show all permissions to view the full list. Only enabled permissions are shown by default.
- Use the toggles to enable or disable individual permissions.
- To bulk-enable or bulk-disable permissions, use the checkboxes to select multiple rows. The Enable selected or Disable selected action appears at the top of the table.
For a full reference of all available permissions, see Management API permissions.
#Edit a token
Click a token row in the table, or select Edit from its context menu. The token detail view will open, where you can update permissions as described above.
API Access - Edit token
#Delete a token
Select Delete from the token's context menu, or click Delete from within the token detail view. Confirm the deletion in the dialog that appears. Deleting a token is permanent and invalidates all JWTs (JSON Web Tokens) associated with it.
API Access - Delete token
#Can’t find your token in Hygraph?
If you copied a PAT a while ago and can’t find the same token string in Hygraph today, the token may still be active even if it looks different.
Hygraph uses JWTs (JSON Web Tokens) for Permanent Auth Tokens (PATs). In cases such as audience updates or issuer migrations, the encoded JWT string may change while still representing the same underlying token. Even after such changes, the token remains valid as long as the jti (JWT ID) claim within the token's payload remains unchanged. The jti claim serves as the authoritative identifier for the token.
To verify whether two tokens refer to the same underlying token, follow these steps:
- Go to https://jwt.io and paste the token that you want to check. This token is no longer visible in Hygraph Studio.
- Decode the token and locate the
jticlaim in the payload. - In Hygraph Studio, go to Project settings > Access > Permanent Auth Tokens and check the
jtivalues for the tokens listed there. - Compare the
jtivalues. If thejtivalue found in Step 2 matches thejtiof a token available in Hygraph Studio, it is the same underlying Permanent Auth Token, even if the encoded JWT differs. The token is still active and has not been revoked. You can then decide whether to keep it or revoke it.- If you want to keep the token, you can replace the deleted JWT with the one that matches from Hygraph Studio.
- If you want to revoke the token, you can delete it from Hygraph Studio. This action invalidates all JWTs associated with that token, including any previously issued ones.
Permanent Auth Tokens list
#What's next
- Content permissions: How content permissions work and their limits.
- Roles and permissions: Create and configure roles, assign permissions, and set up role-based access.
- Authorization: Public API permissions, PATs, and endpoints.