⚡️ Pro Feature ⚡️ This feature is bundled with GraphQL-Pro.
The OperationStore has a built-in mechanism for authenticating incoming sync requests. This way, you can be sure that all registered queries came from legitimate sources.
When you add a client, you also associate a secret with that client. You can use the default or provide your own, and you can update a client secret at any time. Updating a secret invalidates the old secrets.
This secret is used to add an authorization header, generated with HMAC-SHA256. With this header, the server can assert:
For more info about HMAC, see Wikipedia or Ruby’s OpenSSL::HMAC support.
The Authorization header takes the form:
"GraphQL::Pro #{client_name} #{hmac}"
graphql-ruby-client adds this header to outgoing requests by using the provided --client and --secret values.
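The sketch below shows how a header of this form can be built and checked with Ruby's OpenSSL::HMAC. It is an added example, not GraphQL-Pro's or graphql-ruby-client's own code. It assumes the HMAC is computed over the raw request body and hex-encoded; the method names, client name and secrets are hypothetical.

```ruby
require "openssl"

# Constructed sample data: the client name and secrets are made up for this example.
CLIENT_SECRETS = { "my-web-app" => "s3cret-v1" }.freeze
SAMPLE_BODY = '{"operations":[{"alias":"abc","body":"query { viewer { id } }"}]}'

# Client side: sign the request body and format the Authorization header value.
# Assumption: HMAC-SHA256 over the raw body, hex-encoded.
def build_authorization_header(client_name, secret, body)
  hmac = OpenSSL::HMAC.hexdigest("SHA256", secret, body)
  "GraphQL::Pro #{client_name} #{hmac}"
end

# Server side: return the authenticated client name, or nil if the header is
# malformed, the client is unknown, or the HMAC does not match the body.
def verify_authorization_header(header, body, secrets)
  match = /\AGraphQL::Pro (\S+) ([0-9a-f]{64})\z/.match(header.to_s)
  return nil unless match

  client_name = match[1]
  given_hmac = match[2]
  secret = secrets[client_name]
  return nil unless secret

  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, body)
  # Constant-time comparison, so response timing does not reveal how many
  # leading characters of a guessed HMAC were correct.
  OpenSSL.secure_compare(expected, given_hmac) ? client_name : nil
end

if __FILE__ == $PROGRAM_NAME
  header = build_authorization_header("my-web-app", "s3cret-v1", SAMPLE_BODY)
  rotated = { "my-web-app" => "s3cret-v2" } # the secret was updated on the server

  puts "valid request:   #{verify_authorization_header(header, SAMPLE_BODY, CLIENT_SECRETS).inspect}"
  puts "modified body:   #{verify_authorization_header(header, SAMPLE_BODY + ' ', CLIENT_SECRETS).inspect}"
  puts "after rotation:  #{verify_authorization_header(header, SAMPLE_BODY, rotated).inspect}"
end
```

A header signed with the old secret fails verification once the stored secret changes, which is the invalidation behavior described above.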