When you add a client, you also associate a secret with that client. You can use the default or provide your own and you can update a client secret at any time. By updating a secret, old secrets become invalid.

This secret is used to add an authorization header, generated with HMAC-SHA256. With this header, the server can assert:

For more info about HMAC, see Wikipedia or Ruby’s OpenSSL::HMAC support.

The Authorization header takes the form:

"GraphQL::Pro #{client_name} #{hmac}"

graphql-ruby-client adds this header to outgoing requests by using the provided --client and --secret values.