⚡️ Pro Feature ⚡️ This feature is bundled with GraphQL-Pro.

Access Control


  1. Authentication

The OperationStore has a built-in mechanism for authenticating incoming sync requests. This way, you can be sure that all registered queries came from legitimate sources.


When you add a client, you also associate a secret with that client. You can use the default or provide your own and you can update a client secret at any time. By updating a secret, old secrets become invalid.

This secret is used to add an authorization header, generated with HMAC-SHA256. With this header, the server can assert:

For more info about HMAC, see Wikipedia or Ruby’s OpenSSL::HMAC support.

The Authorization header takes the form:

"GraphQL::Pro #{client_name} #{hmac}"

graphql-ruby-client adds this header to outgoing requests by using the provided --client and --secret values.