Skip to main content

How to set target authentication: GraphQL

Learn how to configure Snyk API & Web to authenticate and scan an API using a GraphQL schema.

Written by Antonio Sergio Azevedo
Updated this week

If your GraphQL API requires authentication, Snyk API & Web can be configured to run authenticated requests and scan the API endpoints.

After adding an API target, you can configure the authentication before starting the scan. Setting authentication before starting the scan is especially important when you select the introspection option for your schema, as it is best practice to allow introspection only to authenticated requests.

NOTE: GraphQL Introspection enabled is considered a Low Severity vulnerability. When enabled, we recommend that you restrict access to your GraphQL API using authentication.

The scenarios described in How to set target authentication: OpenAPI will work the same way for your GraphQL API:

  • Authenticate with an API token in the request header

    Using application/json or application/x-www-form-urlencoded media types.

  • Authenticate with a static header/cookie

  • Authenticate with a fixed API key in a request parameter

You can also use application/graphql as the authentication media type. This format is supported by GraphQL servers.

Authenticate with an API token in the request header (using application/graphql media type)

When using application/graphql as the authentication media type, the request body contains only the raw GraphQL query or mutation string.

To configure this option, proceed as follows:

  1. In the Snyk API & Web app, go to the Targets menu and click on the cogwheel to open the target settings.

  2. On the Authentication tab locate the API TARGET AUTHENTICATION module.

API target authentication using application/graphql media type

Fill out the form as follows:

  1. Select application/graphql as the AUTHENTICATION MEDIA TYPE of the payload/request to the authentication endpoint.

  2. Type the authentication URL in the LOGIN URL field.

  3. In the AUTHENTICATION PAYLOAD, enter the GraphQL mutation to be sent in the body of the POST request to the LOGIN URL.

  4. Click Fetch to authenticate, and the TOKEN SELECTOR is filled with a list of fields obtained in the authentication response. If the authentication fails, an error is displayed.

  5. In the TOKEN SELECTOR, choose the field that contains the authentication token.

  6. In the PLACE TOKEN IN, choose where to place the token in the API requests.
    In most cases, the token is placed in the header. The other option is cookie.

  7. In the FIELD NAME, enter the name of the field in the header or cookie that will hold the token.

  8. Optionally, set a VALUE PREFIX for the token value.
    This is often needed for JWTs. For instance, if your API requires you to send a header like: Authorization: JWT <token>, set the following values:
    ​

    1. FIELD NAME: Authorization

    2. VALUE PREFIX: JWT
      ​

  9. Click on Save and enable.

You can turn this authentication on/off at any time using the Off/On toggle button, or delete the configuration using the Delete button.

Did this answer your question?