GraphCMS allows you to configure access to each stage, environment, and whether or not you permit mutations.
By default, all new projects disable public API access. You can enable queries from your content stages, as well as specify the default stage that data is queried from.
Since all new content entries use DRAFT as the default stage, you will need to enable querying drafts before you can enable mutations.
Enabling public access to your project means that anybody with your API endpoint can query sensitive data, and perform destructive actions.
Permanent Auth Tokens (PATs) are used for controlling access to querying and mutating content, and are presented using Bearer token authentication.
Similar to Public API permissions, you can create individual PATs for specific API actions.
Some users create PATs that can only query data from the draft stage, for generating previews in staging environments. You may also opt to create a PAT for mutations, so you can make changes to your content server-side.
If you are mutating data from the frontend, keep this token on the server and never expose your PAT client-side.
The Permanent Auth Token must be passed via the Authorization header on HTTP requests, in the format of a Bearer token:
Authorization: Bearer PERMANENT_AUTH_TOKEN
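The following is an added example, not GraphCMS's own code, showing the two points above in practice: how the PAT is attached as a Bearer token, and how a small server-side proxy keeps the token off the client while refusing mutations when it only holds a query PAT. The endpoint URL and token value are placeholders, and the operation-type check is a hypothetical helper written for this example; in deployment the endpoint and PAT would be read from the server's environment.

```javascript
// Added example, not GraphCMS's own code: a server-side helper that attaches a
// Permanent Auth Token as a Bearer token and can act as a read-only proxy so
// the PAT never reaches the browser. Endpoint URLs and token values used with
// these functions are placeholders; read them from the server's environment.

// Return the operation types ("query", "mutation", "subscription") of each
// top-level definition in a GraphQL document. Comments are stripped first;
// string literals and nested braces/parentheses are skipped so that a "{" or
// the word "mutation" inside an argument value is not mistaken for an operation.
function operationTypes(document) {
  const src = document.replace(/#[^\n]*/g, "");
  const ops = [];
  let depth = 0;
  let inString = false;
  let header = []; // bare words seen at depth 0 since the last top-level "{"
  let word = "";
  const endWord = () => {
    if (word && depth === 0) header.push(word);
    word = "";
  };
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (inString) {
      if (ch === "\\") i++;              // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') { endWord(); inString = true; continue; }
    if (/[A-Za-z0-9_]/.test(ch)) { word += ch; continue; }
    endWord();
    if (ch === "{" || ch === "(") {
      if (ch === "{" && depth === 0) {
        const kw = header[0];
        if (kw === "query" || kw === "mutation" || kw === "subscription") ops.push(kw);
        else if (kw !== "fragment") ops.push("query"); // anonymous "{ ... }" is a query
        header = [];
      }
      depth++;
    } else if (ch === "}" || ch === ")") {
      depth--;
    }
  }
  return ops;
}

// A proxy that only holds a query PAT should refuse mutations before forwarding.
function isAllowed(query, readOnly) {
  return !(readOnly && operationTypes(query).includes("mutation"));
}

// Build the HTTP request GraphCMS expects: a JSON POST with the PAT carried in
// the Authorization header in the "Bearer <token>" format shown above.
function buildRequest(endpoint, token, query, variables = {}) {
  return {
    url: endpoint,
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${token}`,
    },
    body: JSON.stringify({ query, variables }),
  };
}

// Server-side handler: the browser posts { query, variables } to your own
// backend, and this function adds the token and forwards the request. The
// `fetchImpl` parameter defaults to the global fetch (Node 18+) and can be
// replaced in tests.
async function proxyGraphQL({ query, variables }, { endpoint, token, readOnly = true, fetchImpl = globalThis.fetch }) {
  if (!isAllowed(query, readOnly)) {
    return { status: 403, body: { errors: [{ message: "Mutations are not permitted through this proxy" }] } };
  }
  const req = buildRequest(endpoint, token, query, variables);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return { status: res.status, body: await res.json() };
}
```

In use, the browser calls your own backend route, which invokes `proxyGraphQL` with `endpoint: process.env.GRAPHCMS_ENDPOINT` and `token: process.env.GRAPHCMS_PAT`; the client bundle never contains the PAT, and with `readOnly: true` a mutation is rejected before the token is ever attached to a request. A second route with a mutation-capable PAT and `readOnly: false` can serve trusted server-side jobs.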
Each GraphCMS project you create, or are invited to, has a unique GraphQL API endpoint (per environment). This endpoint permits you to both query and mutate data within your project.
GraphQL introspection is enabled by default, so anybody with access to your endpoint can traverse the graph to see your content types, as well as all queries and mutations.
The API endpoint also contains the current schema environment; by default this will be
Your endpoint will look something like: