Access Control

The GraphQL endpoint, which can return any piece of data accessible through the schema, could potentially allow malicious actors to retrieve private information. Hence, we must implement security measures to protect the data.

With access control lists, we can define who can access each operation, field and directive in the schema:

• Disable access to everyone
• Grant access if the user is logged-in, or logged-out
• Grant access if the user has some role
• Grant access if the user has some capability
• Grant access if the visitor comes from some IP or IP range