Authentication and Authorization

Learn how to handle authentication and authorization with GraphQL, cookies vs. header-based authentication, and common security issues.

In this chapter of the course, we’ll start looking into how we can implement authentication with GraphQL. Authentication is an involved topic, and before we write our first line of code, we need to weigh our options and make a few decisions regarding how our authentication will work.

Authentication and authorization

Authentication and authorization are commonly confused concepts that mean different things.

  • Authentication: A process of verifying the identity of a user. It answers the question, “Who are you?” For example, a user can be asked to enter a username and password to authenticate, and if these credentials are correct, we can identify who the user sending a particular request is.

  • Authorization: A process verifying which operations a particular user can do. It answers the question, “What can you do?” For example, we might allow an admin to view the profile information of other users and disallow it for regular users.

This course mainly focuses on implementing authentication in our application.

Authentication in GraphQL

Now, you might be wondering how authentication should be implemented in a GraphQL API. This is entirely up to us! The GraphQL specification doesn’t describe how it should be implemented, so we need to make all the decisions.

The first choice we have to make is whether we want to implement authentication using GraphQL or if we want to keep it separate from our GraphQL API.

If we implement it using GraphQL, a user has to send a GraphQL mutation to authenticate. This mutation returns a security token that a user must include with subsequent requests.

Get hands-on with 1400+ tech skills courses.