Skip to main content


Apollo GraphQL Grants

Because we need to set and check Grants (LunaDefend's token specific permissions), the server needs to know what fields are tokens. We provide a schema directive to make this straightforward. Behind the scenes, the directive calls the Dedicated Tokenizer. If there is a problem with the session or the Grant, it will throw an error that Apollo will handle and send to the client.

Automatically create and verify token grants for any field with the @token directive.

const server = new ApolloServer({
schemaDirectives: {token: lunaSec.tokenDirective}, // our initialized instance of the @lunasec/node-sdk
// ... other apollo options

Here's an example schema that has the @token directive. Note that both input fields and normal fields should be decorated with the @token directive. Don't forget to decorate every field that contains a token, or it could be vulnerable. Arrays of tokens are supported.

const typeDefs = gql`
directive @token(duration: String) on FIELD_DEFINITION | INPUT_FIELD_DEFINITION

type Query {
getFormData: FormData

type FormData {
text_area: String @token(duration: "5m30s")
email: String @token
insecure_field: String
files: [String] @token # @token directive also works on arrays of tokens

type Mutation {
setFormData(formData: FormDataInput): FormData

input FormDataInput {
email: String @token
insecure_field: String
text_area: String @token
files: [String] @token


Passing a custom grant duration is optional, just make sure it is below the maximum set in your Tokenizer Backend's configuration.