16 Oct 2023
In this tutorial, we'll learn how to use the GraphQL Yoga Plugin system to protect requests using API keys with Unkey.
Let's begin with a very simple GraphQL schema and server:
import { createSchema } from "graphql-yoga";
const schema = createSchema({
typeDefs: /* GraphQL */ `
type Query {
hello: String
}
`,
resolvers: {
Query: {
hello: () => "world",
},
},
});
import { createServer } from "node:http";
import { createYoga, createSchema } from "graphql-yoga";
const yoga = createYoga({
schema,
plugins: [],
});
const server = createServer(yoga);
server.listen(4000, () => {
console.info("Server is running on http://localhost:4000/graphql");
});
To get things started, we'll run the server locally using ts-node
:
npx ts-node server.ts
Go to Unkey.dev, signup and create a new API project.
Since we'll be veriying API keys only, we can use the @unkey/api
dependency to verify the API key. Let's install it:
npm install @unkey/api
Now add the following imports to the server.ts
file:
import { createYoga, createGraphQLError, type Plugin } from "graphql-yoga";
import { verifyKey } from "@unkey/api";
We'll be hooking into the onRequestParse
plugin hook to verify the API key. Let's create a plugin that does that:
function useUnkey(): Plugin {
return {
async onRequestParse({ request }) {
const token = request.headers.get("x-unkey-api-key") as string;
if (!token) {
throw createGraphQLError("No API Key provided");
}
// ... verify the API key
// ... throw if an error
/// ... throw if the API key is invalid
},
};
}
Let's add the following code to the onRequestParse
plugin hook to verify the API key using the @unkey/api
dependency:
function useUnkey(): Plugin {
return {
async onRequestParse({ request }) {
const token = request.headers.get("x-unkey-api-key") as string;
if (!token) {
throw createGraphQLError("No API Key provided");
}
const { result, error } = await verifyKey(token);
if (error) {
throw createGraphQLError(error.message);
}
if (!result.valid) {
throw createGraphQLError("API Key is not valid for this request");
}
},
};
}
That's it! We've successfully created a custom Yoga plugin that verifies the API key using Unkey for each request.
Now invoke useUnkey()
inside the plugins
array:
const yoga = createYoga({ schema, plugins: [useUnkey()] });
Before we can test the API you will need to generate an API key for each individual user. For the purposes of this tutorial, we'll do that manually using the Unkey Dashboard.
Once we have the API key we can pass the header x-unkey-api-key
to the request.