Back to Templates

Protect GraphQL APIs with Unkey

GraphQL Yoga Plugin system to protect your API

Typescript
Language
by notrab
GraphQL Yoga Plugin system to protect your API

GraphQL Yoga + Unkey

Learn how to use the GraphQL Yoga Plugin system to protect requests using API keys with Unkey in this video tutorial.

Usage

Create the following custom useUnkey plugin:

function useUnkey(): Plugin {
  return {
    async onRequestParse({ request }) {
      const token = request.headers.get("x-unkey-api-key") as string;

      if (!token) {
        throw createGraphQLError("No API Key provided");
      }

      const { result, error } = await verifyKey(token);

      if (error) {
        throw createGraphQLError(error.message);
      }

      if (!result.valid) {
        throw createGraphQLError("API Key is not valid for this request");
      }
    },
  };
}

Now invoke useUnkey() and pass it to the Yoga plugins:

import { createYoga, createGraphQLError, type Plugin } from "graphql-yoga";
import { verifyKey } from "@unkey/api";

const schema = createSchema({
  typeDefs: /* GraphQL */ `
    type Query {
      hello: String
    }
  `,
  resolvers: {
    Query: {
      hello: () => "world",
    },
  },
});

const yoga = createYoga({ schema, plugins: [useUnkey()] });

const server = createServer(yoga);

server.listen(4000, () => {
  console.info("Server is running on http://localhost:4000/graphql");
});

That's it! Make sure to pass your API key (provided by Unkey) for the header x-unkey-api-key with GraphQL requests.