There are various ways of implementing authorization for a GraphQL server. In this talk, I’ll review different approaches and problems. Eg: authz might result in making multiple calls to the database not just to resolve data but also to fetch authorisation constraints. I will finally share our learnings in building a flexible rule engine in Hasura that avoids these pitfalls.

In this talk, we will review approaches and challenges of implementing authorization in your GraphQL server. We will survey well-known patterns of authorization. I will then share our learnings from building the rule engine we have built at Hasura, describe how it avoids performance pitfalls and the pros and cons of this approach.