49 changes: 49 additions & 0 deletions docs/router/authentication-and-authorization.mdx
@@ -51,6 +51,55 @@ The router configuration facilitates the setup of multiple JWKS (JSON Web Key Se

For more information on the attributes, visit the auth configuration parameter section page [here](/router/configuration#authentication).

### Disabling Authentication for Introspection Operations

Cosmo Router supports bypassing authentication for introspection queries.

This is useful, for example, when you want to configure client tooling from within a secured environment without requiring valid authentication tokens.
Instead of having to disable authentication altogether, this feature allows you to keep the configuration as close to production as possible while still using introspection queries easily.

<Warning>
This feature is meant to be used in secure, internal environments. It is not recommended for use in a production environment.
By default introspection queries are not excluded from authentication, if authentication is enabled in the router.
</Warning>

To enable this feature, add the following configuration to your router configuration:

<CodeGroup>
```yaml config.yaml
introspection:
enabled: true # Introspection is enabled by default (explicitly shown here)
skip_authentication: true # Bypass authentication for introspection queries (default: false)
```
</CodeGroup>

Now when you make an introspection query, you will not need to provide an authentication token.

```bash
curl -X POST http://localhost:3002/graphql \
--header "Content-Type: application/json" \
--data '{"query": "{ __schema { types { name } } }"}'
```

Optionally, you can set a dedicated token for introspection queries.

<CodeGroup>
```yaml config.yaml
introspection:
enabled: true
skip_authentication: true
token: "dedicated_secret_for_introspection" # Optional, set a dedicated secret for introspection queries
```
</CodeGroup>

With the secret set, you will need to provide it via the `Authorization` header, without a Bearer prefix.

```bash
curl -X POST http://localhost:3002/graphql \
--header "Content-Type: application/json" \
--header "Authorization: dedicated_secret_for_introspection" \
--data '{"query": "{ __schema { types { name } } }"}'
```


## Old Router configuration (\< 0.168.1)
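Review bot: the new section never defines what the router treats as an "introspection query", so the boundary of `skip_authentication: true` is unclear to a reader deciding whether to enable it; please state whether an operation that selects `__schema` or `__type` alongside regular root fields is treated as introspection (and therefore bypasses authentication) or is rejected, and whether `token`, once set, is still only consulted when `skip_authentication` is `true`. Two smaller points in the same hunk: the example `token: "dedicated_secret_for_introspection"` embeds a literal secret in `config.yaml` on a page that already warns the feature is for internal environments, so it would be better to show the secret being injected (environment variable or whatever mechanism the router supports) rather than a plain string; and the `curl` examples only show the success path, so a one-line note on the response an operator should expect when the token is missing or wrong (for example a 401) would make the setting easy to verify. The sentence "By default introspection queries are not excluded from authentication, if authentication is enabled in the router." inside the `<Warning>` also reads awkwardly; "If authentication is enabled, introspection queries are authenticated like any other operation unless `skip_authentication` is set" says the same thing more directly.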
3 changes: 2 additions & 1 deletion docs/router/security/hardening-guide.mdx
@@ -12,7 +12,8 @@ By default introspection is enabled. The following configuration should be appli

<CodeGroup>
```yaml router.yaml
introspection_enabled: false
introspection:
enabled: false
```
</CodeGroup>

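Review bot: replacing `introspection_enabled: false` with the nested `introspection: enabled: false` form silently changes the key that readers of the hardening guide will copy, but nothing here says in which router version the nested key became valid or whether the flat `introspection_enabled` key is still accepted; add that version note (the authentication page already uses the "\< 0.168.1" convention for this kind of split), otherwise operators on an older router will paste a key their router ignores and ship with introspection still enabled. Since the same PR introduces `introspection.skip_authentication`, the hardening guide is also the natural place to say that, where introspection must stay enabled, `skip_authentication` should be left at its default of `false`.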