We recommend that every API be protected, including APIs that are public and whose API keys are visible to clients. A classic example is the Shopify Storefront API, which serves the unauthenticated data of a particular store (store details, products, and so on). This API is called from frontend applications, where the key can be read by anyone who inspects the page, yet it still requires a storefront API key. The key is not a secret in the usual sense; it exists so that access can still be controlled: rotating the key invalidates every client that holds the old one.
For any API that serves authenticated data, securing the API is an essential and early step.
Authentication and authorization in GraphQL
Authentication is the process of verifying the identity of a user (or client) attempting to access an application. Authorization is the process of determining what that authenticated identity is allowed to do within the application. In a GraphQL server the two naturally live in different places: authentication happens once per request, when the context is built, and authorization is decided per field, in the resolvers.
In this lesson, we will not delve into the details of authentication, for example where passwords are verified and JWTs are issued to users. We highly recommend using a third-party authentication solution (such as Supabase or Auth0) for user management, as such providers are generally safer and more reliable than a home-grown implementation. Note also that in some cases, such as Shopify's Storefront API, access to an API is verified with a static API key rather than a per-user credential.
We have a detailed article where we discuss AuthN/Z Fundamentals and evaluate the top service providers.