The Neo4j GraphQL Library expects an authorization header in the request object, which means you can authenticate users however you like. You could have a custom sign-in mutation, integrate with Auth0, or roll your own SSO server. The point here is that it’s just a JWT which the library decodes to make sure it’s valid - but it’s down to the user to issue tokens.

The example at Custom Resolvers demonstrates a hypothetical sign-up/sign-in flow using the OGM, which will be a good starting point for inspiration.


This is the most basic of authentication, used to ensure that there is a valid decoded JWT in the request. The most basic of type definitions could look something like the following, which states you must be authenticated to access Todo objects:

type Todo {
    id: ID
    title: String

extend type Todo @auth(rules: [{ isAuthenticated: true }])


In some cases, you may want to allow unauthenticated requests while also having auth-based rules. You can use the allowUnauthenticated parameter to avoid throwing an exception if no auth is present in the context.

In the example below, only the publisher can see his blog posts if it is not published yet. Once the blog post is published, anyone can see it:

type BlogPost
        rules: [
                operations: [READ]
                where: { OR: [{ publisher: "$jwt.sub" }, { published: true }] }
                allowUnauthenticated: true
    ) {
    id: ID!
    publisher: String!
    published: Boolean!