Skip to content

feat(api): project and personal scoped access tokens #7206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 30 commits into
base: main
Choose a base branch
from
Open

feat(api): project and personal scoped access tokens #7206

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
543cfae
feat(api): project and personal scoped access tokens
n1ru4l Nov 3, 2025
1209a93
typo
n1ru4l Nov 3, 2025
b52fdf7
feat: project access token ui
n1ru4l Nov 3, 2025
0601a06
reuse component
n1ru4l Nov 3, 2025
a7f6a60
ui ui ui
n1ru4l Nov 3, 2025
9bb1cde
fixtures
n1ru4l Nov 3, 2025
2f6a702
fix
n1ru4l Nov 3, 2025
2489b5c
fix ts
n1ru4l Nov 3, 2025
26631fe
mr lint
n1ru4l Nov 3, 2025
3dd3bd4
feat: prevent using personal access token if permissions are lacking
n1ru4l Nov 3, 2025
8c1fa9c
no emoji?
n1ru4l Nov 3, 2025
456836f
ui feedback for assign based on viewer
n1ru4l Nov 3, 2025
a70bf6c
add some descriptions
n1ru4l Nov 3, 2025
9c42536
tests tests tests
n1ru4l Nov 3, 2025
11f3daf
changeset
n1ru4l Nov 3, 2025
25a0db3
dem fixtures
n1ru4l Nov 3, 2025
f00f785
include userId and projectId in audit log types
n1ru4l Nov 3, 2025
ea2f9f3
Apply suggestion from @n1ru4l
n1ru4l Nov 4, 2025
a2f23cb
Apply suggestion from @n1ru4l
n1ru4l Nov 4, 2025
ca2d5c0
remove outdated comment
n1ru4l Nov 4, 2025
caad8cb
lint
n1ru4l Nov 4, 2025
831f5f6
assert delete based on access token type
n1ru4l Nov 4, 2025
bcb1e3d
add type debug info
n1ru4l Nov 4, 2025
08d2bca
remove dev debug code remains
n1ru4l Nov 4, 2025
35a2a46
fix dem types
n1ru4l Nov 4, 2025
70df3b0
l like my errors
n1ru4l Nov 4, 2025
78e66d5
schema adjustments
n1ru4l Nov 4, 2025
f3c14d8
no breaking schema changes :)
n1ru4l Nov 4, 2025
e681a12
lint
n1ru4l Nov 4, 2025
fc0e1b4
review works
n1ru4l Nov 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/five-hoops-punch.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@graphql-hive/cli': minor
---

Improve output of the `hive whoami` command. It now also handles the new access token format.
Copy link
Collaborator

@jdolle jdolle Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a change for hive also for the token scoping.

11 changes: 10 additions & 1 deletion integration-tests/testkit/seed.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ import {
import { execute } from './graphql';
import { UpdateSchemaPolicyForOrganization, UpdateSchemaPolicyForProject } from './schema-policy';
import { collect, CollectedOperation, legacyCollect } from './usage';
import { generateUnique } from './utils';
import { generateUnique, getServiceHost } from './utils';

export function initSeed() {
function createConnectionPool() {
Expand Down Expand Up @@ -89,6 +89,15 @@ export function initSeed() {
},
authenticate,
generateEmail: () => userEmail(generateUnique()),
async purgeOrganizationAccessTokenById(id: string) {
const registryAddress = await getServiceHost('server', 8082);
await fetch(
'http://' + registryAddress + '/cache/organization-access-token-cache/delete/' + id,
{
method: 'POST',
},
).then(res => res.json());
},
async createOwner() {
const ownerEmail = userEmail(generateUnique());
const auth = await authenticate(ownerEmail);
Expand Down
9 changes: 9 additions & 0 deletions integration-tests/testkit/utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,3 +111,12 @@ export function assertNonNull<T>(
throw new Error(message);
}
}

export function assertNonNullish<T>(
value: T | null | undefined,
message = 'Expected non-null value.',
): asserts value is T {
if (value === null) {
throw new Error(message);
}
}
243 changes: 98 additions & 145 deletions ...ts/api/organization-access-tokens.spec.ts → .../access-tokens/organization-level.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,31 +1,8 @@
import { graphql } from '../../testkit/gql';
import * as GraphQLSchema from '../../testkit/gql/graphql';
import { execute } from '../../testkit/graphql';
import { initSeed } from '../../testkit/seed';

const CreateOrganizationAccessTokenMutation = graphql(`
mutation CreateOrganizationAccessToken($input: CreateOrganizationAccessTokenInput!) {
createOrganizationAccessToken(input: $input) {
ok {
privateAccessKey
createdOrganizationAccessToken {
id
title
description
permissions
createdAt
}
}
error {
message
details {
title
description
}
}
}
}
`);
import { createOrganizationAccessToken } from 'testkit/flow';
import { graphql } from '../../../testkit/gql';
import * as GraphQLSchema from '../../../testkit/gql/graphql';
import { execute } from '../../../testkit/graphql';
import { initSeed } from '../../../testkit/seed';

const OrganizationProjectTargetQuery = graphql(`
query OrganizationProjectTargetQuery(
Expand Down Expand Up @@ -60,7 +37,6 @@ const PaginatedAccessTokensQuery = graphql(`
id
title
description
permissions
createdAt
}
}
Expand All @@ -77,21 +53,19 @@ test.concurrent('create: success', async () => {
const { createOrg, ownerToken } = await initSeed().createOwner();
const org = await createOrg();

const result = await execute({
document: CreateOrganizationAccessTokenMutation,
variables: {
input: {
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: 'Some description',
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: [],
const result = await createOrganizationAccessToken(
{
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: 'Some description',
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: [],
},
authToken: ownerToken,
}).then(e => e.expectNoGraphQLErrors());
ownerToken,
).then(e => e.expectNoGraphQLErrors());

expect(result.createOrganizationAccessToken.error).toEqual(null);
expect(result.createOrganizationAccessToken.ok).toEqual({
privateAccessKey: expect.any(String),
Expand All @@ -109,21 +83,18 @@ test.concurrent('create: failure invalid title', async ({ expect }) => {
const { createOrg, ownerToken } = await initSeed().createOwner();
const org = await createOrg();

const result = await execute({
document: CreateOrganizationAccessTokenMutation,
variables: {
input: {
organization: {
byId: org.organization.id,
},
title: ' ',
description: 'Some description',
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: [],
const result = await createOrganizationAccessToken(
{
organization: {
byId: org.organization.id,
},
title: ' ',
description: 'Some description',
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: [],
},
authToken: ownerToken,
}).then(e => e.expectNoGraphQLErrors());
ownerToken,
).then(e => e.expectNoGraphQLErrors());
expect(result.createOrganizationAccessToken.ok).toEqual(null);
expect(result.createOrganizationAccessToken.error).toMatchInlineSnapshot(`
{
Expand All @@ -140,21 +111,18 @@ test.concurrent('create: failure invalid description', async ({ expect }) => {
const { createOrg, ownerToken } = await initSeed().createOwner();
const org = await createOrg();

const result = await execute({
document: CreateOrganizationAccessTokenMutation,
variables: {
input: {
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: new Array(300).fill('A').join(''),
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: [],
const result = await createOrganizationAccessToken(
{
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: new Array(300).fill('A').join(''),
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: [],
},
authToken: ownerToken,
}).then(e => e.expectNoGraphQLErrors());
ownerToken,
).then(e => e.expectNoGraphQLErrors());
expect(result.createOrganizationAccessToken.ok).toEqual(null);
expect(result.createOrganizationAccessToken.error).toMatchInlineSnapshot(`
{
Expand All @@ -172,21 +140,18 @@ test.concurrent('create: failure because no access to organization', async ({ ex
const actor2 = await initSeed().createOwner();
const org = await actor1.createOrg();

const errors = await execute({
document: CreateOrganizationAccessTokenMutation,
variables: {
input: {
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: 'Some description',
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: [],
const errors = await createOrganizationAccessToken(
{
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: 'Some description',
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: [],
},
authToken: actor2.ownerToken,
}).then(e => e.expectGraphQLErrors());
actor2.ownerToken,
).then(e => e.expectGraphQLErrors());
expect(errors).toMatchObject([
{
extensions: {
Expand All @@ -204,21 +169,18 @@ test.concurrent('query GraphQL API on resources with access', async ({ expect })
const org = await createOrg();
const project = await org.createProject(GraphQLSchema.ProjectType.Federation);

const result = await execute({
document: CreateOrganizationAccessTokenMutation,
variables: {
input: {
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: 'a description',
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: ['organization:describe', 'project:describe'],
const result = await createOrganizationAccessToken(
{
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: 'a description',
resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
permissions: ['organization:describe', 'project:describe'],
},
authToken: ownerToken,
}).then(e => e.expectNoGraphQLErrors());
ownerToken,
).then(e => e.expectNoGraphQLErrors());
expect(result.createOrganizationAccessToken.error).toEqual(null);
const organizationAccessToken = result.createOrganizationAccessToken.ok!.privateAccessKey;

Expand Down Expand Up @@ -253,29 +215,26 @@ test.concurrent('query GraphQL API on resources without access', async ({ expect
const project1 = await org.createProject(GraphQLSchema.ProjectType.Federation);
const project2 = await org.createProject(GraphQLSchema.ProjectType.Federation);

const result = await execute({
document: CreateOrganizationAccessTokenMutation,
variables: {
input: {
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: 'a description',
resources: {
mode: GraphQLSchema.ResourceAssignmentModeType.Granular,
projects: [
{
projectId: project1.project.id,
targets: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
},
],
},
permissions: ['organization:describe', 'project:describe'],
const result = await createOrganizationAccessToken(
{
organization: {
byId: org.organization.id,
},
title: 'a access token',
description: 'a description',
resources: {
mode: GraphQLSchema.ResourceAssignmentModeType.Granular,
projects: [
{
projectId: project1.project.id,
targets: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
},
],
},
permissions: ['organization:describe', 'project:describe'],
},
authToken: ownerToken,
}).then(e => e.expectNoGraphQLErrors());
ownerToken,
).then(e => e.expectNoGraphQLErrors());
expect(result.createOrganizationAccessToken.error).toEqual(null);
const organizationAccessToken = result.createOrganizationAccessToken.ok!.privateAccessKey;

Expand Down Expand Up @@ -317,41 +276,35 @@ test.concurrent('pagination', async ({ expect }) => {
},
});

await execute({
document: CreateOrganizationAccessTokenMutation,
variables: {
input: {
organization: {
byId: org.organization.id,
},
title: 'first access token',
description: 'a description',
resources: {
mode: GraphQLSchema.ResourceAssignmentModeType.All,
},
permissions: ['organization:describe'],
await createOrganizationAccessToken(
{
organization: {
byId: org.organization.id,
},
title: 'first access token',
description: 'a description',
resources: {
mode: GraphQLSchema.ResourceAssignmentModeType.All,
},
permissions: ['organization:describe'],
},
authToken: ownerToken,
}).then(e => e.expectNoGraphQLErrors());
ownerToken,
).then(e => e.expectNoGraphQLErrors());

await execute({
document: CreateOrganizationAccessTokenMutation,
variables: {
input: {
organization: {
byId: org.organization.id,
},
title: 'second access token',
description: 'a description',
resources: {
mode: GraphQLSchema.ResourceAssignmentModeType.All,
},
permissions: ['organization:describe'],
await createOrganizationAccessToken(
{
organization: {
byId: org.organization.id,
},
title: 'second access token',
description: 'a description',
resources: {
mode: GraphQLSchema.ResourceAssignmentModeType.All,
},
permissions: ['organization:describe'],
},
authToken: ownerToken,
}).then(e => e.expectNoGraphQLErrors());
ownerToken,
).then(e => e.expectNoGraphQLErrors());

paginatedResult = await execute({
document: PaginatedAccessTokensQuery,
Expand Down
Loading
Loading