graphql-hive
diff --git a/‎.changeset/authz-directives.md‎
Lines changed: 0 additions & 46 deletions b/‎.changeset/authz-directives.md‎
Lines changed: 0 additions & 46 deletions
diff --git a/‎Cargo.lock‎
Lines changed: 1 addition & 1 deletion b/‎Cargo.lock‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bin/router/CHANGELOG.md‎
Lines changed: 49 additions & 0 deletions b/‎bin/router/CHANGELOG.md‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎bin/router/Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎bin/router/Cargo.toml‎
Lines changed: 1 addition & 1 deletion
@@ -116,6 +116,55 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Other
 
 - *(deps)* update release-plz/action action to v0.5.113 ([#389](https://github.com/graphql-hive/router/pull/389))
+## 0.0.20 (2025-11-21)
+
+### Features
+
+- support authenticated and requiresScopes directives (#538)
+
+#### Directive-Based Authorization
+
+Introducing directive-based authorization. This allows you to enforce fine-grained access control directly from your subgraph schemas using the `@authenticated` and `@requiresScopes` directives.
+
+This new authorization layer runs before the query planner, ensuring that unauthorized requests are handled efficiently without reaching your subgraphs.
+
+#### Configuration
+
+You can configure how the router handles unauthorized requests with two modes:
+
+- **`filter`** (default): Silently removes any fields the user is not authorized to see from the query. The response will contain `null` for the removed fields and an error in the `errors` array.
+- **`reject`**: Rejects the entire GraphQL operation if it requests any field the user is not authorized to access.
+
+To configure this, add the following to your `router.yaml` configuration file:
+
+```yaml
+authentication:
+  directives:
+    unauthorized:
+      # "filter" (default): Removes unauthorized fields from the query and returns errors.
+      # "reject": Rejects the entire request if any unauthorized field is requested.
+      mode: reject
+```
+
+If this section is omitted, the router will use `filter` mode by default.
+
+#### JWT Scope Requirements
+
+When using the `@requiresScopes` directive, the router expects the user's granted scopes to be present in the JWT payload. The scopes should be in an array of strings or a string (scopes separated by space), within a claim named `scope`.
+
+Here is an example of a JWT payload with the correct format:
+
+```json
+{
+  "sub": "user-123",
+  "scope": [
+    "read:products",
+    "write:reviews"
+  ],
+  "iat": 1516239022
+}
+```
+
 ## 0.0.19 (2025-11-19)
 
 ### Features
 
@@ -1,6 +1,6 @@
 [package]
 name = "hive-router"
-version = "0.0.19"
+version = "0.0.20"
 edition = "2021"
 description = "GraphQL router/gateway for Federation"
 license = "MIT"