Commit 663b671

Add docs on CORS
1 parent 7fae8f6 commit 663b671

1 file changed: +31 -2 lines changed

modules/ROOT/pages/aura-graphql-data-apis/using-your-api.adoc

Lines changed: 31 additions & 2 deletions
@@ -1,8 +1,10 @@
11
= Using your GraphQL API
22

3+
== Query your GraphQL API
4+
35
Once the status for the GraphQL API is `ready` you can send GraphQL requests to it. As all requests are subject to authentication, you must include an API key or JWT token.
46

5-
== With an API Key Authentication Provider
7+
=== With an API Key Authentication Provider
68

79
Add `x-api-key: YOUR_API_KEY` to the header of the request. For example, with curl replacing the UPPERCASE values with those of your own:
810

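Review bot: The intro sentence now sitting under the new `== Query your GraphQL API` heading (new line 5) says "an API key or JWT token", which is redundant ("JWT" already means JSON Web Token) and inconsistent with the JWKS subsection's "Obtain a JWT"; since this hunk reorganises that paragraph, change it to "an API key or a JWT". The curl lead-in at new line 9 would also read better with a comma after "curl": "For example, with curl, replacing the UPPERCASE values with those of your own:".
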
@@ -11,7 +13,7 @@ Add `x-api-key: YOUR_API_KEY` to the header of the request. For example, with cu
1113
curl --location YOUR_GRAPHQL_API_URL --header 'Content-Type: application/json' --header 'x-api-key: YOUR_API_KEY' --data 'YOUR_GRAPHQL_QUERY'
1214
----
1315

14-
== With a JWKS Authentication Provider
16+
=== With a JWKS Authentication Provider
1517

1618
Obtain a JWT from your identity provider. Using the JWT, add `Authorization: Bearer YOUR_JWT` to the headers of the request.
1719

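Review bot: The curl example kept as context at new line 13 passes `x-api-key: YOUR_API_KEY` as a literal command-line argument, so a reader who pastes a real key there leaves it in their shell history. While the headings around it are being restructured, consider showing the key read from an environment variable (for example `--header "x-api-key: $YOUR_API_KEY"`, where the variable name is only a placeholder) and adding one sentence telling readers not to paste the key inline.
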
@@ -21,3 +23,30 @@ For example, with curl replacing the UPPERCASE values with those of your own:
2123
----
2224
curl --location YOUR_GRAPHQL_API_URL --header 'Authorization: Bearer YOUR_JWT'--header 'Content-Type: application/json --data 'YOUR_GRAPHQL_QUERY'
2325
----
26+
27+
== Query your GraphQL API from a Browser
28+
29+
=== CORS (Cross-Origin Resource Sharing) Policy
30+
31+
For security reasons, browsers restrict cross-origin requests to servers. This means that by default, if you configure a web app to make a request to your GraphQL APIs from a browser, it will fail. This is because your web app will be hosted at a different origin from your GraphQL API.
32+
33+
However, most modern browsers support Cross-Origin Resource Sharing. This involves the browser sending a “preflight” request to the server to check that it will allow the actual request. You can configure your GraphQL APIs to allow cross-origin requests from your web app by adding it to the list of allowed origins. For example, if you expect requests to be made by a web app hosted at https://example.com, this should be added to the list of allowed origins for your GraphQL API.
34+
35+
[NOTE]
36+
====
37+
Only exact matches for allowed origins are supported - wildcards (*) will not work
38+
====
39+
40+
This can be done using the aura-cli using the following command, replacing the UPPERCASE values as required:
41+
42+
[source, bash, indent=0]
43+
----
44+
aura-cli data-api graphql cors-policy allowed-origin add NEW_ALLOWED_ORIGIN --data-api-id YOUR_GRAPHQL_API_ID --instance-id YOUR_AURA_INSTANCE_ID
45+
----
46+
47+
Allowed origins that are no longer required can be removed with the following command, replacing the UPPERCASE values as required:
48+
49+
[source, bash, indent=0]
50+
----
51+
aura-cli data-api graphql cors-policy allowed-origin remove OLD_ALLOWED_ORIGIN --data-api-id YOUR_GRAPHQL_API_ID --instance-id YOUR_AURA_INSTANCE_ID
52+
----
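
Review bot: The NOTE at new lines 35-37 says only exact matches are supported, but the section never says what form NEW_ALLOWED_ORIGIN must take; a browser's `Origin` header carries scheme, host and (non-default) port only, so an entry with a trailing slash or a path would never match exactly. Suggest stating that format next to the `https://example.com` example at new line 33, and ending the NOTE sentence with a full stop. The new browser section should also say that adding an allowed origin does not replace authentication: new line 5 says every request needs an API key or JWT, and an API key shipped in a web app is readable by every visitor, so it is worth pointing browser clients at the JWKS provider. Separately, the curl line kept as context at new line 24 has broken quoting: there is no space between `'Authorization: Bearer YOUR_JWT'` and `--header`, and `'Content-Type: application/json` is missing its closing quote, so the command fails as written.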