
Authorization strategies in GraphQL

question 3 connections

Audience question about authorization patterns in large GraphQL apps: field-level versus layer-level authorization, and how the layers coordinate. Speaker: authentication happens once, at the controller, before query execution. Authorization lives at the resource (type/model) level and at the field level; graphql-ruby supports both and integrates with Ruby authorization gems such as Pundit. Meedan adopted GraphQL so early that this API-layer authorization did not exist yet, so they enforce authorization one level below the API (Pundit in the models). The context object available in every resolver typically carries the current user and scope.
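The pattern the speaker describes, as an added example in plain Ruby that is not from the talk, from Meedan's code base or from graphql-ruby itself. It runs without the graphql or pundit gems: the controller authenticates once and places the user in `context`, Pundit-style policy classes make the decisions, and the type-level `authorized?` plus the per-field check mirror graphql-ruby's hooks. `PostType`, `PostPolicy`, `SESSIONS`, the token strings and the post data are all constructed for the example.

```ruby
# Added example modelling the graphql-ruby + Pundit pattern without the gems.
# Names and data are constructed; only the hook names follow graphql-ruby's conventions.

User = Struct.new(:id, :role)
Post = Struct.new(:id, :author_id, :title, :body, :draft)

# Pundit convention: PostPolicy.new(user, record).action?
class PostPolicy
  attr_reader :user, :post

  def initialize(user, post)
    @user = user
    @post = post
  end

  def show?
    !post.draft || owner? || admin?
  end

  # `body` is the sensitive field here: only the author or an admin may read it.
  def read_body?
    owner? || admin?
  end

  def owner?
    !user.nil? && user.id == post.author_id
  end

  def admin?
    !user.nil? && user.role == :admin
  end

  # Pundit Scope: narrows a collection before any per-object resolver runs.
  class Scope
    def initialize(user, posts)
      @user = user
      @posts = posts
    end

    def resolve
      @posts.select { |p| PostPolicy.new(@user, p).show? }
    end
  end
end

# Stand-in for a graphql-ruby object type. graphql-ruby calls `authorized?(object, ctx)`
# on the type before resolving its fields; a false return makes the object resolve to nil.
# FIELD_AUTH plays the role of per-field authorization.
class PostType
  FIELDS = {
    id:    ->(post, _ctx) { post.id },
    title: ->(post, _ctx) { post.title },
    body:  ->(post, _ctx) { post.body },
  }.freeze

  FIELD_AUTH = {
    body: ->(post, ctx) { PostPolicy.new(ctx[:current_user], post).read_body? },
  }.freeze

  def self.authorized?(post, ctx)
    PostPolicy.new(ctx[:current_user], post).show?
  end

  def self.resolve(post, fields, ctx)
    return nil unless authorized?(post, ctx)
    fields.each_with_object({}) do |name, out|
      check = FIELD_AUTH[name]
      allowed = check.nil? || check.call(post, ctx)
      out[name] = allowed ? FIELDS.fetch(name).call(post, ctx) : nil
    end
  end
end

# Controller stand-in: authentication happens exactly once, here. The resulting user is
# the only identity resolvers ever see; nil current_user means anonymous.
SESSIONS = { "tok-alice" => User.new(1, :member), "tok-admin" => User.new(9, :admin) }.freeze

def build_context(token)
  { current_user: SESSIONS[token] }
end

# Constructed sample data.
POSTS = [
  Post.new(1, 1, "Alice public", "alice body", false),
  Post.new(2, 1, "Alice draft",  "draft body", true),
  Post.new(3, 2, "Bob public",   "bob body",   false),
].freeze

# `posts` list field: the scope trims the collection, then each object is checked.
def query_posts(token, fields)
  ctx = build_context(token)
  scoped = PostPolicy::Scope.new(ctx[:current_user], POSTS).resolve
  scoped.map { |p| PostType.resolve(p, fields, ctx) }.compact
end

# `node(id:)` lookup: no scope runs on this path, which is why the type-level
# authorized? matters. Every route to a Post passes through it.
def query_node(token, id, fields)
  ctx = build_context(token)
  post = POSTS.find { |p| p.id == id }
  post && PostType.resolve(post, fields, ctx)
end
```

Calling `query_posts(nil, [:id, :body])` returns only the non-draft posts with `body` nulled, while `query_node(nil, 2, [:title])` returns nil because the draft fails the type-level check even though no list scope was applied. Moving the `PostPolicy` calls from `PostType` into methods on the `Post` model itself is the "one level below the API" placement the speaker describes for Meedan; the policy classes and the context-supplied user stay the same.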

answer_summary
Authenticate once at the controller; authorize at type/field level using graphql-ruby + Pundit. Meedan started before API-layer authorization existed, so they enforce it below the GraphQL layer, in the models. The context object carries the current user.
question: Authorization strategies in GraphQL
  about: Pundit (tool)
    Pundit is cited as the authorization gem Meedan uses.
question: Authorization strategies in GraphQL
  about:
    graphql-ruby's field-level authorization and context object are the core of the answer.
question: Authorization strategies in GraphQL
  asked_at:
    Q&A about authorization for flexible GraphQL queries.

Provenance

Read by
1 extraction