Emran Alhaddad
🔐 Secure your Statamic GraphQL endpoint
A lightweight, production-ready addon that protects Statamic’s /graphql endpoint using a token-based middleware with optional IP allow-listing.
Perfect for headless setups (Next.js, Nuxt, mobile apps) where public GraphQL access must be locked down without changing existing queries.
👉 Statamic Marketplace:
https://statamic.com/addons/emran-alhaddad/statamic-graphql-protect
📦 Package Information
🚀 Features
- 🔐 Token-protected
/graphqlendpoint - 🛡️ Optional IP allow-list
- 🧩 Works with Statamic’s GraphQL layer (Rebing GraphQL under the hood)
- ⚙️ Fully configurable via
.env - 🗂️ Middleware-based (no route overrides)
- 🧼 No Statamic core hacks or forks
📦 Installation
Install via Composer:
composer require emran-alhaddad/statamic-graphql-protectPublish the config file:
php artisan vendor:publish --tag=statamic-graphql-protect⚙️ Configuration
Published config file:
config/statamic-graphql-protect.phpExample .env configuration:
STATAMIC_GRAPHQL_PROTECT_ENABLED=trueSTATAMIC_GRAPHQL_TOKEN=long-secreat-tokenSTATAMIC_GRAPHQL_TOKEN_HEADER=X-Statamic-GraphQL-TokenSTATAMIC_GRAPHQL_ALLOWED_IPS=127.0.0.1,1.2.3.4Your frontend must send the header:
X-Statamic-GraphQL-Token: <your-token>⚠️ REQUIRED: Register Middleware in Statamic GraphQL Config
This addon does not automatically inject itself into every Statamic install.
You must manually register the middleware.
Open:
config/statamic/graphql.phpAdd the middleware to the middleware array:
return [ // ... 'middleware' => [ \Emran\StatamicGraphqlProtect\Http\Middleware\ProtectGraphql::class, // other GraphQL middleware (if any) ], // ...];❗ Without this step,
/graphqlwill remain public.
🧪 Example Usage
❌ Request without token (blocked)
curl https://your-domain.com/graphql \ -H "Content-Type: application/json" \ -d '{"query":"{ ping }"}'Response:
{ "message": "Invalid or missing GraphQL token." }✅ Request with token (allowed)
curl https://your-domain.com/graphql \ -H "Content-Type: application/json" \ -H "X-Statamic-GraphQL-Token: your-token" \ -d '{"query":"{ ping }"}'Response:
{ "data": { "ping": "pong" } }🔧 Postman Setup
- Headers
| Key | Value |
|---|---|
| X-Statamic-GraphQL-Token | your-token |
| Content-Type | application/json |
- Body → Raw → JSON
{ "query": "{ ping }" }- Send ✅
⚠️ IMPORTANT: Disable Statamic GraphQL Cache
Statamic’s GraphQL cache does NOT respect request headers.
If enabled:
- First unauthenticated request → 401 cached → everyone gets 401
- First authenticated request → 200 cached → endpoint effectively public
✅ Disable it:
Edit:
config/statamic/graphql.php'cache' => false,or:
'cache' => [ 'expiry' => 0,],Then clear caches:
php artisan config:clearphp artisan cache:clearphp artisan statamic:stache:clear✅ Recommended: cache at Next.js / CDN / Edge level, not inside Statamic.
🔄 Compatibility
- ✅ Statamic v4 / v5
- ✅ PHP 8.1+
- ✅ Headless & traditional installs
- ✅ Next.js / Nuxt / Mobile apps
📁 Directory Structure
statamic-graphql-protect/├─ src/│ ├─ Http/Middleware/ProtectGraphql.php│ └─ ServiceProvider.php├─ config/statamic-graphql-protect.php├─ composer.json├─ README.md└─ LICENSE🩺 Troubleshooting
“Invalid or missing GraphQL token”
- Header name mismatch
- Token contains whitespace
- Middleware not registered in
config/statamic/graphql.php
Works in cURL but not Postman
- Use Body → Raw → JSON
- Ensure headers are manually added
Random 200 / 401 responses
- GraphQL cache still enabled
- Disable it and clear caches
👤 Author
Emran Alhaddad GitHub: https://github.com/emran-alhaddad Statamic Addons: https://statamic.com/addons/emran-alhaddad
📄 License
MIT License
See the LICENSE file for full details.
