Retrieve a GraphQL Schema
🕵️ Enable Introspection
Enabling Introspection on Your Application
Using Apollo
When creating a new instance of ApolloServer, you have to provide an object describing your resolvers and type definitions. This object can also include an introspection parameter.
This option is documented in the ApolloServer reference.
Fine-tuning
Using Apollo plugins, you can also have better access control over this query. Here is an example of a plugin that prevents access to the introspection query if the request does not feature the CLI header.
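const introspectionPlugin = {
  async requestDidStart() {
    return {
      // Runs just before the response is sent back to the client.
      async willSendResponse(requestContext) {
        const { request, response } = requestContext;
        // Requests carrying the CLI header keep access to introspection.
        if (request.http?.headers.get('x-cli-access') !== 'true') {
          // Matches the operation name that introspection tooling sends by default.
          if (request.operationName === 'IntrospectionQuery') {
            // Drop the schema data and return an error instead.
            response.data = null;
            response.errors = [
              {
                message: 'Introspection query not allowed',
                extensions: {
                  code: 'FORBIDDEN'
                }
              }
            ];
          }
        }
      }
    };
  }
};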
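A variant of the plugin above, added here as an example and not taken from Escape's or Apollo's code: it matches on the introspection meta-fields in the parsed document rather than on the operation name, which is a label the client sets, and it rejects in didResolveOperation before anything executes. The helper names, the sample ASTs and the plain Error carrying extensions are assumptions; substitute the error class of your Apollo Server version.

```javascript
// Added example. __typename is deliberately not listed: ordinary clients use it.
const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);
// True if any operation or fragment in the parsed document selects an introspection
// meta-field. Fragment definitions sit in document.definitions, so spreads need no follow-up.
function usesIntrospection(document) {
  const stack = [...(document?.definitions ?? [])];
  while (stack.length > 0) {
    const node = stack.pop();
    if (node.kind === 'Field' && INTROSPECTION_FIELDS.has(node.name.value)) {
      return true;
    }
    // Operations, fragments, fields and inline fragments hold their children here.
    stack.push(...(node.selectionSet?.selections ?? []));
  }
  return false;
}

// Same header convention as the plugin above.
function isCliRequest(request) {
  return request.http?.headers.get('x-cli-access') === 'true';
}

const introspectionGuardPlugin = {
  async requestDidStart() {
    return {
      // Runs once the operation is parsed and validated, before resolvers execute.
      async didResolveOperation({ request, document }) {
        if (!isCliRequest(request) && usesIntrospection(document)) {
          // Assumption: a plain Error with extensions; use your server's error class.
          const err = new Error('Introspection query not allowed');
          err.extensions = { code: 'FORBIDDEN' };
          throw err;
        }
      },
    };
  },
};

// Constructed sample ASTs, in the shape graphql-js parse() produces.
const field = (name, selections = []) =>
  ({ kind: 'Field', name: { value: name }, selectionSet: { selections } });
const schemaViaFragment = { definitions: [
  { kind: 'OperationDefinition', name: { value: 'GetSchema' },
    selectionSet: { selections: [{ kind: 'FragmentSpread', name: { value: 'F' } }] } },
  { kind: 'FragmentDefinition', name: { value: 'F' },
    selectionSet: { selections: [field('__schema', [field('types')])] } },
] };
const ordinaryQuery = { definitions: [{ kind: 'OperationDefinition',
  selectionSet: { selections: [field('user', [field('__typename')])] } }] };
```

The walk covers every definition in the document, not only the selected operation, so a multi-operation document is rejected if any of its operations touches the schema meta-fields.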
Retrieving the Schema
You can retrieve the GraphQL schema using various methods:
Using cURL
curl --location 'https://example.com/graphql' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '{"query":"query IntrospectionQuery { __schema { queryType { name } mutationType { name } subscriptionType { name } types { ...FullType } directives { name description locations args { ...InputValue } } } } fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { ...TypeRef } } fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } } } } ","variables":{}}' \
> introspection.json
REST
Escape is compatible with:
- Swagger v2
- OpenAPI v3
- Postman Collections
More input sources will be available soon, including the ability to scan undocumented APIs.