GraphQL endpoint handling authorization with JWT via HTTP Headers

Hi there,

I am delighted with how the GraphQL components are currently functioning. The first phase of our project, setting up a GraphQL endpoint to facilitate data exchange between our ERP platform and webshops, is currently in the testing phase.

The subsequent phase of the project involves implementing a security layer, utilizing JSON Web Tokens within the HTTP header.

I'm uncertain about where to initiate this process. Is there an available example that illustrates how to extract the contents from the received HTTP header? Any guidance to help me begin moving in the correct direction would be immensely appreciated.

Kind Regards,

Hi @Stefan_van_Roosmalen, thank you for the kind words about GraphQL for Delphi.

The security should be implemented as an outside layer. If you use TMS Sparkle for the HTTP server, it can be used with the middleware approach, using JWT middleware.

If you use Web Broker, then you should maybe use BeforeDispatch event to handle the token before it's forwarded to the GraphQL dispatcher.
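As an added illustration (not code from the thread or from TMS), here is the check such an outer layer performs before the request reaches the GraphQL dispatcher: read the `Authorization: Bearer` header, verify the HS256 signature, and refuse the request on failure. It is written in Python so it runs stand-alone; the secret and claim names are constructed, and a Web Broker `BeforeDispatch` handler or a Sparkle JWT middleware does the same job in Delphi.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed sample; load the real secret from config

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a test token so the example can run offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims of a valid HS256 JWT; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except Exception as e:
        raise ValueError("malformed token") from e
    # A missing alg (the error seen in the thread) or alg=none is rejected here.
    if header.get("alg") != "HS256":
        raise ValueError("signature algorithm header (alg) not set or not HS256")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # only parsed after the signature holds
    if "exp" in claims and (now or time.time()) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def before_dispatch(headers: dict, key: bytes = SECRET):
    """Gate in front of the GraphQL dispatcher: returns (handled, status, claims).
    handled=True means the request was answered here (401) and must not be forwarded."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return True, 401, None
    try:
        return False, 200, verify_hs256(auth[len("Bearer "):], key)
    except ValueError:
        return True, 401, None
```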

I am trying to follow this route... I believe this is the biggest challenge so far...
To be continued...

Hi there,

Despite extensively searching the web and experimenting with various code snippets from both the TMS website, blogs, manuals, and the GitHub pages of the Delphi JOSE and JWT Library, I'm still unable to establish security for my GraphQL endpoint using JSON Web Tokens (JWT) and the HS256 hashing algorithm. The documentation seems straightforward, leaving me to believe that I've overlooked something during my troubleshooting process.

I would greatly appreciate it if you could review the attached project files and provide guidance on rectifying this issue to successfully implement the required JWT functionality. For the sake of simplicity, I've copied my code into the "Bookshelf" demo project. The actual project where I'm implementing this involves a GraphQL endpoint that serves as an interface between a website and a database.

Building upon your initial advice, I attempted to utilize the BeforeDispatch approach to validate the JWT before it reaches the GraphQL dispatcher. However, upon compiling the project and launching the browser, I encountered a "signature algorithm header (alg) not set" error.

Here's the HTTP header I've prepared for testing the attached project sources:

  "Authorization": "Bearer 

I eagerly await your response as it's becoming increasingly evident that I might have made several mistakes in the code. Your assistance would be immensely valuable in untangling this situation.

Kind regards,

Here is the modified project with the correct code.

However, I see that you have added units and components from TMS Sparkle and TMS XData. If you do have licenses for those products, I strongly recommend getting rid of Web Broker altogether and using GraphQL with TMS Sparkle. There is a demo for that, although it uses the Hello schema. But you can simply modify it to use the Bookshelf schema - of course you will have to do that to use your own real schema.

Using TMS Sparkle is way easier, and then all you need to do is to add a JWT middleware to the server - indeed, then all the documentation for Sparkle about JWT applies. For Web Broker, that is not true and you will have to do it yourself (like I did for you in the example).

Dear Wagner,

I am delighted to inform you that my security layer (utilizing JSON Web Tokens) is now functioning perfectly! While it did take some time to accomplish, I have managed to implement it quite smoothly in the end. I appreciate your prompt response and the guidance you provided, which helped me achieve this milestone.

Although I am eager to delve deeper into the TMS Sparkle solution, I have currently opted to adopt the solution based on the Web Broker example. However, as previously mentioned, I hold TMS GraphQL in high regard, and I intend to explore its combination with TMS Sparkle at a later moment.

Best Regards,



Excellent, @Stefan_van_Roosmalen.
Thank you for the follow-up and the kind words. As usual, don't hesitate to open new topics if you need help with other issues.
