
Mercurius Auth Plugin

Primary LanguageJavaScriptMIT LicenseMIT


CI workflow

Mercurius Auth is a plugin for Mercurius that adds configurable Authentication and Authorization support.


  • Define auth directives on fields anywhere in your schema and this plugin will apply custom policies against these protected fields when a GraphQL request is made.
  • Works in both normal and gateway mode.
  • In addition to the matching auth directive, auth policies have access to the same GraphQL information that any GraphQL resolver has access to.
  • Build up an auth context to load identities onto the context before policies are applied.
  • Define custom errors.
  • GraphQL spec compliant.



npm i fastify mercurius mercurius-auth

Quick Start

'use strict'

const Fastify = require('fastify')
const mercurius = require('mercurius')
const mercuriusAuth = require('mercurius-auth')

const app = Fastify()

const schema = `
  directive @auth(
    requires: Role = ADMIN,

  enum Role {

  type Query {
    add(x: Int, y: Int): Int @auth(requires: USER)

const resolvers = {
  Query: {
    add: async (_, { x, y }) => x + y

app.register(mercurius, {

app.register(mercuriusAuth, {
  authContext (context) {
    return {
      identity: context.reply.request.headers['x-user']
  async applyPolicy (authDirectiveAST, parent, args, context, info) {
    return context.auth.identity === 'admin'
  authDirective: 'auth'



Check GitHub repo for more examples.


Normal GraphQL Server Mode | Without Auth

Last run: 2021-04-21

│ Stat    │ 2.5% │ 50%  │ 97.5% │ 99%   │ Avg     │ Stdev   │ Max   │
│ Latency │ 4 ms │ 5 ms │ 9 ms  │ 13 ms │ 5.21 ms │ 2.01 ms │ 57 ms │
│ Stat      │ 1%      │ 2.5%    │ 50%     │ 97.5%   │ Avg      │ Stdev   │ Min     │
│ Req/Sec   │ 11135   │ 11135   │ 18223   │ 18671   │ 17550.19 │ 2049.52 │ 11134   │
│ Bytes/Sec │ 5.86 MB │ 5.86 MB │ 9.58 MB │ 9.82 MB │ 9.23 MB  │ 1.08 MB │ 5.86 MB │

Req/Bytes counts sampled once per second.
193k requests in 11.03s, 102 MB read

Normal GraphQL Server Mode | With Auth

Last run: 2021-04-21

│ Stat    │ 2.5% │ 50%  │ 97.5% │ 99%   │ Avg     │ Stdev  │ Max   │
│ Latency │ 5 ms │ 5 ms │ 10 ms │ 14 ms │ 5.59 ms │ 2.1 ms │ 64 ms │
│ Stat      │ 1%      │ 2.5%    │ 50%     │ 97.5%   │ Avg      │ Stdev   │ Min     │
│ Req/Sec   │ 9463    │ 9463    │ 17279   │ 17583   │ 16586.55 │ 2260.65 │ 9459    │
│ Bytes/Sec │ 4.98 MB │ 4.98 MB │ 9.08 MB │ 9.25 MB │ 8.72 MB  │ 1.19 MB │ 4.98 MB │

Req/Bytes counts sampled once per second.
182k requests in 11.03s, 96 MB read

Gateway GraphQL Server Mode | Without Auth

Last run: 2021-04-21

│ Stat    │ 2.5%  │ 50%   │ 97.5% │ 99%   │ Avg      │ Stdev    │ Max    │
│ Latency │ 29 ms │ 32 ms │ 66 ms │ 88 ms │ 34.96 ms │ 11.57 ms │ 195 ms │
│ Stat      │ 1%     │ 2.5%   │ 50%     │ 97.5%  │ Avg    │ Stdev  │ Min    │
│ Req/Sec   │ 1286   │ 1286   │ 3039    │ 3135   │ 2819.5 │ 543.65 │ 1286   │
│ Bytes/Sec │ 450 kB │ 450 kB │ 1.06 MB │ 1.1 MB │ 987 kB │ 190 kB │ 450 kB │

Req/Bytes counts sampled once per second.
28k requests in 10.03s, 9.87 MB read

Gateway GraphQL Server Mode | With Auth

Last run: 2021-04-21

│ Stat    │ 2.5%  │ 50%   │ 97.5% │ 99%   │ Avg      │ Stdev    │ Max    │
│ Latency │ 29 ms │ 33 ms │ 69 ms │ 93 ms │ 35.92 ms │ 12.46 ms │ 209 ms │
│ Stat      │ 1%     │ 2.5%   │ 50%     │ 97.5%  │ Avg    │ Stdev  │ Min    │
│ Req/Sec   │ 1216   │ 1216   │ 2943    │ 3129   │ 2744.7 │ 552.54 │ 1216   │
│ Bytes/Sec │ 426 kB │ 426 kB │ 1.03 MB │ 1.1 MB │ 961 kB │ 193 kB │ 426 kB │

Req/Bytes counts sampled once per second.
27k requests in 10.03s, 9.61 MB read
