Disabling introspection
The introspection __schema field is exposed in the Access Control Lists.
This allows us to disable introspection for the single endpoint or custom endpoints, following any of the already available rules, such as:
- Disable always
- Disable for logged-out users
- Disable for users without a certain role or capability
For instance, when opening the GraphiQL client on a custom endpoint after disabling access to __schema, we get an error:
Uncaught (in promise) Error: Invalid or incomplete introspection result. Ensure that you are passing "data" property of introspection response and no "errors" was returned alongside: { __schema: null }
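One way to confirm from outside the admin screens that the rule on __schema took effect, as an added example that is not part of the plugin or its documentation. The function names and the sample response bodies are constructed for illustration, and the errors-only response shape is an assumption about how a server may reject the query, not something this page confirms.

```javascript
// Added example: check whether an endpoint still answers introspection.
// Minimal probe: asks only for the name of the root query type.
const PROBE = '{ __schema { queryType { name } } }';

// Constructed sample response bodies (not captured from a real server).
const SAMPLES = {
  denied: { data: { __schema: null } },            // shape shown in the GraphiQL error
  open: { data: { __schema: { queryType: { name: 'Query' } } } },
  rejected: { errors: [{ message: 'constructed error' }] }, // assumed errors-only reply
  other: { data: { posts: [] } },                  // unrelated payload
};

// Classify a parsed GraphQL response body as 'disabled', 'enabled' or 'unknown'.
function introspectionState(body) {
  if (body === null || typeof body !== 'object') return 'unknown';
  const data = body.data;
  const hasErrors = Array.isArray(body.errors) && body.errors.length > 0;
  if (data && typeof data === 'object' && '__schema' in data) {
    if (data.__schema === null) return 'disabled';
    if (typeof data.__schema === 'object') return 'enabled';
    return 'unknown';
  }
  // No __schema key at all: treat as denied only if the server reported errors.
  if ((data === null || data === undefined) && hasErrors) return 'disabled';
  return 'unknown';
}

// Send the probe to an endpoint you administer. Pass extra headers (for
// example a session cookie) to test the rule for a logged-in user or role.
async function checkEndpoint(url, headers = {}) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', ...headers },
    body: JSON.stringify({ query: PROBE }),
  });
  let body = null;
  try {
    body = await res.json();
  } catch {
    // Non-JSON reply (HTML error page, empty body): leave as 'unknown'.
  }
  return { status: res.status, state: introspectionState(body) };
}
```

Run checkEndpoint once without credentials and once with the headers of each role the rule is meant to distinguish, so that "disable for logged-out users" and role-based rules are each checked from the matching side.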