Signing Requests

Once you've authenticated a user and have the JWT to hand, you're ready to start signing your requests.

JWTs currently need to be passed into the Authorization header as follows:

Authorization: JWT ${token}

Craft has its own internal logic for validating GraphQL authorization headers, so if the token is passed in as Authorization: Bearer ${token}, Craft will intercept it and throw an Invalid Authorization Header error.

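As an added example (not code from the plugin or from Craft), here is a small browser/Node client that signs a GraphQL request with the JWT scheme described above and rejects the Bearer scheme before the request leaves the client, so the mismatch surfaces as a clear local error rather than Craft's Invalid Authorization Header response. The endpoint URL, the sample query and the token value are constructed placeholders, and the function names are assumptions for this example.

```javascript
// Added example: sign a GraphQL request for a Craft site with "Authorization: JWT <token>".
// Not the plugin's own code. GRAPHQL_ENDPOINT, the query and the token are constructed values.

const GRAPHQL_ENDPOINT = 'https://example.test/api'; // assumption: your Craft GraphQL endpoint

// Build the header value in the form the plugin expects: "JWT <token>".
function authorizationHeader(token) {
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('A non-empty JWT is required to sign the request');
  }
  return `JWT ${token}`;
}

// Validate a header value before sending. Craft's own GraphQL authorization
// logic intercepts the "Bearer" scheme and throws "Invalid Authorization Header",
// so refuse it client-side with a message that explains the fix.
function validateAuthorizationHeader(value) {
  const [scheme] = value.split(' ', 1);
  if (scheme === 'Bearer') {
    return {
      ok: false,
      reason: 'Use "JWT <token>", not "Bearer <token>": Craft intercepts the Bearer scheme',
    };
  }
  if (scheme !== 'JWT') {
    return { ok: false, reason: `Unknown Authorization scheme "${scheme}"` };
  }
  return { ok: true };
}

// Assemble fetch() options for a signed GraphQL POST.
function buildGraphqlRequest(token, query, variables = {}) {
  const auth = authorizationHeader(token);
  const check = validateAuthorizationHeader(auth);
  if (!check.ok) {
    throw new Error(check.reason);
  }
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Authorization: auth,
    },
    body: JSON.stringify({ query, variables }),
  };
}

// Usage: send a constructed sample query with the signed request.
// (fetch is the browser / Node 18+ global; nothing is sent at load time.)
async function runSignedQuery(token) {
  const query = '{ ping }'; // constructed sample query
  const response = await fetch(GRAPHQL_ENDPOINT, buildGraphqlRequest(token, query));
  return response.json();
}
```

Because `validateAuthorizationHeader` runs on every request, a stray `Bearer` prefix copied from another client fails locally with the reason attached, instead of reaching Craft and coming back as a generic header error.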
Craft's built-in GraphiQL doesn't allow sending custom headers, so a quick way of testing your authorization flow is to use
You'll need to add to your allowedGraphqlOrigins setting in general.php.