Signing Requests

Once you've authenticated a user and have the JWT to hand, you're ready to start signing your requests.

JWTs currently need to be passed into the Authorization header as follows:

Authorization: JWT ${token}

Craft has its own internal logic for validating GraphQL authorization headers, so if the token is passed as Authorization: Bearer ${token}, Craft will step in first and throw an Invalid Authorization Header error before the plugin sees the request.
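The header format described above, as an added client-side example that is not part of the plugin's own code: it builds a GraphQL request carrying the JWT scheme Craft expects (not Bearer), and surfaces the Invalid Authorization Header error instead of silently returning empty data. The endpoint URL and token are placeholders, and a global fetch (Node 18+ or a browser) is assumed.

```javascript
// Added example, not from the plugin docs. Assumptions: endpoint and token
// are placeholders supplied by the caller; fetch is available globally.

const AUTH_SCHEME = 'JWT'; // Craft rejects "Bearer" for this plugin's tokens

// Build the fetch() arguments for a signed GraphQL request. Kept separate
// from the network call so the header layout can be checked offline.
function buildSignedRequest(endpoint, token, query, variables = {}) {
  // A compact JWT is three base64url segments; catch obvious mistakes early
  // (e.g. passing the whole auth response object instead of the token).
  if (typeof token !== 'string' || token.split('.').length !== 3) {
    throw new Error('expected a compact JWT (header.payload.signature)');
  }
  return {
    url: endpoint,
    init: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        Authorization: `${AUTH_SCHEME} ${token}`,
      },
      body: JSON.stringify({ query, variables }),
    },
  };
}

// Interpret a GraphQL response body. GraphQL returns HTTP 200 even on auth
// failure, so the errors array has to be inspected explicitly.
function unwrapGraphqlResponse(body) {
  if (Array.isArray(body.errors) && body.errors.length > 0) {
    const messages = body.errors.map((e) => e.message).join('; ');
    const err = new Error(`GraphQL error: ${messages}`);
    // Flag the specific failure Craft raises for a bad/blocked header.
    err.authFailure = /invalid authorization header/i.test(messages);
    throw err;
  }
  return body.data;
}

// Send a signed query and return its data (throws on GraphQL errors).
async function signedQuery(endpoint, token, query, variables) {
  const { url, init } = buildSignedRequest(endpoint, token, query, variables);
  const res = await fetch(url, init);
  return unwrapGraphqlResponse(await res.json());
}
```

If signedQuery rejects with authFailure set, check the scheme first and then whether a proxy or Apache (see the CGIPassAuth note) is dropping the header before it reaches PHP.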


If you are using Apache as your web server, make sure you've enabled CGIPassAuth or modified your .htaccess file as seen here, so that the Authorization header isn't blocked before it reaches Craft.


Craft's built-in GraphiQL doesn't allow you to send custom headers, so a quick way of testing your authorization flow is to use


You'll need to add to your allowedGraphqlOrigins setting in general.php.