Merge pull request #2146 from vtexdocs/EDU-15868

EDU-15868: GraphQL builder 2.x

Author: henriquessb

docs/guides/vtex-io/GraphQL/graphql-authorization-in-io-apps.mdx

@@ -4,52 +4,120 @@ slug: "graphql-authorization-in-io-apps"
 hidden: false
 excerpt: "Learn to implement and use protected GraphQL operations with IO apps."
 createdAt: "2025-06-30T14:00:00.000Z"
-updatedAt: "2025-06-30T14:00:00.000Z"
+updatedAt: "2025-09-30T11:00:00.000Z"
 ---
-Authenticated GraphQL requests are crucial for securing access to your VTEX IO app's data and functionalities. Authentication ensures that only authorized users or applications can interact with your GraphQL endpoints, protecting sensitive information and preventing unauthorized actions. Besides authentication, app developers can implement authorization to control who can access specific resources and what operations they can perform.
+Authenticated GraphQL requests are crucial for securing access to your VTEX IO app's data and functions. Authentication ensures that only authorized users or applications can interact with your GraphQL endpoints, protecting sensitive information and preventing unauthorized actions. In addition to authentication, app developers can implement authorization to control who can access specific resources and what operations they can perform.
 
-GraphQL authorization in VTEX IO apps works with auth tokens and [directives](https://graphql.org/learn/schema/#directives) within your GraphQL schema, enabling fine-grained access control based on [License Manager resources](https://help.vtex.com/en/tutorial/license-manager-resources--3q6ztrC8YynQf6rdc6euk3). The app identifies the requester by the [auth token](https://developers.vtex.com/docs/guides/app-authentication-using-auth-tokens) in [apps](https://developers.vtex.com/docs/guides/vtex-io-documentation-what-is-a-vtex-app) or the [user token](https://developers.vtex.com/docs/guides/api-authentication-using-user-tokens) in API calls, which will have [roles](https://help.vtex.com/en/tutorial/roles--7HKK5Uau2H6wxE1rH5oRbc) or [policies](https://developers.vtex.com/docs/guides/vtex-io-documentation-policies) associated with VTEX's resources.
+GraphQL authorization in VTEX IO apps works with auth tokens and [directives](https://graphql.org/learn/schema/#directives) within your GraphQL schema, enabling fine-grained access control based on [License Manager resources](https://help.vtex.com/en/tutorial/license-manager-resources--3q6ztrC8YynQf6rdc6euk3). The app identifies the requester by the [auth token](https://developers.vtex.com/docs/guides/app-authentication-using-auth-tokens) in [apps](https://developers.vtex.com/docs/guides/vtex-io-documentation-what-is-a-vtex-app) or the [user token](https://developers.vtex.com/docs/guides/api-authentication-using-user-tokens) in API calls. These tokens have [roles](https://help.vtex.com/en/tutorial/roles--7HKK5Uau2H6wxE1rH5oRbc) or [policies](https://developers.vtex.com/docs/guides/vtex-io-documentation-policies) associated with VTEX resources.
 
 In this guide, you will learn how to:
 
-1. Implement protected operations with GraphQL APIs in apps using authorization.
-2. Make requests in apps with the proper authorization.
-3. Make external requests with the appropriate authorization.
+1. Implement protected GraphQL API operations in apps using authorization.
+2. Make authorized requests from apps.
+3. Make external requests with appropriate authorization.
+
+> ℹ️ Only VTEX apps, Admin users, and [application keys](https://developers.vtex.com/docs/guides/api-authentication-using-api-keys) can be authorized to make GraphQL requests, as they must be associated with a role or policy that grants access to a License Manager resource. Store users don't have this type of access.
 
-> ℹ️ Only VTEX apps, Admin users, and [application keys](https://developers.vtex.com/docs/guides/api-authentication-using-api-keys) can be authorized in GraphQL requests, since they must be associated with a role or policy granting access to a License Manager resource. Store users don't have this type of access.
 ## Implementing GraphQL API authorization in apps
 
-By default, GraphQL APIs in VTEX apps don't require authorization. To enable authorization, you must add the `@auth` directive to the specific fields or operations in your GraphQL schema that require protection. This directive ensures that only requesters with access to the corresponding [License Manager resource](https://help.vtex.com/en/tutorial/license-manager-resources--3q6ztrC8YynQf6rdc6euk3) are allowed to execute the operation.
+The `@auth` directive has different implementation methods depending on the builder version.
+
+For the builder version `1.x`, the directive is optional. If a query or mutation doesn't have the directive, it's considered public by default. For the builder version `2.x`, the directive is mandatory.
+
+To enable authorization, you must add the `@auth` directive to the specific fields or operations in your GraphQL schema that need protection. This directive ensures that only requesters with access to the corresponding [License Manager resource](https://help.vtex.com/en/tutorial/license-manager-resources--3q6ztrC8YynQf6rdc6euk3) are allowed to execute the operation.
 
 The `@auth` directive uses the following arguments:
 
-- `productCode`: The numeric code that identifies the product in License Manager (for example, `"66"` for **VTEX IO**).
-- `resourceCode`: The License Manager resource identifier (for example, `"workspace-read-write"` for **Workspace CRUD**).
+<table>
+  <thead>
+    <tr>
+      <th>Argument</th>
+      <th>Description</th>
+      <th><a href="https://developers.vtex.com/docs/guides/vtex-io-documentation-graphql-builder#versioning" target="_blank">Builder version</a> details</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td><code>scope</code></td>
+      <td>
+        The authorization scope of the query or mutation. It has two possible values:
+        <ul>
+          <li><code>PUBLIC</code>: The query is public, so it doesn't require any authorization. This scope is mostly used for shoppers browsing a store.</li>
+          <li><code>PRIVATE</code>: The query is private, which requires authorization for a specific License Manager resource and product. This scope should be used for scenarios other than store browsing by a shopper, such as in the Admin.</li>
+        </ul>
+      </td>
+      <td>Works only on version <code>2.x</code>, and is mandatory.</td>
+    </tr>
+    <tr>
+      <td><code>productCode</code></td>
+      <td>The numeric code that identifies the product in License Manager (for example, <code>"66"</code> for <b>VTEX IO</b>). See the product codes in the <b>Product ID</b> column of the table in <a href="https://help.vtex.com/en/tutorial/license-manager-resources--3q6ztrC8YynQf6rdc6euk3" target="_blank">License Manager resources</a>.</td>
+      <td>Works on versions <code>1.x</code> and <code>2.x</code>. For <code>2.x</code>, this argument is mandatory if scope is set to <code>PRIVATE</code>.</td>
+    </tr>
+    <tr>
+      <td><code>resourceCode</code></td>
+      <td>The License Manager resource identifier (for example, <code>"workspace-read-write"</code> for <b>Workspace CRUD</b>). See the resource codes in the <b>Key</b> column of the table in <a href="https://help.vtex.com/en/tutorial/license-manager-resources--3q6ztrC8YynQf6rdc6euk3" target="_blank">License Manager resources</a>.</td>
+      <td>Works on versions <code>1.x</code> and <code>2.x</code>. For <code>2.x</code>, this argument is mandatory if scope is set to <code>PRIVATE</code>.</td>
+    </tr>
+  </tbody>
+</table>
+
+Examples:
+
+With version `1.x`:
+
+```graphql
+type Mutation {
+  createWorkspace(account: String, workspace: String): GenericResponse
+    @auth(productCode: "66", resourceCode: "workspace-read-write")
+}
+```
 
-Example:
+Public with version `2.x`:
 
-```graphql graphql/schema.graphql mark=2
-createWorkspace(account: String, workspace: String): GenericResponse
-  @auth(productCode: "66", resourceCode: "workspace-read-write")
+```graphql
+type Query {
+  source(id: ID!): String
+    @auth(scope: PUBLIC)
+}
 ```
 
-In this example, when the user requests the `createWorkspace` mutation, VTEX will check if this user has access to the `workspace-read-write` resource from License Manager. If the user has this access, the endpoint will process as intended. Otherwise, the request will be denied.
+In this example, there is no verification of whether the requester has access to a specific License Manager resource.
+
+Private with version `2.x`:
+
+```graphql
+type Mutation {
+  createWorkspace(account: String, workspace: String): GenericResponse
+    @auth(scope: PRIVATE, productCode: "66", resourceCode: "workspace-read-write")
+}
+```
+
+In this example, when the user requests the `createWorkspace` mutation, VTEX checks if the user has access to the `workspace-read-write` resource from License Manager. If the user has this access, the endpoint will be processed as intended. Otherwise, the request will be denied.
 
 You can see the available products and resources in [License Manager resources](https://help.vtex.com/en/tutorial/license-manager-resources--3q6ztrC8YynQf6rdc6euk3).
 
+### Error scenarios
+
+If a developer tries to build an app with the GraphQL builder `2.x`, the [VTEX IO CLI](https://developers.vtex.com/docs/guides/vtex-io-documentation-vtex-io-cli-installation-and-command-reference) will show an error message in the following cases:
+
+- Any query or mutation lacks the `@auth` directive.
+- The `scope` argument is missing in the directive.
+- When `scope` is `PRIVATE` in the directive and the `productCode` or `resourceCode` arguments are missing.
+
+![GraphQL auth directive error](../../images/graphql-auth-directive-error.png)
+
 ## Making requests to protected GraphQL APIs from a VTEX IO app
 
-When making requests to a protected GraphQL API from another VTEX IO app, you must export a [custom Client](https://developers.vtex.com/docs/guides/vtex-io-documentation-how-to-create-and-use-clients) that extends the `AppGraphQLClient` type and declare the auth token in the [Client](https://developers.vtex.com/docs/guides/vtex-io-documentation-clients)'s `VtexIdClientAutCookie` header. The requester must have the role or policy that includes the `resourceCode` and `productCode` defined in the target operation's `@auth` directive.
+When making requests to a protected GraphQL API from another VTEX IO app, you must export a [custom Client](https://developers.vtex.com/docs/guides/vtex-io-documentation-how-to-create-and-use-clients) that extends the `AppGraphQLClient` type and set the `VtexIdclientAutCookie` header with the auth token in the [Client](https://developers.vtex.com/docs/guides/vtex-io-documentation-clients). The requester must have the role or policy that includes the `resourceCode` and `productCode` defined in the target operation's `@auth` directive.
 
-Declare the token considering the requester context:
+Declare the token based on the requester's context:
 
 - **App**: `ctx.authToken`.
 - **Admin user**: `ctx.adminUserAuthToken`.
 
 Example
 
 ```typescript node/clients/catalogGraphQL/index.ts mark=9
-
 import { AppGraphQLClient, InstanceOptions, IOContext } from '@vtex/api'
 export class CatalogGQL extends AppGraphQLClient {
     constructor(ctx: IOContext, options?: InstanceOptions) {
@@ -68,17 +136,17 @@ For details about token types, see [App authentication using auth tokens](https:
 
 > ⚠️ Use the user token (Admin) whenever possible to properly identify the requester. The app token (`ctx.authToken`) should only be used when the user can't access the requested service.
 
-## Making requests to protected GraphQL API apps
+## Making requests to protected GraphQL APIs of apps
 
-When making external requests to a GraphQL API app, declare the [user token](https://developers.vtex.com/docs/guides/api-authentication-using-user-tokens) in the `VtexIdClientAutCookie` HTTP header. The requester must have a role that includes the resource and product defined in the endpoint's `@auth` directive.
+When making external requests to a GraphQL API of an app, include the [user token](https://developers.vtex.com/docs/guides/api-authentication-using-user-tokens) in the `VtexIdclientAutCookie` HTTP header. The requester must have a role that includes the resource and product defined in the endpoint's `@auth` directive.
 
 Example (cURL):
 
 ```sh terminal mark=4
 curl -X POST \
   'https://https://app.io.vtex.com/vtex.rewriter/v1/{account}/_v/graphql' \
     -H 'Content-Type: application/json' \
-    -H 'VtexIdClientAutCookie: {your_user_token}' \
+    -H 'VtexIdclientAutCookie: {your_user_token}' \
     -d '{
       "query": "
           mutation SaveInternal($route: InternalInput!) {

docs/guides/vtex-io/Reference/concepts/vtex-io-documentation-builders/vtex-io-documentation-graphql-builder.md

@@ -4,19 +4,32 @@ slug: "vtex-io-documentation-graphql-builder"
 excerpt: "Learn how to use the GraphQL builder."
 hidden: false
 createdAt: "2025-05-05T12:00:00.000Z"
-updatedAt: "2025-05-05T12:00:00.000Z"
+updatedAt: "2025-09-30T11:00:00.000Z"
 category: "App Development"
 ---
 
-The `graphql` builder handles the GraphQL app [schema](https://graphql.org/learn/schema/) and serves as an interface between frontend applications and backend [services](https://developers.vtex.com/docs/guides/vtex-io-documentation-service). This guide provides a comprehensive overview of how to use this builder effectively. For more information, check [Using GraphQL to retrieve data from Master Data](https://developers.vtex.com/docs/guides/services-6-graphql-retrieving-data-from-master-data) and the [official GraphQL documentation](https://graphql.com/learn/what-is-graphql/).
+The `graphql` builder handles the GraphQL app [schema](https://graphql.org/learn/schema/) and serves as an interface between frontend applications and backend [services](https://developers.vtex.com/docs/guides/vtex-io-documentation-service). This guide provides a comprehensive overview of how to use this builder effectively. For more information, see [Developing a GraphQL API in service apps](https://developers.vtex.com/docs/guides/developing-a-graphql-api-in-service-apps) and the [official GraphQL documentation](https://graphql.com/learn/what-is-graphql/).
 
 > ℹ️ The `graphql` builder is used only when developing an app's GraphQL API. You don't need this builder to consume GraphQL APIs in IO apps.
 
+## Versioning
+
+The `graphql` builder is available in the following versions:
+
+| Builder version | Mandatory `@auth` directive\* | Status |
+| :- | :- | :- |
+| `1.x` | No | Unavailable for new apps and new major versions of existing apps. Available for linking apps and publishing new minor and patch [versions](https://developers.vtex.com/docs/guides/vtex-io-documentation-releasing-a-new-app-version#understanding-app-versioning) of existing apps until January 7, 2026. |
+| `2.x` | Yes | Active |
+
+\* The `@auth` directive adds an authorization step to GraphQL queries and mutations. For more details, see [GraphQL authorization in IO apps](https://developers.vtex.com/docs/guides/graphql-authorization-in-io-apps).
+
+> ⚠️ Apps using deprecated builder versions can still run on the VTEX platform, but developers can't build or create new app versions using these builder versions.
+
 ## Folder structure
 
-The `graphql` builder uses a `graphql` folder in the app’s root folder. This folder contains `.graphql` files with the schema definitions. Developers can structure the whole schema in a single file or split it into multiple files and subfolders.
+The `graphql` builder uses a `graphql` folder in the app's root folder. This folder contains `.graphql` files with the schema definitions. Developers can structure the whole schema in a single file or split it into multiple files and subfolders.
 
-Our recommendation is to:
+We recommend you to:
 
 - Define only the endpoints ([queries](https://graphql.org/learn/queries/), [mutations](https://graphql.org/learn/mutations/), and [subscriptions](https://graphql.org/learn/subscriptions/)) in `schema.graphql`.
 - Handle [directives](https://graphql.org/learn/schema/#directives) separately in `directives.graphql`.
@@ -35,13 +48,15 @@ graphql
 
 To develop an app using the `graphql` builder, follow the steps below:
 
-1. **Start with a template:** Download an app template such as [`graphql-example`](https://github.com/vtex-apps/graphql-example) or create a new project using the [`vtex init CLI command`](https://developers.vtex.com/docs/guides/vtex-io-documentation-vtex-io-cli-usage#starting-a-new-project) and choose the `graphql-example` option.
-2. **Add the schema files**: Add the `.graphql` files with the schema definitions, including the endpoints (queries, mutations, and subscriptions), directives, and other types you want to define.
-3. **Add the API implementation logic**: Add the code that implements and instantiates the resolver functions. There's an example available in [Using GraphQL to retrieve data from Master Data](https://developers.vtex.com/docs/guides/services-6-graphql-retrieving-data-from-master-data).
-    1. **Create the resolvers**: Create the resolver functions that will run when your GraphQL endpoints are called. The functions must have the same names as the endpoints defined in the schema. If you're developing a Node service, you should add the TypeScript code (`.ts` files) in the `node/resolvers` folder.
-    2. **Instantiate the resolvers**: Add the code to instantiate the resolvers. If you're developing a Node service, in the `Service` class of the `node/index.ts` file, you should add a `graphql` field with the resolvers for each endpoint implemented along with the directives.
+1. **Start with a template:** Download an app template such as [`graphql-example`](https://github.com/vtex-apps/graphql-example) or create a new project using the [`vtex init` CLI command](https://developers.vtex.com/docs/guides/vtex-io-documentation-vtex-io-cli-usage#starting-a-new-project) and select the `graphql-example` option.
+2. **Add the schema files:** Add the `.graphql` files with the schema definitions, including the endpoints (queries, mutations, and subscriptions), directives, and other custom types.
+3. **Add the API implementation logic**: Add the code that implements and instantiates the resolver functions.
+    1. **Create the resolvers**: Create the resolver functions that will run when your GraphQL endpoints are called. The functions must have the same names as the endpoints defined in the schema. If you're developing a Node service, add the TypeScript code (`.ts` files) in the `node/resolvers` folder.
+    2. **Instantiate the resolvers**: Add the code to instantiate the resolvers. If you're developing a Node service, in the `node/index.ts` file, within the `Service` class, you should add a `graphql` field that includes the resolvers for each implemented endpoint and the directives.
 4. **Testing**: [Link the app](https://developers.vtex.com/docs/guides/vtex-io-documentation-linking-an-app) to a development workspace for testing. Test the endpoints with the [GraphQL IDE](https://developers.vtex.com/docs/guides/graphql-ide).
 
+For a more detailed tutorial on implementing an app with this builder, see [Developing a GraphQL API in service apps](https://developers.vtex.com/docs/guides/developing-a-graphql-api-in-service-apps).
+
 ## Use case examples
 
 Below are some app examples that use the `graphql` builder: