Overview
An inline argument is an argument whose value is written directly into the operation as a literal instead of being supplied through a variable.validate_inline_arguments detects these arguments during operation normalization. Depending on the mode,
the router logs the findings, returns them to the client, or rejects the operation.
Modes
The feature has three modes:Configuration
The feature is configured underengine.validate_inline_arguments:
What counts as an inline argument
Detection runs during normalization and covers every argument whose value is not a variable:- Field arguments, including introspection fields such as
__type(name: "User"). - Directive arguments, including the built-in
@skipand@includeand any custom directive.
- Arguments supplied through a variable, for example
userById(userId: $userId). - Variable default values, for example
query($first: Int = 10). A default value is not an argument.
@skip and @include prune the selection set. An inline argument on a field or
directive that normalization later removes is still reported.
Qualified names
Findings are reported using a qualified name that identifies where the argument was used:Non-enforcing mode
Inpermissive mode the operation executes normally. The router surfaces the findings in two ways.
Warning log
For every operation that contains inline arguments, the router emits a warning. This happens regardless of thereturn_in_response_extensions setting.
Response extensions
Whenreturn_in_response_extensions is true, the findings are also returned to the client under
extensions.inlineArguments. The count field is the number of inline arguments, and arguments lists their
qualified names.
return_in_response_extensions has no effect in enforcing mode, because offending operations are rejected
before a response is produced.
Enforcing mode
Instrict mode the router rejects any operation that uses an inline argument value. The operation
is rejected during normalization, so no subgraph requests are made.
The rejection is generic. The router stops at the first inline argument and does not name the argument or
point at its location. The response uses the configured error_message, error_code, and
enforce_http_status_code.
Persisted operations
Persisted operations are exempt by default. They are authored and registered ahead of time, so inline values in a persisted operation are a controlled, reviewable input rather than arbitrary client traffic. Setinclude_persisted_operations: true to apply the policy to persisted operations as well. This applies to
both non-enforcing and enforcing modes.
Rollout
Start inpermissive mode to understand your traffic without breaking clients.
extensions.inlineArguments to find operations that still send inline values and
migrate them to variables. Once the offending operations are gone, switch to strict.