The CommerceQL boilerplate by design doesn't handle authentication or authorization logic.

Some users only call the Checkout and Pay mutations and never need queries at all; others run complex queries in which only certain users are permitted to perform custom actions. In either case you will need to implement this logic yourself.


You can use the context object to read the request headers and authenticate users. The example Prisma getUserId function below can sit alongside your queries and mutations: call it at the top of any resolver that should be restricted, and it either returns the authenticated user's id or throws, preventing unauthorized access.

```js
import jwt from 'jsonwebtoken'

// Secret used to verify token signatures; load it from the environment, never hard-code it.
const APP_SECRET = process.env.APP_SECRET

class AuthError extends Error {
  constructor() {
    super('Not authorized')
  }
}

// Returns the userId from a valid Bearer token, or throws AuthError when no header is present.
// Note that jwt.verify itself throws (JsonWebTokenError / TokenExpiredError) on a bad or
// expired token, so those failures also abort the resolver rather than returning undefined.
function getUserId(ctx) {
  const Authorization = ctx.request.get('Authorization')
  if (Authorization) {
    const token = Authorization.replace('Bearer ', '')
    const { userId } = jwt.verify(token, APP_SECRET)
    return userId
  }
  throw new AuthError()
}
```