Skip to main content
OWASP Nest provides a GraphQL API that allows you to query and mutate data using a flexible, type-safe interface.

GraphQL Endpoint

The GraphQL API is available at: 
POST https://nest.owasp.org/graphql/
All GraphQL requests are made to this single endpoint using HTTP POST with a JSON body.

Authentication

Many queries and mutations require authentication. OWASP Nest uses session-based authentication via GitHub OAuth2.

Authenticating

First, authenticate using the githubAuth mutation: 
mutation {
  githubAuth(accessToken: "your_github_access_token") {
    ok
    message
    user {
      username
      isOwaspStaff
    }
  }
}
Once authenticated, your session cookie will be used for subsequent requests.

Logging Out

mutation {
  logoutUser {
    ok
    message
  }
}

Schema Introspection

You can explore the entire GraphQL schema using introspection queries. This is useful for discovering available types, fields, and operations.

Full Schema Query

query {
  __schema {
    types {
      name
      kind
      description
    }
  }
}

Query Type Fields

Discover all available queries: 
query {
  __type(name: "Query") {
    name
    fields {
      name
      description
      type {
        name
        kind
      }
    }
  }
}

Mutation Type Fields

Discover all available mutations: 
query {
  __type(name: "Mutation") {
    name
    fields {
      name
      description
      args {
        name
        type {
          name
          kind
        }
      }
    }
  }
}

GraphQL Features

Query Depth Limiting

OWASP Nest GraphQL API enforces a maximum query depth of 5 levels to prevent performance issues. Queries exceeding this depth will be rejected.

Introspection

Introspection is enabled in development mode but disabled in production for security reasons.

CSRF Protection

All GraphQL requests require a valid CSRF token. You can obtain a CSRF token from the /csrf/ endpoint before making GraphQL requests.

Error Handling

GraphQL errors are returned in the errors array of the response: 
{
  "errors": [
    {
      "message": "You must be an admin of this program to update it.",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": ["updateProgram"]
    }
  ],
  "data": null
}
Common error types:
  • Authentication errors: User not logged in or lacks permissions
  • Validation errors: Invalid input data (e.g., dates, limits)
  • Not found errors: Requested resource doesn’t exist
  • Permission errors: User lacks required permissions

Next Steps

Build docs developers (and LLMs) love

Get started for freeTalk to us