guides/operation_store/access_control.md
The OperationStore has a built-in mechanism for authenticating incoming sync requests. This way, you can be sure that all registered queries came from legitimate sources.
When you [add a client]({{ site.base_url }}/operation_store/client_workflow#add-a-client), you also associate a secret with that client. You can use the default or provide your own and you can update a client secret at any time. By updating a secret, old secrets become invalid.
This secret is used to add an authorization header, generated with HMAC-SHA256. With this header, the server can assert:
For more info about HMAC, see Wikipedia or Ruby's OpenSSL::HMAC support.
The Authorization header takes the form:
"GraphQL::Pro #{client_name} #{hmac}"
{% internal_link "graphql-ruby-client", "/javascript_client/sync" %} adds this header to outgoing requests by using the provided --client and --secret values.