Disclaimer: This website requires Please enable JavaScript in your browser settings for the best experience.

Dev guideRecipesUser Guides
Dev guideRecipesAPI ReferenceChangelog
Dev guideRecipesUser GuidesNuGetDev CommunityOptimizely AcademySubmit a ticketLog In
Dev guide
NuGetDev CommunityOptimizely AcademySubmit a ticket
Start typing to search…

HMAC

The most secure administrative access

Authorization: "epi-hmac {appKey}:{timestamp}:{nonce}:{signature}"

HMAC (Hash-based Message Authentication Code) provides strong security by ensuring message integrity and authenticity. It combines a secret key with a cryptographic hash function, making it suitable for applications that handle sensitive data, such as financial services. HMAC protects communications from unauthorized access and tampering.

Use your {appKey} and {secret} credentials to implement HMAC.

HMAC query behavior

When you authenticate requests using HMAC, Optimizely Graph returns content based on the following default rules:

  • The content is not deleted (_deleted = false).
  • The content has not expired (StopPublish is null or set to a future date).

By default, querying with HMAC is equivalent to querying as a super user. Graph returns all content regardless of publication status or role-based access control (RBAC) restrictions.

Modify query behavior with request headers

Include specific request headers to change how Graph evaluates access and filtering. These headers let you enforce RBAC rules or include content that is normally excluded.

Apply role-based access control (RBAC)

Use the cg-username and cg-roles headers together to apply RBAC filtering.

Required headers

  • cg-username – The Optimizely CMS username.
  • cg-roles – A comma-separated list of CMS roles.

When both headers are present, Graph returns only content that the specified user or roles can access.

A content item is returned if it includes at least one of the following permissions:

  • u:{USERNAME}:Read
  • r:{ROLE}:Read

Example

cg-username: Tom
cg-roles: Editors,Reviewers

In this example, Graph returns content that meets any of the following conditions:

  • Includes u:Tom:Read in its RBAC list
  • Includes r:Editors:Read in its RBAC list
  • Includes r:Reviewers:Read in its RBAC list

Include deleted or expired content

Use the following optional headers to expand the result set:

  • cg-include-deleted Returns content items where _deleted = true.
  • cg-include-hard-deleted Returns hard-deleted content items.
  • cg-include-expired Returns content items where StopPublish is set to a past date.

Example: HMAC request with RBAC headers

The following example shows a GraphQL query authenticated with HMAC and filtered using RBAC headers.

curl -X POST "https://cg.optimizely.com/content/v2" \
  -H "Authorization: hmac YOUR_SIGNATURE" \
  -H "cg-username: [email protected]" \
  -H "cg-roles: editor,author" \
  -H "Content-Type: application/json" \
  -d '{"query": "{ Article { items { title } } }"}'

With HMAC authentication, Optimizely Graph supports both unrestricted access for system-level integrations and fine-grained access control through request headers. This flexibility allows you to securely query content while aligning results with CMS permissions when required.

Updated 11 days ago