Skip to main content
The router provides three different ways of customization:
  1. Configure the router runtime: You can specify a for convenience or pass environment variables. In both ways, you can configure the global behavior of the router. For a full reference of all available options see below or use your IDE of choice.
  2. Configure how your graph is served: This file can be provided as config option or is pulled automatically from the cdn. It contains information on how to resolve your federated schema. The engine uses the information to build a highly optimized query planner. For more information see to build the file locally for development or to download the latest production version.
  3. Customize the router programatically through Go modules. It is unlikely that we will provide every possible feature as an in-built functionality. For advanced use cases or more control, you can build Go modules and compile the Router in a few commands. If you are uncertain about if your use case should be implemented as a custom module, don’t hesitate to open an issue. We might already have a plan for this or can assist you with the implementation.
Recommendation Create a config file and use environment variable expansion to avoid storing secrets on the file system.

Config file

For convenience, you can create a config.yaml to specify all router options. Start the router in the same directory or pass the path to the file as a CONFIG_PATH environment variable.
Values specified in the config file have precedence over Environment variables. This also includes empty values so only specify values that should be overwritten. That means, you can see the config file as a single source of truth.

Expand Environment Variables

You can expand environment variables in the file like this:
This will replace the value of the environment variable LOG_LEVEL with the value of the key log_level in your config file. For numeric values, ensure quotes are omitted.

Config Validation & Auto-completion

We know configuration is hard, especially for a software component like the router that can be customized entirely to your needs. In order to simplify this, we use JSON schema to validate the router configuration. This comes with huge benefits, all right at your fingertips:
  • Auto-completion
  • Documentation (Usage, Examples)
  • Detect deprecated fields
  • Detect typos or invalid values.
Some options require the router to validate them. This requires starting the router. Once your router has started successfully, you can be sure that your configuration is valid.

IDE Configuration

  • VsCode: Install the YAML extension in your IDE.
  • JetBrains: Support out of the box but in some circumstances it conflicts with other default mappings. Go to Languages & Frameworks -> Schemas and DTDs -> JSON Schemas Mappings configure the mapping yourself.
As the next step, add the following line to the head of your config.yamlfile. This line informs your IDE, to download the correct JSON schema file to validate the config file.
If you want to pin to a specific router version use the following URL:
Now, you should get auto-completion .

Environment Variables

Many configuration options can be set as environment variables. For a complete list of options, please look at the Router config tables.

Router

The following sections describe each configuration in detail with all available options and their defaults.
Intervals, timeouts, and delays are specified in Go duration syntax e.g 1s, 5m or 1h.Sizes can be specified in 2MB, 1mib.

Example configuration:

Config watcher hot reloading

The router is capable of reloading itself using an updated config without a full process restart. You can trigger a reload in one of two ways:
  • Sending a SIGHUP signal to the router process.
  • Configuring the watch_config section to automatically check the configuration for changes at regular intervals.
config.yaml

watch_config options

Hot reloading has some limitations:
  • Changes to the watch_config section are not hot-reloaded.
  • Changes to flags and environment variables are not possible.
  • watch_config based reloads are based on the filesystem’s modification time, edits that somehow circumvent this mechanism will not trigger a reload.

Access Logs

For a detailed example, please refer to the Access Logs section.

Example YAML config:

Telemetry

Graph

Overall configuration for the Graph that’s configured for this Router. Example YAML config:

MCP (Model Context Protocol)

The Model Context Protocol (MCP) server allows AI models to discover and interact with your GraphQL API in a secure way. Example YAML config:
For more details on how to use the MCP server, see the MCP Integration documentation.

TLS

The Router supports TLS and mTLS for secure communication with your clients and infrastructure components like load balancer.

Server TLS

Example YAML config:

Client Authentication

Example YAML config:

Compliance

The configuration for the compliance. Includes for example the configuration for the anonymization of the IP addresses.

IP Anonymization

Example YAML config:

Cluster

Example YAML config:

Telemetry

Example YAML config:

Tracing

Example YAML config:

Exporters

Example YAML config:

Propagation

Example YAML config:

Metrics

OTLP

Attributes

Example YAML config:

Prometheus

Example YAML config:

Exporter

Example YAML config:

GraphQL Metrics

Example YAML config:

CORS

Example YAML config:

Cache Control Policy

Configure your cache control policy. More information on this feature can be found here: #cache-control-policy

Example YAML Config:

Custom Modules

Configure your custom Modules. More information on this feature can be found here: Custom Modules

Example YAML config:

gRPC Plugins

The configuration for the router gRPC plugins. To learn more about the gRPC plugins, see the gRPC plugins documentation.

Example YAML config:

config.yaml

Headers

Configure Header propagation rules for all Subgraphs or individual Subgraphs by name. When Cookieis a propagated header, you may want to filter the keys that are forwarded to the subgraph from the client, you can do this via the cookie_whitelistoption, which is a list of string cookie keys that will not be discarded. An empty value means allow all. If you’d like to block all cookies, disable the header propagation entirely.
The cookie whitelist can also affect custom modules that read request cookies, even if propagation is disabled for the Cookie header. This is because the whitelisting happens very early in the request lifecycle, before it reaches subgraphs or custom modules.
Example YAML config:

Global Header Rules

Apply to requests/responses to/from “all” Subgraphs. These will be applied globally in the graph

Example YAML config:

Header Rule Example Using Template Expression:

This example sets the X-User-ID header based on the sub claim from the JWT token, if the user is authenticated. Learn more about template expressions.

Request Header Rule

Apply to requests to specific Subgraphs.

Example YAML config:

Response Header Rule

These rules can be applied to all responses, as well as just to specific subgraphs, and used to manipulate and propagate response headers from subgraphs to the client. By configuring the rule, users can define how headers should be handled when multiple subgraphs provide conflicting values for a specific header.

Example YAML config:

Storage Providers

Storage providers allow you to configure different backends for persisted operations, router execution config and MCP operations.

Example YAML config:

Storage Provider Types

File System Storage Provider

This provider allows you to load files from the local file system. This is particularly useful for the MCP server to load GraphQL operations.
The file system storage provider is currently only supported by the MCP feature. It cannot be used for persisted operations or execution configurations.

Redis Storage Provider

Used for distributed caching like automatic persisted queries.

S3 Storage Provider

For storing operations and configs in S3-compatible storage.

CDN Provider

For connecting to the Cosmo CDN.

Persisted Operations

The configuration for the persisted operations allows you to maintain a fixed set of GraphQL operations that can be queried against the router without exposing your entire graph to the public. This approach enhances security and performance.

Example YAML config:

Persisted Operations Configuration Options

These rules apply to requests being made from the Router to all Subgraphs.

Automatic Persisted Queries

The configuration for automatic persisted queries allows you to enable automated caching of select GraphQL operations that can be queried against the router, using both POST and GET requests. This approach enhances performance. It defaults to using a local cache (with the size defined in cache.size), but users can optionally use a Redis storage

Example YAML config:

Configuration Options

These rules apply to requests being made from the Router to all Subgraphs.

Execution Config

The configuration for the execution setup contains instructions for the router to plan and execute your GraphQL operations. You can specify the storage provider from which the configuration should be fetched.

Example YAML config:

config.yaml
or
config.yaml

Execution config options

Traffic Shaping

Configure rules for traffic shaping like maximum request body size, timeouts, retry behavior, etc. For more info, check this section in the docs: Traffic shaping

Example YAML config:

Subgraph Request Rules

These rules apply to requests being made from the Router to all Subgraphs.

Subgraph specific request rules

In addition to the general traffic shaping rules, we also allow users to set subgraph specific timeout options, overriding the default traffic rules defined in all(if present)

Jitter Retry

Client Request Request Rules

These rules apply to requests being made from clients to the Router.

WebSocket

Configure WebSocket handlers, protocols, and more.

WebSocket Configuration

Absinthe Protocol Configuration

Legacy WebSocket clients that use the Absinthe protocol might not be able to send a Subprotocol Header. For such clients, you can use the Absinthe Endpoint which automatically chooses the Subprotocol for them so that no Subprotocol Header needs to be set.

WebSocket Authentication

It’s possible that Authentication for a WebSocket connection is not possible at the HTTP layer. In such a case, you can enable Authentication “from_initial_payload”. This will extract a value from the “initial_payload” field in the first WebSocket message which is responsible for negotiating the protocol between client and server. In addition, it’s possible to export the extracted value into a Request Header, which allows the Router to propagate it using Header Propagation Rules in subsequent Subgraph Requests.

WebSocket Client Info Configuration

Configure how to extract client info from the initial WebSocket payload. This allows you to set client name and version information from the initial connection payload, which can then be forwarded to request headers if needed.

Example WebSocket YAML config:

Authentication

Configure different authentication providers.

New Authentication Config (Router Version ≥ 0.169.0)

JWKS

JWT

Header Sources

Example YAML config V2:

Old Authentication Config (Router Version < 0.XXX.X)

Provider

JWK Provider

Example YAML config:

Authorization

Example YAML config:

CDN

Example YAML config:

Events

The Events section lets you define Event Sources for Event-Driven Federated Subscriptions (EDFS). We support NATS and Kafka as event bus provider.

Provider

NATS Provider

Kafka Provider

Nats Provider

Router Engine Configuration

Configure the GraphQL Execution Engine of the Router.

Example YAML config:

Debug Configuration

Example YAML config:

Rate Limiting

Configures a rate limiter on the outgoing subgraphs requests. When enabled, a rate of 10 req/s with a burst of 10 requests is configured.
The rate limiter requires Redis version 3.2 or newer since it relies on replicate_commands feature. ElastiCache for Redis only works in non-clustered mode. You can enable a failover instance to achieve high availability.

Key Suffix Expression

As you can see in the config table below, you can define an expression to generate the a rate limiting key suffix. The evaluation of the expression must return a string, which will be appended to the key prefix. Using a key suffix expression, you’re able to dynamically choose a rate limiting key, e.g. based on the user authentication, a header, or a combination. Here’s an example expression that uses the sub claim if available, and a Header as the fallback.
For mor information on how to use the expression language, please refer to the Template Expressions section.

General Rate Limiting Configuration

Rate Limiting Redis Storage

Rate Limiting Simple Strategy

Rate Limit Error Extension Code

Rate Limiting Example YAML configuration

Subgraph Error Propagation

The configuration for the subgraph error propagation. Errors can be exposed to the client in a “wrapped” form to hide Subgraph internals, or it’s possible to “pass-through” Subgraph errors directly to the client.

Example YAML configuration:

Security

The configuration for the security. The security is used to configure the security settings for the Router.

Example YAML Configuration

Query Depth is now deprecated. We recommend using the security.complexity_calculation_cache and security.complexity_limits configurations instead, which provide that functionality.

Complexity Calculation Cache

The configuration for the in-memory complexity cache, to help speed up the calculation process in the event of a recurring query

Complexity Limits

The configuration for adding a complexity limits for queries. We currently expose 4 limits:
  • Query Depth - How many nested levels you can have in a query. This limit prevents infinite querying, and also limits the size of the data returned.
  • Total Fields in Query
  • Root Fields in Query
  • Root Field Aliases in Query
For all of the limits, if the limit is 0, or enabled isn’t true, the limit isn’t applied. All of them have the same configuration fields:

File Upload

The configuration for file upload. Configure whether it should be enabled along with file size and number of files.

Example YAML Configuration

Client Header

The configuration for custom names for client name and client version headers.

Example YAML Configuration

By default, we support Graphql-Client-Name , Graphql-Client-Version, Apollo-Graphql-Client-Name, Apollo-Graphql-Client-Version. The custom names are given more precedence.

Apollo Compatibility Flags

This configuration is used to enable full compatibility with Apollo Federation, Apollo Gateway and Apollo Router, you can enable certain compatibility flags, allowing you to use Cosmo Router as a drop-in replacement for Apollo.

Apollo Compatibility Value Completion

Invalid __typename values will be returned in extensions.valueCompletion instead of errors.

Apollo Compatibility Truncate Floats

Truncate floats like 1.0 to 1, 2.0 to 2, etc.. Values like 1.1 or 2.2 will not be truncated.

Apollo Compatibility Suppress Fetch Errors

Suppresses fetch errors. When enabled, only the ‘data’ object is returned, suppressing errors. If disabled, fetch errors are included in the ‘errors’ array.

Apollo Compatibility Replace Undefined Op Field Errors

Produces the same error message as Apollo when an invalid operation field is included in an operation selection set. Extension code: “GRAPHQL_VALIDATION_FAILED” Status code: 400

Apollo Compatibility Replace Invalid Var Errors

Produces the same error message as Apollo when an invalid variable is supplied. Extension code: “BAD_USER_INPUT”

Apollo Compatibility Replace Validation Error Status

Produces the same error status as Apollo when validation fails. Error status: 400 Bad Request Minimum router version: 0.175.0

Example YAML Configuration

Apollo Router Compatibility Flags

Apollo Router Compatibility Flags can be enabled alongside Apollo Compatibility Flags, but some will override their counterpart’s functionality. This means you can safely use enable_all: true alongside these flags.

Apollo Router Compatibility Replace Invalid Var Errors

Produces the same error messages as Apollo Router when an invalid variable is supplied. Extension code: “VALIDATION_INVALID_TYPE_VARIABLE”

Example YAML Configuration

Cache warmer

Example YAML config:

Source

The source of the cache warmup items. Only one can be specified. If empty, the cache warmup source is the Cosmo CDN and it requires a graph to be set.

Example YAML config: