- Configure the router runtime: You can specify a for convenience or pass environment variables. In both ways, you can configure the global behavior of the router. For a full reference of all available options see below or use your IDE of choice.
- Configure how your graph is served: This file can be provided as config option or is pulled automatically from the cdn. It contains information on how to resolve your federated schema. The engine uses the information to build a highly optimized query planner. For more information see to build the file locally for development or to download the latest production version.
- Customize the router programatically through Go modules. It is unlikely that we will provide every possible feature as an in-built functionality. For advanced use cases or more control, you can build Go modules and compile the Router in a few commands. If you are uncertain about if your use case should be implemented as a custom module, don’t hesitate to open an issue. We might already have a plan for this or can assist you with the implementation.
Recommendation Create a config file and use environment variable expansion
to avoid storing secrets on the file system.
Config file
For convenience, you can create aconfig.yaml to specify all router options. Start the router in the same directory or pass the path to the file as a CONFIG_PATH environment variable.
Values specified in the config file have precedence over Environment
variables. This also includes empty values so only specify values that should
be overwritten. That means, you can see the config file as a single source of
truth.
Expand Environment Variables
You can expand environment variables in the file like this:LOG_LEVEL with the value of the key log_level in your config file. For numeric values, ensure quotes are omitted.
Config Validation & Auto-completion
We know configuration is hard, especially for a software component like the router that can be customized entirely to your needs. In order to simplify this, we use JSON schema to validate the router configuration. This comes with huge benefits, all right at your fingertips:- Auto-completion
- Documentation (Usage, Examples)
- Detect deprecated fields
- Detect typos or invalid values.
IDE Configuration
- VsCode: Install the YAML extension in your IDE.
- JetBrains: Support out of the box but in some circumstances it conflicts with other default mappings. Go to
Languages & Frameworks->Schemas and DTDs->JSON Schemas Mappingsconfigure the mapping yourself.
config.yamlfile. This line informs your IDE, to download the correct JSON schema file to validate the config file.
Environment Variables
Many configuration options can be set as environment variables. For a complete list of options, please look at the Router config tables.Router
The following sections describe each configuration in detail with all available options and their defaults.Intervals, timeouts, and delays are specified in Go duration syntax e.g 1s, 5m or 1h.Sizes can be specified in 2MB, 1mib.
Example configuration:
Config watcher hot reloading
The router is capable of reloading itself using an updated config without a full process restart. You can trigger a reload in one of two ways:- Sending a
SIGHUPsignal to the router process. - Configuring the
watch_configsection to automatically check the configuration for changes at regular intervals.
config.yaml
watch_config options
Hot reloading has some limitations:
- Changes to the
watch_configsection are not hot-reloaded. - Changes to flags and environment variables are not possible.
watch_configbased reloads are based on the filesystem’s modification time, edits that somehow circumvent this mechanism will not trigger a reload.
Access Logs
For a detailed example, please refer to the Access Logs section.Example YAML config:
Telemetry
Graph
Overall configuration for the Graph that’s configured for this Router.
Example YAML config:
MCP (Model Context Protocol)
The Model Context Protocol (MCP) server allows AI models to discover and interact with your GraphQL API in a secure way.
Example YAML config:
TLS
The Router supports TLS and mTLS for secure communication with your clients and infrastructure components like load balancer.Server TLS
Example YAML config:
Client Authentication
Example YAML config:
Compliance
The configuration for the compliance. Includes for example the configuration for the anonymization of the IP addresses.IP Anonymization
Example YAML config:
Cluster
Example YAML config:
Telemetry
Example YAML config:
Tracing
Example YAML config:
Exporters
Example YAML config:
Propagation
Example YAML config:
Metrics
OTLP
Attributes
Example YAML config:
Prometheus
Example YAML config:
Exporter
Example YAML config:
GraphQL Metrics
Example YAML config:
CORS
Example YAML config:
Cache Control Policy
Configure your cache control policy. More information on this feature can be found here: #cache-control-policyExample YAML Config:
Custom Modules
Configure your custom Modules. More information on this feature can be found here: Custom ModulesExample YAML config:
gRPC Plugins
The configuration for the router gRPC plugins. To learn more about the gRPC plugins, see the gRPC plugins documentation.Example YAML config:
config.yaml
Headers
Configure Header propagation rules for all Subgraphs or individual Subgraphs by name.Cookie Whitelist
WhenCookieis a propagated header, you may want to filter the keys that are forwarded to the subgraph from the client, you can do this via the cookie_whitelistoption, which is a list of string cookie keys that will not be discarded. An empty value means allow all. If you’d like to block all cookies, disable the header propagation entirely.
The cookie whitelist can also affect custom modules that read request cookies,
even if propagation is disabled for the
Cookie header. This is because the
whitelisting happens very early in the request lifecycle, before it reaches
subgraphs or custom modules.Global Header Rules
Apply to requests/responses to/from “all” Subgraphs. These will be applied globally in the graphExample YAML config:
Header Rule Example Using Template Expression:
This example sets theX-User-ID header based on the sub claim from the JWT token, if the user is authenticated.
Learn more about template expressions.
Request Header Rule
Apply to requests to specific Subgraphs.Example YAML config:
Response Header Rule
These rules can be applied to all responses, as well as just to specific subgraphs, and used to manipulate and propagate response headers from subgraphs to the client. By configuring the rule, users can define how headers should be handled when multiple subgraphs provide conflicting values for a specific header.Example YAML config:
Storage Providers
Storage providers allow you to configure different backends for persisted operations, router execution config and MCP operations.Example YAML config:
Storage Provider Types
File System Storage Provider
This provider allows you to load files from the local file system. This is particularly useful for the MCP server to load GraphQL operations.The file system storage provider is currently only supported by the MCP
feature. It cannot be used for persisted operations or execution
configurations.
Redis Storage Provider
Used for distributed caching like automatic persisted queries.S3 Storage Provider
For storing operations and configs in S3-compatible storage.CDN Provider
For connecting to the Cosmo CDN.Persisted Operations
The configuration for the persisted operations allows you to maintain a fixed set of GraphQL operations that can be queried against the router without exposing your entire graph to the public. This approach enhances security and performance.Example YAML config:
Persisted Operations Configuration Options
These rules apply to requests being made from the Router to all Subgraphs.Automatic Persisted Queries
The configuration for automatic persisted queries allows you to enable automated caching of select GraphQL operations that can be queried against the router, using both POST and GET requests. This approach enhances performance. It defaults to using a local cache (with the size defined incache.size), but users can optionally use a Redis storage
Example YAML config:
Configuration Options
These rules apply to requests being made from the Router to all Subgraphs.Execution Config
The configuration for the execution setup contains instructions for the router to plan and execute your GraphQL operations. You can specify the storage provider from which the configuration should be fetched.Example YAML config:
config.yaml
config.yaml
Execution config options
Traffic Shaping
Configure rules for traffic shaping like maximum request body size, timeouts, retry behavior, etc. For more info, check this section in the docs: Traffic shapingExample YAML config:
Subgraph Request Rules
These rules apply to requests being made from the Router to all Subgraphs.Subgraph specific request rules
In addition to the general traffic shaping rules, we also allow users to set subgraph specific timeout options, overriding the default traffic rules defined inall(if present)
Jitter Retry
Client Request Request Rules
These rules apply to requests being made from clients to the Router.WebSocket
Configure WebSocket handlers, protocols, and more.WebSocket Configuration
Absinthe Protocol Configuration
Legacy WebSocket clients that use the Absinthe protocol might not be able to send a Subprotocol Header. For such clients, you can use the Absinthe Endpoint which automatically chooses the Subprotocol for them so that no Subprotocol Header needs to be set.WebSocket Authentication
It’s possible that Authentication for a WebSocket connection is not possible at the HTTP layer. In such a case, you can enable Authentication “from_initial_payload”. This will extract a value from the “initial_payload” field in the first WebSocket message which is responsible for negotiating the protocol between client and server. In addition, it’s possible to export the extracted value into a Request Header, which allows the Router to propagate it using Header Propagation Rules in subsequent Subgraph Requests.WebSocket Client Info Configuration
Configure how to extract client info from the initial WebSocket payload. This allows you to set client name and version information from the initial connection payload, which can then be forwarded to request headers if needed.Example WebSocket YAML config:
Authentication
Configure different authentication providers.New Authentication Config (Router Version ≥ 0.169.0)
JWKS
JWT
Header Sources
Example YAML config V2:
Old Authentication Config (Router Version < 0.XXX.X)
Provider
JWK Provider
Example YAML config:
Authorization
Example YAML config:
CDN
Example YAML config:
Events
The Events section lets you define Event Sources for Event-Driven Federated Subscriptions (EDFS). We support NATS and Kafka as event bus provider.Provider
NATS Provider
Kafka Provider
Nats Provider
Router Engine Configuration
Configure the GraphQL Execution Engine of the Router.Example YAML config:
Debug Configuration
Example YAML config:
Rate Limiting
Configures a rate limiter on the outgoing subgraphs requests. When enabled, a rate of 10 req/s with a burst of 10 requests is configured.The rate limiter requires Redis version 3.2 or newer since it relies on
replicate_commands
feature. ElastiCache for Redis only works in non-clustered mode. You can
enable a failover instance to achieve high availability.
Key Suffix Expression
As you can see in the config table below, you can define an expression to generate the a rate limiting key suffix. The evaluation of the expression must return a string, which will be appended to the key prefix. Using a key suffix expression, you’re able to dynamically choose a rate limiting key, e.g. based on the user authentication, a header, or a combination. Here’s an example expression that uses thesub claim if available, and a Header as the fallback.
General Rate Limiting Configuration
Rate Limiting Redis Storage
Rate Limiting Simple Strategy
Rate Limit Error Extension Code
Rate Limiting Example YAML configuration
Subgraph Error Propagation
The configuration for the subgraph error propagation. Errors can be exposed to the client in a “wrapped” form to hide Subgraph internals, or it’s possible to “pass-through” Subgraph errors directly to the client.Example YAML configuration:
Security
The configuration for the security. The security is used to configure the security settings for the Router.Example YAML Configuration
Complexity Calculation Cache
The configuration for the in-memory complexity cache, to help speed up the calculation process in the event of a recurring queryComplexity Limits
The configuration for adding a complexity limits for queries. We currently expose 4 limits:- Query Depth - How many nested levels you can have in a query. This limit prevents infinite querying, and also limits the size of the data returned.
- Total Fields in Query
- Root Fields in Query
- Root Field Aliases in Query
enabled isn’t true, the limit isn’t applied. All of them have the same configuration fields:
File Upload
The configuration for file upload. Configure whether it should be enabled along with file size and number of files.Example YAML Configuration
Client Header
The configuration for custom names for client name and client version headers.Example YAML Configuration
Graphql-Client-Name , Graphql-Client-Version, Apollo-Graphql-Client-Name, Apollo-Graphql-Client-Version.
The custom names are given more precedence.
Apollo Compatibility Flags
This configuration is used to enable full compatibility with Apollo Federation, Apollo Gateway and Apollo Router, you can enable certain compatibility flags, allowing you to use Cosmo Router as a drop-in replacement for Apollo.Apollo Compatibility Value Completion
Invalid __typename values will be returned in extensions.valueCompletion instead of errors.Apollo Compatibility Truncate Floats
Truncate floats like 1.0 to 1, 2.0 to 2, etc.. Values like 1.1 or 2.2 will not be truncated.Apollo Compatibility Suppress Fetch Errors
Suppresses fetch errors. When enabled, only the ‘data’ object is returned, suppressing errors. If disabled, fetch errors are included in the ‘errors’ array.Apollo Compatibility Replace Undefined Op Field Errors
Produces the same error message as Apollo when an invalid operation field is included in an operation selection set. Extension code: “GRAPHQL_VALIDATION_FAILED” Status code: 400Apollo Compatibility Replace Invalid Var Errors
Produces the same error message as Apollo when an invalid variable is supplied. Extension code: “BAD_USER_INPUT”Apollo Compatibility Replace Validation Error Status
Produces the same error status as Apollo when validation fails. Error status: 400 Bad Request Minimum router version: 0.175.0Example YAML Configuration
Apollo Router Compatibility Flags
Apollo Router Compatibility Flags can be enabled alongside Apollo
Compatibility Flags, but some will override their counterpart’s functionality.
This means you can safely use
enable_all: true alongside these flags.