docs(router): TLS Support #94
Merged
Agent-Logs-Url: https://github.com/graphql-hive/docs/sessions/2a78286b-923b-434b-9926-6a4b74b41842 Co-authored-by: ardatan <20847995+ardatan@users.noreply.github.com>
…fic_shaping.mdx Agent-Logs-Url: https://github.com/graphql-hive/docs/sessions/ee9f550d-537c-4286-8472-9f1aa79e222b Co-authored-by: ardatan <20847995+ardatan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/graphql-hive/docs/sessions/10e496a1-75e1-449c-a873-60a9d2c1fc7b Co-authored-by: ardatan <20847995+ardatan@users.noreply.github.com>
…s pages Agent-Logs-Url: https://github.com/graphql-hive/docs/sessions/25db3e1a-1457-468f-9c33-65757317f84a Co-authored-by: ardatan <20847995+ardatan@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
ardatan
April 17, 2026 13:07
Pull request overview
Adds TLS/mTLS documentation for Hive Router and connects it to existing WebSocket and configuration docs.
Changes:
- Added a new “TLS & mTLS” security page covering inbound (client→router) and outbound (router→subgraphs) TLS configuration.
- Updated WebSockets docs to clarify `wss://` usage when inbound TLS is enabled.
- Expanded `traffic_shaping` configuration reference with inbound `router.tls` and outbound `tls` sections, plus a warning callout for insecure verification bypass.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/documentation/content/docs/router/subscriptions/websockets.mdx | Adds a TLS/wss:// note and example for WebSocket clients. |
| packages/documentation/content/docs/router/security/tls.mdx | Introduces a new TLS & mTLS documentation page with examples and operational guidance. |
| packages/documentation/content/docs/router/security/meta.json | Adds the new TLS page to the security docs navigation. |
| packages/documentation/content/docs/router/configuration/traffic_shaping.mdx | Documents inbound router.tls and outbound subgraph tls configuration options and warnings. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ckets.mdx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
kamilkisiela
pushed a commit
to graphql-hive/router
that referenced
this pull request
Apr 17, 2026
Ref ROUTER-100
Ref ROUTER-118
Closes #340
Documentation graphql-hive/docs#94

# TLS Support

Adds TLS support to Hive Router for both client and subgraph connections, including mutual TLS (mTLS) authentication. This allows secure communication between clients, the router, and subgraphs by encrypting data in transit and optionally verifying identities.

## TLS Directions

TLS Support has implementations for the following 4 directions:

### Router -> Client - Regular TLS

Router has an `identity` (`cert`, `key`), and client has `cert`, then Client validates the router's `identity`

### Client -> Router - mTLS

Router has the `cert`, client has the `identity`, mTLS/Client Auth then the router validates the client's `identity`

### Subgraph -> Router - Regular TLS

Subgraph has the `identity` (`cert`, `key`), and router has `cert`, then Router validates the subgraph's `identity`.

### Router -> Subgraph - mTLS

Subgraph has the `cert`, router (which is the client this time) has the `identity`, then subgraph validates the router's `identity`.

## TLS Directions Diagram

```mermaid
flowchart LR
  Client["Client"]
  Router["Router"]
  Subgraph["Subgraph"]

  %% Router -> Client: Regular TLS
  Router -- "TLS\n(cert_file + key_file)" --> Client
  Client -. "validates router identity\n(cert_file)" .-> Router

  %% Client -> Router: mTLS / Client Auth
  Client -- "mTLS\n(client identity)" --> Router
  Router -. "validates client identity\n(client_auth.cert_file)" .-> Client

  %% Subgraph -> Router: Regular TLS
  Subgraph -- "TLS\n(cert_file)" --> Router
  Router -. "validates subgraph identity\n(all/subgraphs.cert_file)" .-> Subgraph

  %% Router -> Subgraph: mTLS
  Router -- "mTLS\n(client_auth.cert_file + key_file)" --> Subgraph
  Subgraph -. "validates router identity\n(cert_file)" .-> Router
```

## Configuration Structure

```yaml
traffic_shaping:
  router:
    key_file: # Router server private key
    cert_file: # Router server certificate(s)
    client_auth: # mTLS: Client -> Router
      cert_file: # Trusted client CA certificate(s)
  all: # Default TLS for all subgraph connections
    cert_file: # Trusted subgraph CA certificate(s)
    client_auth: # mTLS: Router -> Subgraph
      cert_file: # Router client certificate(s)
      key_file: # Router client private key
  subgraphs:
    SUBGRAPH_NAME: # Per-subgraph TLS override
      cert_file: # Trusted subgraph CA certificate(s)
      client_auth: # mTLS: Router -> Subgraph
        cert_file: # Router client certificate(s)
        key_file: # Router client private key
```

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: theguild-bot <bot@the-guild.dev>
dotansimha
approved these changes
Apr 20, 2026
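As an added example (not part of this pull request or of Hive Router's code), the configuration structure in the referenced commit message can be checked before deployment: this sketch maps a parsed `traffic_shaping` block onto the inbound and outbound directions and flags incomplete identities. The key names come from the commit message; `audit_tls`, the sample file names, and the rule that a per-subgraph block replaces `all` as a whole are assumptions.

```python
# Added example, not Hive Router code. Key names follow the commit message;
# the override rule and the wording of the findings are assumptions.

def _pair(section):
    """(has cert_file, has key_file) for a section that may be missing."""
    section = section or {}
    return bool(section.get("cert_file")), bool(section.get("key_file"))

def audit_tls(traffic_shaping, subgraph_names):
    """Return (report, findings) for inbound and per-subgraph outbound TLS."""
    findings, report = [], {}
    router = traffic_shaping.get("router") or {}
    cert, key = _pair(router)
    if cert != key:
        findings.append("router: cert_file and key_file must be set together")
    inbound = cert and key
    client_ca, _ = _pair(router.get("client_auth"))
    if client_ca and not inbound:
        findings.append("router: client_auth set without a server identity")
    report["router"] = {"tls": inbound, "mtls": inbound and client_ca}

    default = traffic_shaping.get("all") or {}
    overrides = traffic_shaping.get("subgraphs") or {}
    for name in subgraph_names:
        # Assumption: a per-subgraph block replaces `all` as a whole.
        section = overrides.get(name) or default
        trust, _ = _pair(section)
        id_cert, id_key = _pair(section.get("client_auth"))
        if id_cert != id_key:
            findings.append(f"{name}: client_auth needs cert_file and key_file")
        if name in overrides and default.get("client_auth") and not section.get("client_auth"):
            findings.append(f"{name}: override omits client_auth defined in all")
        report[name] = {"custom_ca": trust, "mtls": id_cert and id_key}
    return report, findings

# Constructed sample config (paths are placeholders, nothing is read from disk).
SAMPLE = {
    "router": {"cert_file": "server.pem", "key_file": "server.key",
               "client_auth": {"cert_file": "clients-ca.pem"}},
    "all": {"cert_file": "subgraphs-ca.pem",
            "client_auth": {"cert_file": "router.pem", "key_file": "router.key"}},
    "subgraphs": {"billing": {"cert_file": "billing-ca.pem"},
                  "search": {"client_auth": {"cert_file": "router.pem"}}},
}

if __name__ == "__main__":
    report, findings = audit_tls(SAMPLE, ["users", "billing", "search"])
    for line in findings:
        print("finding:", line)
```

Whether the router merges a per-subgraph block with `all` or replaces it is not stated on this page, so the override finding is a prompt to confirm the intended behaviour rather than a statement of it.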
Copilot AI
added a commit
to graphql-hive/router
that referenced
this pull request
May 5, 2026
Documentation for graphql-hive/router#810
Ref ROUTER-289