View on npm npm downloads Dependencies Build Status codecov NSP StatusKnown Vulnerabilities FOSSA Status

bunjil.js.org | Getting Started

Bunjil is a public facing GraphQL server.

It comes with Policy Based authorization, and hook for your own authentication (Passport.js, Auth0, database).

It’s purpose is to allow the stitching of one or more private GraphQL Schemas into a public one.


  • Documentation
  • Merge multiple GraphQL schemas into one public schema
  • Ability to hide Types
  • Ability to hide fields (masking)
  • Policy based authorization down to the field/edge level
  • Ability to deny access to fields based on roles with a policy
  • Caching, and caching policies down to the field level
  • Authentication hook
  • Authorization hook

Getting Started

yarn add bunjil

npm install bunjil

// Import Bunjil and the Policy Types
import { Bunjil, Policy, PolicyCondition, PolicyEffect } from "bunjil";

// Create a schema

const typeDefs: string = `
  type User {
    id: ID
    name: String
    password: String
    posts(limit: Int): [Post]

  type Post {
    id: ID
    title: String
    views: Int
    author: User

  type Query {
    author(id: ID): User
    topPosts(limit: Int): [Post]

// Resolvers are not shown in this example.
const schema = makeExecutableSchema({

// Create a simple policy allowing public access to the data
const policies: Policy[] = [
        id: "public:read-all",
        resources: ["Query::topPosts", "Post::*", "User::*"],
        actions: ["query"],
        effect: PolicyEffect.Allow,
        roles: ["*"],
        // Explicitly deny access to the password field.
        // This will superseed any other policy
        id: "deny:user::password",
        resources: ["User::password"],
        actions: ["query"],
        effect: PolicyEffect.Deny,
        roles: ["*"],

// Create our bunjil server
const bunjil: Bunjil = new Bunjil({
    // Server config
    server: {
        port: 3000,
        tracing: true,
        cacheControl: true,
    // Optionally in DEV you can enable the GraphQL playground
    playgroundOptions: {
        enabled: false,
    // Set the endpoints where GraphQL is available at
    endpoints: {
        graphQL: "/graphql",
        subscriptions: "/graphql/subscriptions",
        playground: "/playground",

// Add our schema to the Bunjil instance
bunjil.addSchema({ schemas: [schema] });

// Now start Bunjil
await bunjil.start();


Running the tests

Use yarn test or npm run test.

Tests are written with ava, and we would strongly like tests with any new functionality.


Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.


We use SemVer for versioning. For the versions available, see the tags on this repository.



FOSSA Status

This project is licensed under the MIT License - see the LICENSE.md file for details



A GraphQL bastion server with schema merging, authentication and authorization with Policy Based Access Control

Bunjil Info

⭐ Stars 24
πŸ”— Homepage bunjil.js.org
πŸ”— Source Code github.com
πŸ•’ Last Update 2 years ago
πŸ•’ Created 4 years ago
🐞 Open Issues 28
βž— Star-Issue Ratio 1
😎 Author ojkelly