Skip to content
The main framework for using GraphQL in OXID
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Build Status PHP Version Stable Version

This module provides:

  • a basic GraphQL implementation for the OXID eShop
  • authorization and authentication using JWT
  • a query to log you in and get a JWT for further authentication


This assumes you have the OXID eShop (at least OXID-eSales/oxideshop_ce: v6.5.0, which is part of the 6.2.0 compilation) up and running.


$ composer require oxid-esales/graphql-base --no-update
$ composer update

After requiring the module, you need to head over to the OXID eShop admin and activate the GraphQL Base module.

How to use

You can use your favourite GraphQL client to explore the API, if you do not already have one installed, you may use Altair GraphQL Client or you could simply just fire up your terminal and use curl to do a basic check if the GraphQL base module is up and running as epxected. To retrieve a valid token you need to replace the username and password below with valid login credentials.

$ curl http://oxideshop.local/widget.php?cl=graphql \
  -H 'Content-Type: application/json' \
  --data-binary '{"query":"query {token(username: \"admin\", password: \"admin\")}"}'

You should see a response similar to this:


This token is then to be send as your authorization with every request in the HTTP Authorization header like this:

Authorization: Bearer a-very-long-jwt

How to extend

See oxid-esales/graphql-example for an exemplary implementation.


Linting, Syntax and static analysis

$ composer test

Unit tests

  • install this module into a running OXID eShop
  • change the test_config.yml
    • add oe/graphql-base to the partial_module_paths
    • set activate_all_modules to true
$ ./vendor/bin/runtests


Apache HTTP Authorization

php-cgi under Apache does not pass HTTP Basic user/pass to PHP by default. For this workaround to work, add these lines to your .htaccess file:

RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Query String gets swallowed

When you call the API endpoint with a query string, for example /graphql/?lang=1 and that lang parameter gets swallowed by apache, it is due to the missing QSA-RewriteRule-Flag. Find the RewriteRule that looks like this:

RewriteRule ^(graphql/)    widget.php?cl=graphql   [NC,L]

and make it look like this:

RewriteRule ^(graphql/)    widget.php?cl=graphql   [QSA,NC,L]

Composer can not resolve requirements

Composer Problem

If you see something like this when trying to install the module, you tried to install with composer require oxid-esales/graphql-base which is not working correctly because composer will not do downgrades upon composer require.

Build with


GPLv3, see LICENSE file.

You can’t perform that action at this time.