Hi, Allen.
The short answer is “yes it is accessible outside … but that’s a good thing”. In fact, you rely on that to make your app used by people all around the world.
Let’s look at:
As you know, Redwood currently has two sides: web and api.
Your web is typically deployed to a CDN (via Netlify Netlify Edge, Vercel, Render, etc) which makes your React (JS) app available on global edge nodes for speedy download to your users’ devices/clients. That’s the bottom row in the above diagram.
The top row is where your api is deployed, which is often AWS or other infra via Netlify, Vercel, Render, or even your own serverful deploy on hardware you manage.
I might be in Boston, Buenos Aires, Budapest, Brazzaville, Baku, Beijing, or Billings and my device is going to pull down the parts of the React app is needs from the closes part of the CDN it can reach anywhere it might be.
Once that client starts talking to the api, though, it is talking to where the API is deployed and say I deployed to Netlify, it’s probably sitting on some AWS machines in northern Virginia USA waiting for requests to come in.
Now, the api is simply a set of serverless functions – or API endpoints out there in the cloud. It’s going to talk to anything that asks it a question, that is formed in a way it can understand – and that you allow it to. More often than not, your data and features are completely public. But, in many cases it isn’t.
This is where securing your API is important. It’s going to be accessible – meaning pretty much any client can reach it, ie make an HTTP request … but that doesn’t mean it has to answer back or answer back nicely. If you don’t let it, it can return a 401 unauthorized (ok as we know GraphQL always responds with a 200 for some bizarro reason but it will also provide an error message).
It’s important to know that the RW GraphQL API is just a serverless function. This is why it is important to use authentication and require auth on the services and resolvers that are sensitive or should only be run by trusted actors. When you use Redwood auth, every GraphQL requests sends up in Authorization headers a Bearer access token that the API side will decode and can use to judge if some action or data is allowed by the user identified by that token.
These trusted actors can be authentication users (w/ or w/out roles and permissions). Or, these actors can be other systems like via Webhooks or even other apps using your API to enhance their experience.
So, TLDR; yes the api is accessible, but that’s to your app’s benefit however you need to be aware of what functions are open and limit their actions to trusted authorized actors.
Redwood will help you do this in a few ways:
Hope this helps and again – making it accessible is a good, even great, even amazing thing – you just need, as with anything you build, to make sure you keep sensitive data or actions behind something that checks if they are trusted.
If you have any questions or concerns, please let me or the Redwood Team know and happy to get on a chat to explain in more detail.