API key with restricted scope?
pascal
PROOP

a year ago

Hey guys!

I'm getting started using the Railway public GraphQL API and have some questions so I can use the adequate API key.

1. My understanding is that a Railway "project key" can't be used with the GraphQL API. Only "user keys" and "team keys" can be used for the GraphQL API, and "project keys" are limited to the Railway CLI. Is this correct?

2. Is it possible to create a key that allows authenticating with the GraphQL API, but that is scoped to a single project / environment? Or does any use of the GraphQL API involve using a user key with access to all of the user's projects?

Thanks!

Solved

14 Replies

brody
EMPLOYEE

a year ago

Project keys can absolutely be used by the GQL API, as that's exactly what the CLI is doing... calling the GQL API.




pascal
PROOP

a year ago

I see! Thanks for the info.

There's nothing in your documentation saying the project tokens can't be used with the GraphQL API. It's something I assumed because I noticed the CLI used two distinct env vars (`RAILWAY_TOKEN` vs `RAILWAY_API_TOKEN`) for each token type. The naming made me think a project token is not considered an "API token", and therefore couldn't be used with the public API.

Anyway, so I tried using a project token against the GraphQL API, and I'm getting a `Not Authorized` error. The same query using a user token works as expected.

Here's the query:

{
    service(id: "dd38d648-8883-4ef6-bfd1-2b94cd6c73c0") {
        name
    }
}

Response when authenticating with user key:

{
    "data": {
        "service": {
            "name": "my-service"
        }
    }
}

Response when authenticating with project key:

{
    "errors": [
        {
            "message": "Not Authorized",
            "locations": [
                {
                    "line": 2,
                    "column": 5
                }
            ],
            "path": [
                "service"
            ],
            "extensions": {
                "code": "INTERNAL_SERVER_ERROR"
            },
            "traceId": "9093324820529050768"
        }
    ],
    "data": null
}

This particular service (dd38d648-8883-4ef6-bfd1-2b94cd6c73c0) exists in the same project and environment as the project key I created, so I thought this would work. There must be something I'm missing.

Thanks!




brody
EMPLOYEE

a year ago

How are you passing in the authorization?




pascal
PROOP

a year ago

The same way in both cases, by setting the `Authorization` HTTP header to `Bearer ${myToken}`




brody
EMPLOYEE

a year ago

I'm able to make the request just fine using a project token -

query GetServiceName($id: String!) {
  service(id: $id) {
    name
  }
}

And the variables -

{
  "id": "bc2febff-a726-4d6b-8f90-900234407164"
}

Make sure you have your token scoped to the correct environment in your project, and that you are sending the bearer token as a header correctly.




pascal
PROOP

a year ago

I'm also able to do the same request, targeting the "bc2febff-a726-4d6b-8f90-900234407164" service, while being unauthenticated. I'm getting "MySite - Caddy Proxy" back as the name.
Looks like this service is in a public project? Are you able to do the same with a private project?




brody
EMPLOYEE

a year ago

Yes I am, feel free to use an account token if you are having difficulties.




pascal
PROOP

a year ago

I'd really like to have a scoped token and avoid using an account token if possible. I'm still trying to figure out why project tokens wouldn't work, and I can't spot anything wrong with my setup.

Here's my project token page. As you can see in the URL, this project token is associated to:

  • Project ID 6af2fdbf-d327-4d6c-a690-e29f69f348a1

  • Environment ID 16904e0d-f9e3-4adb-a193-a717746499f4.

Now, if I use the GraphQL API with a user token (which works for me) to find out more about the service I'm targeting, here's what I get back:

Note that the Project ID and Environment ID are the same as noted above. So it seems that my project token is properly scoped for the service I'm targeting.

Yet, I'm still getting Not Authorized errors the moment I start making the very same request using my project token:

I understand that it might be hard for you to reproduce the issue. I don't mind privately sharing my project key if that makes troubleshooting any easier.

Otherwise, maybe are you able to pull more details about the error using that traceId of 2478361968296824329 ?

I'm at a loss for what might be wrong here.




unicodeveloper
PRO

a year ago

We can't reproduce this here. And we don't debug people's individual code. Please use an account token if the project token doesn't work for you.




pascal
PROOP

a year ago

I see!

I ended up finding a solution after troubleshooting this myself by looking at how the CLI does it.

I made two findings, both of which appear to be undocumented:

  1. Project tokens must be set with the `project-access-token` HTTP header, not with `Authorization`.

  2. Project access tokens apparently don't allow querying the service object directly. They do allow querying the project object however, which indirectly gives access to service data.

This works when using a project token:

query GetProjectServiceNames($id: String!) {
  project(id: $id) {
    services {
      edges {
        node {
          name
        }
      }
    }
  }
}

This doesn't (Not Authorized error):

query GetServiceName($id: String!) {
  service(id: $id) {
    name
  }
}

So it looks like project tokens aren't allowed all queries, even when targeting a service within the token's scope.
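The two findings above, turned into a small client, as an added example that is not part of the original thread and not Railway's or the poster's own code. It builds the right header for each token kind (account tokens as `Authorization: Bearer`, project tokens in the `Project-Access-Token` header; HTTP header names are case-insensitive, so this is the same header the post spells in lowercase), runs the `project`-based query that a project token is allowed to make, and classifies the "Not Authorized" error body quoted earlier in the thread so a scope problem is not mistaken for a server bug. The endpoint URL and the `RAILWAY_PROJECT_TOKEN` / `RAILWAY_PROJECT_ID` environment variable names are assumptions, and the sample responses are constructed, not captured.

```python
import json
import urllib.request

# Assumed endpoint of the Railway public GraphQL API (not confirmed by the thread).
GRAPHQL_ENDPOINT = "https://backboard.railway.app/graphql/v2"

# Query the thread found to work with a project token: read services through
# the `project` object instead of querying `service` directly.
PROJECT_SERVICES_QUERY = """
query GetProjectServiceNames($id: String!) {
  project(id: $id) {
    services { edges { node { name } } }
  }
}
"""


def build_headers(token: str, kind: str) -> dict:
    """Headers for one token kind: 'account' (user/team token) or 'project'.

    A project token sent as a Bearer token is exactly what produced the
    "Not Authorized" error in the thread; it belongs in Project-Access-Token.
    Preferring a project token keeps the credential scoped to one
    project/environment instead of every project the account can see.
    """
    headers = {"Content-Type": "application/json"}
    if kind == "account":
        headers["Authorization"] = f"Bearer {token}"
    elif kind == "project":
        headers["Project-Access-Token"] = token
    else:
        raise ValueError(f"unknown token kind: {kind!r}")
    return headers


def classify(body: dict) -> str:
    """Classify a GraphQL response body as 'ok', 'not_authorized' or 'error'.

    The authorization failure is reported inside `errors` with the message
    "Not Authorized" (under extensions.code INTERNAL_SERVER_ERROR), so the
    message, not the code or HTTP status, is what identifies a scope problem.
    """
    errors = body.get("errors") or []
    if not errors:
        return "ok"
    if any(e.get("message") == "Not Authorized" for e in errors):
        return "not_authorized"
    return "error"


def service_names(body: dict) -> list:
    """Sorted service names from a successful GetProjectServiceNames response."""
    if classify(body) != "ok":
        raise RuntimeError(f"query failed: {body.get('errors')}")
    edges = body["data"]["project"]["services"]["edges"]
    return sorted(edge["node"]["name"] for edge in edges)


def run_query(token: str, kind: str, query: str, variables: dict) -> dict:
    """POST a GraphQL query to the (assumed) endpoint and return the JSON body."""
    payload = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        GRAPHQL_ENDPOINT, data=payload, headers=build_headers(token, kind), method="POST"
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from Railway), shaped like the
# two bodies quoted in the thread, so the helpers can be exercised offline.
SAMPLE_OK = {
    "data": {
        "project": {
            "services": {
                "edges": [
                    {"node": {"name": "my-service"}},
                    {"node": {"name": "caddy-proxy"}},
                ]
            }
        }
    }
}

SAMPLE_DENIED = {
    "errors": [
        {
            "message": "Not Authorized",
            "locations": [{"line": 2, "column": 5}],
            "path": ["service"],
            "extensions": {"code": "INTERNAL_SERVER_ERROR"},
        }
    ],
    "data": None,
}


if __name__ == "__main__":
    import os
    # Usage (assumed variable names):
    #   RAILWAY_PROJECT_TOKEN=... RAILWAY_PROJECT_ID=... python railway_project_token.py
    body = run_query(
        os.environ["RAILWAY_PROJECT_TOKEN"], "project",
        PROJECT_SERVICES_QUERY, {"id": os.environ["RAILWAY_PROJECT_ID"]},
    )
    print(classify(body), service_names(body) if classify(body) == "ok" else body["errors"])
```

Running the same script with `kind="account"` and the `service(id:)` query reproduces the thread's first observation (the account token succeeds); switching only the header kind back to `"project"` on that query is the case `classify` reports as `not_authorized`.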




unicodeveloper
PRO

a year ago

Glad you found a solution.




pascal
PROOP

a year ago

If you'd like to update your docs to mention the `project-access-token` header needing to be set, I've opened a PR here.




unicodeveloper
PRO

a year ago

Thanks for sending in the PR, we'll take a look at it.




brody
EMPLOYEE

a year ago

Thank you again for the PR, sorry it took so long for us to get to it, but it's been merged!


Railway
BOT

6 months ago

This thread has been marked as solved automatically due to a lack of recent activity. Please re-open this thread or create a new one if you require further assistance. Thank you!

Status changed to Solved Railway 6 months ago

