This page describes how to use directives in OGM and which ones were excluded.


The @private directive allows specifying what fields should only be accessible through the OGM. This is a useful feature when in need of hiding fields such as passwords, for example.


"""Instructs @neo4j/graphql to only expose a field through the Neo4j GraphQL OGM."""
directive @private on FIELD_DEFINITION


Given the following type definition:

type User {
    username: String!
    email: String!
    password: String! @private

In your application, you may want to hash passwords and hide them from public viewing. This can be done with a custom resolver, using the OGM, to update and set passwords.

Such a scenario gets more apparent when you want to use the same type definitions to drive a public-facing schema and an OGM. For example:

import { Neo4jGraphQL } from "@neo4j/graphql";
import { OGM } from "@neo4j/graphql-ogm";
import neo4j from "neo4j-driver";

const driver = neo4j.driver(
    neo4j.auth.basic("username", "password")

const typeDefs = `
    type User {
        username: String!
        email: String!
        password: String! @private

// public without password
const neoSchema = new Neo4jGraphQL({ typeDefs, driver });

// private with access to password
const ogm = new OGM({ typeDefs, driver });

Promise.all([neoSchema.getSchema(), ogm.init()]).then(([schema]) => {
    const apolloServer = new ApolloServer({ schema });

Excluded directives

The following directives are excluded from the OGM’s schema:

  • @authentication

  • @authorization

  • @subscriptionsAuthorization

  • @query

  • @mutation

  • @subscription

  • @filterable

  • @selectable

  • @settable

The reason is that the OGM is only ever used programmatically, as opposed to an exposed API which needs these security measures. See the page on Neo4j GraphQL directives for more information.