[Figure: request flow through the gateway. Labels: client; gateway (query parse · validate, schema ownership, DAG planner, circuit breaker); subgraphs: hr-subgraph (employee data), compliance (status data), payroll (payslip data), personnel (org data); resp. merge (entity stitch, unify · return JSON). Legend: teal = parallel batch 1; amber dashed = batch 2 (dependent).]
1 · Query arrives at the gateway
The client sends a GraphQL query over HTTPS. Caddy terminates TLS and forwards to the gateway port. OnePass validates the JWT bearer token — checking signature, expiry, and RBAC claims — before any subgraph is contacted. An invalid or expired token is rejected here with a 401; the subgraph layer never sees it.
POST /graphql  HTTP/1.1
Authorization: Bearer eyJhbGci...
Content-Type: application/json

{ employee { name payslips { amount } department }
  complianceStatus }
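The checks this step describes (signature, expiry, RBAC claims, rejection before any subgraph call), as an added example using only the Python standard library; it is not OnePass's or the gateway's own code. It assumes HS256 with a shared secret, a `roles` claim, a hypothetical role name `hr:read`, and a 403 for a valid token that lacks the role.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # assumption: HS256 with a shared key
REQUIRED_ROLE = "hr:read"             # assumption: hypothetical RBAC role name

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def mint(claims, key=SECRET, alg="HS256"):
    """Build a constructed test token; stands in for the real issuer."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head + '.' + body, key))}"

def authorize(auth_header, now=None):
    """Return (status, reason); only 200 lets the gateway contact subgraphs."""
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        head, body, sig = auth_header[len("Bearer "):].split(".")
        # Pin the algorithm server-side; the token must not choose it.
        if json.loads(b64d(head)).get("alg") != "HS256":
            return 401, "unexpected alg"
        # Constant-time comparison of the recomputed MAC.
        if not hmac.compare_digest(sign(head + "." + body, SECRET), b64d(sig)):
            return 401, "bad signature"
        claims = json.loads(b64d(body))  # trusted only after the MAC verified
    except (ValueError, TypeError, AttributeError):
        return 401, "malformed token"
    if not isinstance(claims, dict):
        return 401, "malformed token"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return 401, "expired"
    roles = claims.get("roles")
    if not isinstance(roles, list) or REQUIRED_ROLE not in roles:
        return 403, "role missing"    # assumption: page only specifies the 401 case
    return 200, "ok"
```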