Schema Discovery

A headless storefront has to know what its Magento backend can actually do — which extensions are installed, what queries and mutations they add. Schema Discovery answers that programmatically: it scans every module’s GraphQL schema and returns a structured manifest of all queries and mutations (with their arguments, return types and source module), as a GraphQL query or a downloadable JSON — so your Astro frontend can adapt to whatever’s installed instead of hard-coding assumptions.

Schema Discovery — every query and mutation on the instance

Magento

Open Source 2.4.9 GA (and later 2.4.x).

PHP

Tested on 8.4 and 8.5.

Coverage

Native Magento and every installed extension.

Output

GraphQL manifest + downloadable JSON.

For every Query and Mutation field on the instance, the manifest lists its name, return type, arguments (with required-ness), description and source module — and separates extension-provided operations from native Magento ones, with counts of each.

This is the module’s most important property. Enumerating your whole API surface is useful reconnaissance for an attacker, so access is locked down:

Admin by default

The schemaDiscovery query requires an authenticated admin context. Anonymous access is OFF out of the box.

Optional shared token

For a headless build to pull the schema without a login, set a Schema Sync Token (≥32 chars) and pass it as the token argument — compared in constant time. No token, no schema.

Explicit opt-in only

Fully anonymous access exists only if an operator deliberately switches it on in configuration — it is never the default.

Admin download

The Download JSON action is permission-gated, so an operator can always grab the manifest offline even with the public query disabled.
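
The access rules above, combined into one decision function. This is an added PHP example, not the module's own code; the function name, parameter names, constant and sample tokens are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical constant: the page's ">=32 chars" rule for the Schema Sync Token.
const MIN_SYNC_TOKEN_LENGTH = 32;

/**
 * Decide whether a schemaDiscovery request may see the manifest.
 *
 * $isAdmin          request carries an authenticated admin context
 * $anonymousEnabled operator explicitly switched anonymous access on
 * $configuredToken  Schema Sync Token from configuration, if one is set
 * $suppliedToken    value of the query's token argument, if one was passed
 */
function mayDiscoverSchema(
    bool $isAdmin,
    bool $anonymousEnabled,
    ?string $configuredToken,
    ?string $suppliedToken
): bool {
    if ($isAdmin || $anonymousEnabled) {
        return true;
    }
    // A missing or too-short configured token disables the token path entirely,
    // so an empty setting can never "match" an empty argument.
    if ($configuredToken === null || strlen($configuredToken) < MIN_SYNC_TOKEN_LENGTH) {
        return false;
    }
    if ($suppliedToken === null || $suppliedToken === '') {
        return false;
    }
    // hash_equals() does not stop at the first differing byte, so response
    // timing does not reveal how much of a guessed token was correct.
    return hash_equals($configuredToken, $suppliedToken);
}

// Constructed sample values, not real tokens.
$token = str_repeat('a1B2', 8); // 32 characters
$cases = [
    'admin context'           => [true,  false, null,    null],
    'anonymous, defaults'     => [false, false, null,    null],
    'empty token both sides'  => [false, false, '',      ''],
    'short configured token'  => [false, false, 'short', 'short'],
    'valid sync token'        => [false, false, $token,  $token],
    'wrong sync token'        => [false, false, $token,  str_repeat('x', 32)],
    'anonymous opt-in'        => [false, true,  null,    null],
];
foreach ($cases as $label => $args) {
    printf("%-26s %s\n", $label, mayDiscoverSchema(...$args) ? 'allow' : 'deny');
}
```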

Open AgenticEcom → Sync Data → Schema Explorer to see the live counts and a searchable table of every query and mutation, then Download JSON for your build pipeline. (The admin menu entry is labelled Schema Explorer.)

Is my schema exposed to the public?

No — schemaDiscovery requires an admin context by default. A headless frontend can authenticate with a shared sync token (32+ characters, constant-time compared), and fully anonymous access only exists if you explicitly enable it. The secure default is admin-only.

Does it expose my data or database structure?

No — it reads the GraphQL schema definition files modules ship and reports the query/mutation API surface only. No catalogue data, config values or DB schema are ever included.

Why would a headless storefront need this?

So it can adapt to whatever’s installed — discover that BlogPro adds blogPosts, or that a feed module adds its mutations — and enable the matching frontend features automatically, instead of hard-coding which extensions exist.

How does it handle Magento’s tricky core schema files?

It extracts fields directly from the SDL with a brace-tracking parser rather than a strict GraphQL parser, so the dozen core files that use placeholder types or cross-file references don’t break discovery. Verified clean on PHP 8.4 and 8.5.