Schema Discovery for Magento 2 — Safe GraphQL Introspection for Headless
Schema Discovery gives your headless team a clean map of everything Magento 2's GraphQL can do. A single query returns all available queries and mutations with their arguments, read straight from the schema definition — so developers and AI tools can see the full API surface without trawling so…
You can't build against an API you can't see
Magento's GraphQL is huge, and every module you add — including this suite — extends it further. When a developer or an AI coding assistant is wiring up a headless storefront, the first question is always the same: what queries and mutations actually exist here, and what do they take? Answering it usually means grepping through dozens of .graphqls files across core and third-party modules. Schema Discovery answers it in one query — safely.
What you'll use it for
- Onboard a headless build — hand developers the complete, current list of queries and mutations instead of a stale doc.
- Feed AI assistants — let an AI tool read the real API surface so generated GraphQL calls are valid first time.
- Audit what's exposed — see exactly which queries and mutations your installed modules add to the schema.
- Speed up integrations — discover the fields a third-party module registered without opening its source.
How it works
An introspection tool that's safe to ship
Schema introspection is useful to you — and to an attacker. So this one is locked down. It's admin-gated by default, anonymous access is off, and if you want to grant a build pipeline or an AI tool access without an admin session you set a single long shared token (compared safely), nothing weaker. Crucially, it only ever reads the schema definition — the .graphqls SDL that describes the API's shape. It never reads a product, a customer, a config value or a database row, so even when access is granted, there's no data to leak — only the public structure of the API.
Specifications
| Query | schemaDiscovery — lists all GraphQL queries and mutations with arguments |
|---|---|
| Source | Reads the GraphQL schema definition (SDL) only |
| No data access | Never reads products, customers, config or the database |
| Default access | Admin-gated; anonymous access off |
| Token option | Optional long shared token (compared with a constant-time check) |
| Use cases | Headless onboarding, integration discovery, AI tooling, API audit |
| Delivery & licence | Composer install, per-domain licence key, updates via Composer |
Works with
Part of the AgenticEcom suite for Headless & Astro:
The discovery companion to the headless bundles — it lists the very queries they add. Included in the Enterprise bundle and the Astro frontend licences.
Frequently asked questions
What does it return?
A single query lists every available GraphQL query and mutation — across Magento core and all installed modules — together with their arguments, so you can see the whole API surface at a glance.
Is it safe to expose?
It's locked down by default: admin-gated, anonymous access off, with an optional long shared token for trusted automation. And it only reads the schema definition — never products, customers, config or the database — so there's no data to leak.
Why is this useful for AI coding tools?
An AI assistant builds far better GraphQL when it knows exactly what exists. Pointing it at Schema Discovery gives it the real, current API surface, so generated queries and mutations are valid rather than guessed.
Does it read my catalogue or settings?
No. It reads only the GraphQL SDL — the definition of the API's shape. It never accesses product data, customer data, configuration values or the database.
Which Magento and PHP versions are supported?
Magento Open Source 2.4.9 and later 2.4.x, verified on PHP 8.4 and 8.5.