What is a CustomFieldValueRenderer?

A Go interface in the Cosmo Router Custom Modules system. It receives each GraphQL response field with its type and can return any value in place of the original. The router uses the renderer output when building the client response.

How does the router know which renderer to use for a given request?

The `RouterOnRequest` hook runs before execution and can attach a renderer to the request context. You read authentication claims, headers, or any other request data in this hook and select the appropriate renderer.

Which field types can be obfuscated?

String, Int, and Float fields are the primary targets. The renderer receives the GraphQL type name, so you can also target custom scalar types.

Does the response structure change after obfuscation?

No. Field names, nesting, and types are preserved. Only the field values are replaced. A client consuming the schema sees a structurally valid response.

What language do Custom Modules use?

Custom Modules are written in Go and compiled into the Cosmo Router binary. The `CustomFieldValueRenderer` interface and `RouterOnRequest` hook are part of the Custom Modules API.

Is this available on all plans?

Advanced Data Privacy via Custom Modules is available on Pro and Enterprise plans.

Field-Level Data Obfuscation for GraphQL | Cosmo by WunderGraph

The problem

The same API serves users who should see different data

Field-level access control is real work. Doing it in every subgraph is fragile and expensive to maintain.

Different users need different data visibility

A developer debugging a query should not see real customer names or payment data. A data scientist needs realistic data shapes but not the actual PII. The same API serves both.

Subgraph-level masking requires code changes everywhere

Adding field-level obfuscation in each subgraph means touching every service, syncing release cycles, and maintaining that logic as schemas evolve.

AI systems should not read sensitive fields

When GraphQL APIs are exposed to AI models or third-party systems, fields like SSNs, credit card numbers, and medical data must be protected without duplicating the API.

Our solution

Field-level obfuscation at the router

A Custom Module intercepts GraphQL response data before it reaches the client. The renderer replaces field values based on user role or request context. Subgraphs are unaware of the transformation.

How it works

Implement a `CustomFieldValueRenderer` interface in a Cosmo Router Custom Module, written in Go.
The renderer receives each field value with its GraphQL type (String, Int, Float, or custom) and can transform or replace it.
Use the `RouterOnRequest` hook to select different renderers based on authentication claims, user roles, or request headers.
A developer with the "developer" role gets all String fields replaced with "xxx" and numeric fields with placeholders, preserving the response structure.
An AI system identified by a specific header receives placeholder values for any field marked sensitive, while the rest of the response is unaffected.
No subgraph code changes are required. The obfuscation layer lives entirely at the router.

One renderer per role. Zero subgraph changes.

Advanced data privacy

Before & After

Before Cosmo	With Cosmo
Data masking implemented separately in each subgraph	Centralized obfuscation at the router, applied to all subgraphs
Complex authorization logic in every resolver	Role-based obfuscation via authentication claims and request context
Separate data pipelines for AI and analytics access	Same API with dynamic field filtering per request context
Code changes required to add or change privacy rules	Custom Module update without touching subgraph implementations

Custom renderer

Field value renderer interface

func (c *CustomValueRenderer) RenderFieldValue(
  ctx *resolve.Context,
  value resolve.FieldValue,
  out io.Writer,
) error {
  switch value.Type {
  case "String":
    _, err = out.Write([]byte(`"xxx"`))
  case "Int", "Float":
    _, err = out.Write([]byte(`123`))
  default:
    _, err = out.Write(value.Data)
  }
  return err
}

How field-level obfuscation works in Cosmo Router

01

Before the client sees it.

Intercept

The router processes the GraphQL response from subgraphs before sending it to the client. The Custom Module intercepts each field value at this point.

02

Per-request renderer selection.

Identify

The `RouterOnRequest` hook reads authentication claims, user roles, or request headers to determine which renderer to apply for this request.

03

Field-level, type-aware.

Transform

The `CustomFieldValueRenderer` receives each field with its type information and writes the obfuscated value. String fields become "xxx"; numeric fields become placeholder values.

04

Structure intact. Values masked.

Return

The client receives a structurally complete response. Types, field names, and nesting are preserved. Only the values that match the obfuscation rules are replaced.

Privacy capabilities

Fine-grained control at the gateway

One control point. Every subgraph behind it gets the same protection.

Centralized privacy control

Implement obfuscation once at the router. All subgraphs behind it inherit the protection without any code changes.

Role-based obfuscation

Apply different rendering rules per request based on authentication claims, user roles, or any request context your Custom Module can read.

AI-safe API access

Protect sensitive fields when exposing your GraphQL API to AI models or third-party integrations. The model gets realistic response shapes with placeholders for protected fields.

No subgraph changes

Add, change, or remove privacy rules by updating the Custom Module. Subgraph code and schemas stay untouched.

Add field-level privacy to your GraphQL API

Implement a Custom Module renderer. Apply it at the router. Subgraphs stay unchanged.

Start Free Read the Docs

Mask sensitive GraphQL fields by role, without touching subgraphs