AppTrust OneModel GraphQL
Reference for JFrog AppTrust GraphQL
Using JFrog OneModel GraphQL, you can create a single query to retrieve information from different services and REST API endpoints in the JFrog Platform, returning only the fields you need.
The AppTrust GraphQL API exposes data about your AppTrust applications, application versions, promotions, sources, and bound package versions. It follows the JFrog OneModel GraphQL conventions and supports filtering, ordering, and cursor-based pagination.
Prerequisites
- Requires Artifactory version 7.104.1 or later
- JFrog AppTrust installed and running
You can also issue queries from the JFrog Platform GraphQL Playground at Integrations > GraphQL Playground, where AppTrust queries appear under Query > ApplicationsQueries.
AppTrust Queries
All AppTrust queries are located under the applications field on Query (i.e. Query.applications: ApplicationsQueries!). The top-level queries are:
- getApplication(key: String!): Application — fetch a single application by its unique key. Returns null with a NOT_FOUND extension code when the application does not exist.
- searchApplications(where: ApplicationWhereInput!, first: Int, after: Cursor, orderBy: ApplicationOrderInput): ApplicationConnection! — paginated search for applications matching the given filter.
- getApplicationsByPackageVersionBindings(packages: [ApplicationPackageVersionBindingInput!]!, limitPerPackage: Int): [ApplicationsByPackageVersionBindingResult!]! — for each input package (with optional version), return the applications bound to it (capped per package).
- getApplicationVersion(applicationKey: String!, version: String!): ApplicationVersion — fetch a single application version. Returns null with a NOT_FOUND extension code when missing.
- searchApplicationVersions(where: ApplicationVersionWhereInput, first: Int, after: Cursor): ApplicationVersionConnection! — search application versions across one application or one project (must specify applicationKey XOR projectKey), optionally narrowed by artifact identity.
In the Playground, you will see them grouped under ApplicationsQueries.
Documentation
The detailed documentation of the AppTrust Queries appears in the Playground with the queries. In addition, this document provides:
- General information that applies to all of the queries
- A sample procedure for creating and running a query in the Playground
- Detailed samples of requests and responses
Create and Run a Query
To create and run a query:
- In the JFrog Platform, go to Integrations > GraphQL Playground > Query > ApplicationsQueries.
- If this is the first time you are creating a query, read the text in the query panel, then delete it.
- Enter the text of your query as shown in the simple example below. The query asks for the display name and description of a specific application which is identified by its application key.
query {
applications {
getApplication(key: "green-burger") {
displayName
description
}
}
}- Click the arrow on the top right of the query panel. The response will appear to the right.
{
"data": {
"applications": {
"getApplication": {
"displayName": "Green Burger Application",
"description": "Burger ordering application"
}
}
}
}Additional Sample Queries
The examples below demonstrate every top-level query and every nested connection on the AppTrust GraphQL surface. They are derived from an AppTrust integration test suite and reflect realistic field shapes.
A. getApplication
A1. Fetch an application by key (minimal)
query {
applications {
getApplication(key: "green-burger") {
key
displayName
criticality
}
}
}Response
{
"data": {
"applications": {
"getApplication": {
"key": "green-burger",
"displayName": "Green Burger Application",
"criticality": "critical"
}
}
}
}A2. Fetch an application with all top-level fields
query {
applications {
getApplication(key: "green-burger") {
key
projectKey
displayName
description
criticality
maturityLevel
owners {
name
type
}
labels {
key
value
}
}
}
}Response
{
"data": {
"applications": {
"getApplication": {
"key": "green-burger",
"projectKey": "apptrust-demos",
"displayName": "Green Burger Application",
"description": "Burger ordering application",
"criticality": "medium",
"maturityLevel": "production",
"owners": [
{ "name": "alice", "type": "USER" },
{ "name": "platform-team", "type": "GROUP" }
],
"labels": [
{ "key": "environment", "value": "production" },
{ "key": "team", "value": "ordering" }
]
}
}
}
}Note: internal-realm labels (those used by AppTrust internals such as lifecycle.*) are filtered out of labels. Only user-facing labels are returned.
B. searchApplications
B1. Search by name substring with ordering
query {
applications {
searchApplications(
where: { nameContains: "Burger" }
orderBy: { field: NAME, direction: ASC }
) {
edges {
node {
key
displayName
}
}
totalCount
}
}
}B2. Filter by criticality and maturity level
criticality and criticalityIn are mutually exclusive; same for maturityLevel and maturityLevelIn.
query {
applications {
searchApplications(
where: {
criticalityIn: ["medium", "critical"]
maturityLevelIn: ["experimental", "end_of_life"]
}
) {
edges {
node {
key
displayName
criticality
maturityLevel
}
}
totalCount
}
}
}B3. Filter by label and owner
query {
applications {
searchApplications(
where: {
hasLabelsWith: { key: "environment", value: "production" }
hasOwnersWith: { name: "alice", type: USER }
}
) {
edges {
node {
key
displayName
owners { name type }
labels { key value }
}
}
}
}
}B4. Compound owner / label filters with and and or
and and orquery {
applications {
searchApplications(
where: {
hasOwnersWith: {
and: [
{ name: "alice", type: USER }
{ name: "platform-team", type: GROUP }
]
}
hasLabelsWith: {
and: [
{ key: "environment", value: "production" }
{ key: "tier", value: "tier-1" }
]
}
}
) {
edges { node { key displayName } }
}
}
}B5. Filter by bound package version
query {
applications {
searchApplications(
where: {
hasPackageVersionWith: { type: "npm", name: "colors", version: "1.4.0" }
}
) {
edges {
node {
key
displayName
}
}
}
}
}B6. Pagination — request page 1, then page 2 using endCursor
endCursorquery {
applications {
searchApplications(where: {}, first: 25) {
edges {
node { key displayName }
cursor
}
pageInfo {
hasNextPage
endCursor
}
totalCount
}
}
}Use the returned pageInfo.endCursor as the after argument on the next request:
query {
applications {
searchApplications(where: {}, first: 25, after: "<endCursor from previous page>") {
edges { node { key } cursor }
pageInfo { hasNextPage endCursor }
}
}
}B7. Invalid input examples
first: -1→INVALID_INPUT(first must be non-negative).first: 251onsearchApplications→INVALID_INPUT(above max of 250).after: "not-a-real-cursor"→INVALID_INPUT(invalid cursor).- Combining
criticalityandcriticalityInin the samewhere→INVALID_INPUT.
C. Application.packageVersionsConnection
C1. Page through bound package versions with VCS info
query {
applications {
getApplication(key: "green-burger") {
key
packageVersionsConnection(first: 25) {
edges {
node {
type
name
version
vcsCommit {
revision
vcsUrl
branch
}
}
cursor
}
pageInfo {
hasNextPage
hasPreviousPage
startCursor
endCursor
}
totalCount
}
}
}
}C2. Filter by package type
query {
applications {
getApplication(key: "green-burger") {
packageVersionsConnection(where: { type: "npm" }, first: 50) {
edges { node { type name version } }
totalCount
}
}
}
}D. Application.versionsConnection
D1. Filter by tag
query {
applications {
getApplication(key: "green-burger") {
versionsConnection(where: { tag: "release-2026Q1" }) {
edges { node { version tag } }
}
}
}
}D2. Filter by release status
query {
applications {
getApplication(key: "green-burger") {
versionsConnection(where: { releaseStatus: "RELEASED" }) {
edges {
node {
version
releaseStatus
currentStageName
}
}
}
}
}
}D3. Order by version using semver, descending
query {
applications {
getApplication(key: "green-burger") {
versionsConnection(
first: 10
orderBy: { field: VERSION, direction: DESC, versionSortType: SEMVER }
) {
edges { node { version createdAt } }
}
}
}
}With versionSortType: SEMVER, the after cursor argument is not supported. Use LEXICOGRAPHIC if you need cursor-based pagination across pages.
E. getApplicationVersion
E1. Full version graph (status, releasables, sources, evidence)
query {
applications {
getApplicationVersion(applicationKey: "green-burger", version: "1.0.0") {
application { key }
version
tag
createdBy
createdAt
status
releaseStatus
currentStageName
messages { text }
evidenceSubject { fullPath }
releasables {
releasablesCount
artifactsCount
totalSize
sources {
sourceType
... on ApplicationVersionSourceBuild {
name
number
startedAt
repositoryKey
}
... on ApplicationVersionSourceReleaseBundle {
name
version
repositoryKey
}
}
releasablesConnection {
edges {
node {
name
version
packageType
releasableType
sha256
totalSize
artifacts {
filePath
downloadPath
sha256
size
evidenceSubject { fullPath }
}
sources {
sourceType
... on ApplicationVersionSourceBuild { name number repositoryKey }
... on ApplicationVersionSourceReleaseBundle { name version repositoryKey }
... on ApplicationVersionSourceApplicationVersion { applicationKey version }
}
}
cursor
}
totalCount
pageInfo { hasNextPage endCursor }
}
}
}
}
}E2. Filter releasables by package type
query {
applications {
getApplicationVersion(applicationKey: "green-burger", version: "1.0.0") {
releasables {
releasablesConnection(where: { packageTypeIn: ["npm", "maven"] }) {
edges { node { name version packageType } }
totalCount
}
}
}
}
}E3. Get VCS commit info for a package-version releasable
query {
applications {
getApplicationVersion(applicationKey: "green-burger", version: "1.0.0") {
releasables {
releasablesConnection {
edges {
node {
name
version
packageType
releasableType
vcsCommit { revision vcsUrl branch }
}
}
}
}
}
}
}Response
{
"data": {
"applications": {
"getApplicationVersion": {
"releasables": {
"releasablesConnection": {
"edges": [
{
"node": {
"name": "colors",
"version": "1.4.0",
"packageType": "npm",
"releasableType": "package_version",
"vcsCommit": {
"revision": "abc123def456789",
"vcsUrl": "https://github.com/example/colors.git",
"branch": "main"
}
}
}
]
}
}
}
}
}
}E4. Resolve the federated packageVersionLocation
packageVersionLocationpackageVersionLocation is resolved by the OneModel Packages service. It is null when the field is not requested or when the location cannot be determined (e.g. a non-package releasable, or before any promotion sets a stored location).
query {
applications {
getApplicationVersion(applicationKey: "green-burger", version: "1.0.0") {
releasables {
releasablesConnection {
edges {
node {
name
version
packageType
packageVersionLocation {
repositoryKey
packageVersion {
package { type name }
version
}
}
}
}
}
}
}
}
}E5. Top-level ApplicationVersion.sources (all four implementations)
ApplicationVersion.sources (all four implementations)query {
applications {
getApplicationVersion(applicationKey: "green-burger", version: "1.0.0") {
sources {
sourceType
... on ApplicationVersionSourceBuild {
name
number
startedAt
repositoryKey
evidenceSubject { fullPath }
}
... on ApplicationVersionSourceReleaseBundle {
name
version
repositoryKey
evidenceSubject { fullPath }
}
... on ApplicationVersionSourceApplicationVersion {
applicationKey
version
evidenceSubject { fullPath }
}
... on ApplicationVersionSourceDirect {
sourceType
}
}
}
}
}E6. NOT_FOUND example
query {
applications {
getApplicationVersion(applicationKey: "green-burger", version: "9.9.9") {
version
}
}
}Response
{
"data": {
"applications": {
"getApplicationVersion": null
}
},
"errors": [
{
"message": "No application version was found for key 'green-burger' and version '9.9.9'",
"path": ["applications", "getApplicationVersion"],
"extensions": { "code": "NOT_FOUND" }
}
]
}F. ApplicationVersion.promotionsConnection
F1. List promotions with their artifacts and evidence
query {
applications {
getApplicationVersion(applicationKey: "green-burger", version: "1.0.0") {
version
releaseStatus
currentStageName
promotionsConnection {
edges {
node {
sourceStageName
targetStageName
createdBy
createdAt
status
artifacts {
repositoryKey
path
sha256
packageType
packageName
packageVersion
evidenceSubject { fullPath }
}
messages { text }
}
cursor
}
pageInfo { hasNextPage endCursor }
totalCount
}
}
}
}Response
{
"data": {
"applications": {
"getApplicationVersion": {
"version": "1.0.0",
"releaseStatus": "PRE_RELEASE",
"currentStageName": "DEV",
"promotionsConnection": {
"edges": [
{
"node": {
"sourceStageName": "",
"targetStageName": "DEV",
"createdBy": "admin",
"createdAt": "2026-05-06T10:15:30.000Z",
"status": "COMPLETED",
"artifacts": [
{
"repositoryKey": "apptrust-demos-npm-local",
"path": "colors/1.4.0/colors-1.4.0.tgz",
"sha256": "b50eb83eda7cc37519809e240338fded8e625169945bbfe6d4156445c6610498",
"packageType": "npm",
"packageName": "colors",
"packageVersion": "1.4.0",
"evidenceSubject": {
"fullPath": "apptrust-demos-npm-local/colors/1.4.0/colors-1.4.0.tgz"
}
}
],
"messages": []
},
"cursor": "..."
}
],
"totalCount": 1
}
}
}
}
}The first promotion in a chain has an empty sourceStageName (no prior stage).
G. getApplicationsByPackageVersionBindings
G1. Match by package without a version (any version qualifies)
query {
applications {
getApplicationsByPackageVersionBindings(
packages: [
{ type: "npm", name: "colors" }
{ type: "maven", name: "spring-boot" }
{ type: "nuget", name: "Newtonsoft.Json" }
]
limitPerPackage: 3
) {
package { type name version }
applications {
key
displayName
criticality
}
}
}
}G2. Match by exact package version
query {
applications {
getApplicationsByPackageVersionBindings(
packages: [
{ type: "npm", name: "colors", version: "1.4.0" }
{ type: "maven", name: "spring-boot", version: "1.0.0" }
]
limitPerPackage: 5
) {
package { type name version }
applications { key displayName }
}
}
}G3. Validation behavior
limitPerPackage: 0is valid — each result returns an emptyapplicationslist.limitPerPackage: -1returnsINVALID_INPUTwith messagelimitPerPackage must be non-negative.
H. searchApplicationVersions
H1. Find versions of one application that contain a given artifact (by SHA-256)
query {
applications {
searchApplicationVersions(
where: {
applicationKey: "green-burger"
hasArtifactWith: {
sha256: "b50eb83eda7cc37519809e240338fded8e625169945bbfe6d4156445c6610498"
}
}
) {
edges {
node {
application { key displayName }
version
releaseStatus
releasables {
releasablesCount
artifactsCount
}
}
}
pageInfo { hasNextPage endCursor }
}
}
}H2. Project-wide search by file path
query {
applications {
searchApplicationVersions(
where: {
projectKey: "apptrust-demos"
hasArtifactWith: { filePath: "colors/1.4.0/colors-1.4.0.tgz" }
}
) {
edges {
node {
application { key }
version
}
}
}
}
}H3. Combined filePath + sha256 (AND semantics)
filePath + sha256 (AND semantics)query {
applications {
searchApplicationVersions(
where: {
projectKey: "apptrust-demos"
hasArtifactWith: {
filePath: "colors/1.4.0/colors-1.4.0.tgz"
sha256: "b50eb83eda7cc37519809e240338fded8e625169945bbfe6d4156445c6610498"
}
}
) {
edges { node { application { key } version } }
}
}
}H4. Constraints
where.applicationKeyandwhere.projectKeyare mutually exclusive — exactly one must be provided.- When
hasArtifactWithis used,totalCountis alwaysnullon the resultingApplicationVersionConnection. UsepageInfo.hasNextPageto drive pagination.