EntityGraphQL
diff --git a/‎docs/docs/authorization.md‎
Lines changed: 29 additions & 0 deletions b/‎docs/docs/authorization.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎src/EntityGraphQL.AspNet/Extensions/AddGraphQLOptions.cs‎
Lines changed: 8 additions & 0 deletions b/‎src/EntityGraphQL.AspNet/Extensions/AddGraphQLOptions.cs‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/EntityGraphQL.AspNet/Extensions/EntityGraphQLAspNetServiceCollectionExtensions.cs‎
Lines changed: 1 addition & 7 deletions b/‎src/EntityGraphQL.AspNet/Extensions/EntityGraphQLAspNetServiceCollectionExtensions.cs‎
Lines changed: 1 addition & 7 deletions
@@ -6,6 +6,35 @@ sidebar_position: 5
 
 You should secure the route where you app/client posts request to in any ASP.NET supports. Given GraphQL works with a schema you likely want to provide authorization within the schema. EntityGraphQL provides support for checking claims on a `ClaimsPrincipal` object.
 
+## Authorization Services
+
+EntityGraphQL supports different authorization service implementations:
+
+- **`RoleBasedAuthorization`** - The default. Checks roles on the `ClaimsPrincipal`. Use when you only need role-based authorization.
+- **`PolicyOrRoleBasedAuthorization`** - Supports both ASP.NET Core policies and roles. This is the default when calling `AddGraphQLSchema()` in `EntityGraphQL.AspNet` if `IAuthorizationService` is available.
+
+### Configuring Authorization Service
+
+When using `AddGraphQLSchema()` in ASP.NET, `PolicyOrRoleBasedAuthorization` is used by default. To use a different authorization service:
+
+```cs
+services.AddGraphQLSchema<DemoContext>(options => {
+    // Use role-based authorization only
+    options.Schema.AuthorizationService = new RoleBasedAuthorization();
+
+    // Or use a custom authorization service
+    options.Schema.AuthorizationService = new MyCustomAuthService();
+});
+```
+
+When creating a schema manually outside of ASP.NET:
+
+```cs
+var schema = new SchemaProvider<DemoContext>(
+    authorizationService: new RoleBasedAuthorization()
+);
+```
+
 ## Passing in the User
 
 First pass in the `ClaimsPrincipal` to the query call
 
@@ -1,5 +1,6 @@
 using System;
 using EntityGraphQL.Schema;
+using Microsoft.AspNetCore.Authorization;
 
 namespace EntityGraphQL.AspNet;
 
@@ -10,6 +11,13 @@ namespace EntityGraphQL.AspNet;
 /// <typeparam name="TSchemaContext">The type of the schema context</typeparam>
 public class AddGraphQLOptions<TSchemaContext>
 {
+    public AddGraphQLOptions(IAuthorizationService? authService)
+    {
+        // Default for asp.net if IAuthorizationService available
+        if (authService != null)
+            Schema.AuthorizationService = new PolicyOrRoleBasedAuthorization(authService);
+    }
+
     /// <summary>
     /// Options that control how SchemaBuilder reflects the object graph to auto-create schema types and fields.
     /// </summary>
 
@@ -45,18 +45,12 @@ public static IServiceCollection AddGraphQLSchema<TSchemaContext>(this IServiceC
         var authService = serviceProvider.GetService<IAuthorizationService>();
         var webHostEnvironment = serviceProvider.GetService<IWebHostEnvironment>();
 
-        var options = new AddGraphQLOptions<TSchemaContext>();
+        var options = new AddGraphQLOptions<TSchemaContext>(authService);
         configure(options);
 
         // Apply environment-based defaults if not explicitly set
         var schemaOptions = options.Schema;
 
-        // If user hasn't configured authorization, use the ASP.NET policy-based authorization
-        if (schemaOptions.AuthorizationService is RoleBasedAuthorization)
-        {
-            schemaOptions.AuthorizationService = new PolicyOrRoleBasedAuthorization(authService);
-        }
-
         // If user hasn't explicitly set IsDevelopment, detect from environment
         // We check if it's still the default value (true) and the environment is not Development
         if (webHostEnvironment != null && !webHostEnvironment.IsEnvironment("Development"))