Authentication & Authorization

In Hasura, access control or authorization is based on roles. Let’s take a look at how this works when the GraphQL engine receives a request:

Authentication and authorization with Hasura

As you can see from this:

  • Authentication is handled outside of Hasura. Hasura delegates authentication and resolution of request headers into session variables to your authentication service (existing or new).

    Your authentication service is required to pass a user’s role information in the form of session variables like X-Hasura-Role, etc. More often than not, you’ll also need to pass user information for your access control use cases, like X-Hasura-User-Id, to build permission rules.

  • For Authorization or Access Control, Hasura helps you define granular role-based access control rules for every field in your GraphQL schema (granular enough to control access to any row or column in your database).

    Hasura uses the role/user information in the session variables and the actual request itself to validate the request against the rules defined by you. If the request/operation is allowed, it generates an SQL query, which includes the row/column-level constraints from the access control rules, and sends it to the database to perform the required operation (fetch the required rows for queries, insert/edit rows for mutations, etc.).

See more details about setting up authentication and access control at:

Learn course

If you’d like to learn about authentication and authorization / access control by following a tutorial, check out our Learn course, Authentication with Hasura.