Version: v3.x

Enabling Admin and Unauthenticated Requests

Each Hasura DDN project's metadata is generated with an admin role by default, which has access to all models, commands and object types in your supergraph. There is, however, no built-in concept of unauthenticated access to a supergraph. Below, we'll show you how to achieve both when using JWTs with Hasura DDN.

Making admin-level requests

To make an admin-level request, after updating your AuthConfig, shape your claims as follows:

Claims configuration in your authentication service

"https://hasura.io/jwt/claims": {
  "x-hasura-default-role": "admin",
  "x-hasura-allowed-roles": ["admin"]
}

You can now use the JWT generated by your authentication service to make requests as the admin role.

Your JWT claims should be unique for each role

When designing or implementing an auth server, it is crucial to generate JWTs with different claims for each user role so that each token enables the appropriate data access permissions for that user.

Making unauthenticated requests

To make an unauthenticated request (i.e., one that is publicly accessible without any authentication), you'll need to do a few things.

Step 1. Create the claims

In your authentication server, you can provide a claims map that identifies the default role as public. This can be any name you wish, so long as it's not a role (such as admin) that already exists.

JWT claims configuration in your authentication service

"https://hasura.io/jwt/claims": {
  "x-hasura-default-role": "public",
  "x-hasura-allowed-roles": ["public"]
}

Step 2. Update ModelPermissions

For whatever models you'd like to publicly expose, add a ModelPermissions rule for the public role.

Example ModelPermission for an Events Model
kind: ModelPermissions
version: v1
definition:
  modelName: Events
  permissions:
    - role: admin
      select:
        filter: null
    - role: public
      select:
        filter: null

Step 3. Update TypePermissions

Then, determine which types you'd like to publicly expose by updating TypePermissions. Hasura DDN gives you the ability to granularly determine which fields from each Model are available to each role.

Example TypePermissions for an Events Model
kind: TypePermissions
version: v1
definition:
  typeName: Events
  permissions:
    - role: admin
      output:
        allowedFields:
          - id
          - owner_id
          - created_at
          - updated_at
          - is_live
          - title
          - date
          - description
    - role: public
      output:
        allowedFields:
          - id
          - is_live
          - title
          - date
          - description
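Because the public role is reachable by anyone holding a public-claims token, it is worth checking in CI that Steps 2 and 3 together never widen what that role can read. The following is an added example, not part of the Hasura documentation or CLI: it transcribes the two metadata objects above into Python structures (constructed for the example) and lints them, reporting any role whose allowed fields exceed the admin baseline, any select-capable role with no TypePermissions entry, any field from an operator-supplied never-public list that the unauthenticated role can read, and, as an informational finding, that the public role's select filter is null and therefore exposes every row. The function and finding formats are this example's own, not Hasura's.

```python
from typing import Dict, Iterable, List, Set

# The page's ModelPermissions and TypePermissions for the Events model,
# transcribed into Python structures (constructed for this example).
MODEL_PERMISSIONS = {
    "kind": "ModelPermissions",
    "version": "v1",
    "definition": {
        "modelName": "Events",
        "permissions": [
            {"role": "admin", "select": {"filter": None}},
            {"role": "public", "select": {"filter": None}},
        ],
    },
}

TYPE_PERMISSIONS = {
    "kind": "TypePermissions",
    "version": "v1",
    "definition": {
        "typeName": "Events",
        "permissions": [
            {"role": "admin", "output": {"allowedFields": [
                "id", "owner_id", "created_at", "updated_at",
                "is_live", "title", "date", "description"]}},
            {"role": "public", "output": {"allowedFields": [
                "id", "is_live", "title", "date", "description"]}},
        ],
    },
}


def selectable_roles(model_perms: dict) -> Dict[str, dict]:
    """role -> select block, for every role granted select on the model."""
    return {p["role"]: p["select"]
            for p in model_perms["definition"]["permissions"] if "select" in p}


def visible_fields(type_perms: dict) -> Dict[str, Set[str]]:
    """role -> set of output fields the role may read on the object type."""
    return {p["role"]: set(p["output"]["allowedFields"])
            for p in type_perms["definition"]["permissions"] if "output" in p}


def lint_permissions(model_perms: dict, type_perms: dict,
                     baseline_role: str = "admin",
                     unauthenticated_role: str = "public",
                     never_public: Iterable[str] = ()) -> List[str]:
    """Return findings as 'LEVEL: message' strings (hypothetical lint, not a Hasura tool).
    ERROR findings are meant to fail a CI job; INFO findings document accepted exposure."""
    findings: List[str] = []
    model = model_perms["definition"]["modelName"]
    roles = selectable_roles(model_perms)
    fields = visible_fields(type_perms)
    baseline = fields.get(baseline_role, set())

    for role, select in roles.items():
        if role not in fields:
            findings.append(f"ERROR: role {role!r} may select {model} "
                            f"but has no TypePermissions output entry")
        if role == unauthenticated_role and select.get("filter") is None:
            findings.append(f"INFO: role {role!r} selects {model} with filter null, "
                            f"so every row is readable without authentication")

    # No role should read fields the baseline (admin) role itself cannot read.
    for role, allowed in fields.items():
        extra = allowed - baseline
        if role != baseline_role and extra:
            findings.append(f"ERROR: role {role!r} sees fields {baseline_role!r} "
                            f"does not: {sorted(extra)}")

    # Fields the operator has declared must never reach unauthenticated callers.
    leaked = sorted(set(never_public) & fields.get(unauthenticated_role, set()))
    if leaked:
        findings.append(f"ERROR: unauthenticated role {unauthenticated_role!r} exposes {leaked}")
    return findings


def has_errors(findings: Iterable[str]) -> bool:
    return any(f.startswith("ERROR") for f in findings)


if __name__ == "__main__":
    for line in lint_permissions(MODEL_PERMISSIONS, TYPE_PERMISSIONS, never_public=["owner_id"]):
        print(line)
```

Run against the page's own metadata with owner_id on the never-public list, the lint produces a single INFO finding (public rows are unrestricted) and no errors; adding owner_id to the public role's allowedFields turns that into an ERROR, which is the regression the check exists to catch.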

Step 4. Rebuild your supergraph

Once you've updated your metadata files, you can rebuild your supergraph and test it locally.

For example, from the root of your project, run:
ddn supergraph build local \
--supergraph supergraph.yaml \
--env-file .env

Step 5. Make an unauthenticated request

In the basic examples, we're using the BearerAuthorization method. As such, we can make a request to our Hasura DDN instance by including a header with the key-value pair Authorization: Bearer <our-encoded-token-with-the-public-claims>. For testing, you can pass this value in the Hasura DDN console's header section.
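To tie Step 1 and Step 5 (and the admin-level claims above) together, here is an added example of what an authentication service would do on its side; it is not Hasura code and not part of this documentation. It mints an HS256-signed JWT with the Hasura claims namespace for a single role using only the Python standard library, verifies such a token the way a resource server would (signature, fixed algorithm, expiry, and the internal consistency rule that x-hasura-default-role must appear in x-hasura-allowed-roles), and builds the Authorization: Bearer header from Step 5. The shared secret, the function names and the issued-at/expiry handling are this example's assumptions; the secret would have to match the key configured in your AuthConfig.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

HASURA_CLAIMS_NS = "https://hasura.io/jwt/claims"


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hasura_claims(role: str) -> dict:
    """Claims map for exactly one role, as in the page's admin and public examples.
    The default role is the only allowed role, so a token issued for 'public'
    cannot be presented as any other role."""
    return {
        "x-hasura-default-role": role,
        "x-hasura-allowed-roles": [role],
    }


def mint_jwt(role: str, secret: bytes, ttl_seconds: int = 3600,
             now: Optional[int] = None, claims: Optional[dict] = None) -> str:
    """Sign a JWT with HS256 (hypothetical auth service). 'claims' overrides the
    Hasura claims map and exists so the consistency check can be exercised."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iat": now,
        "exp": now + ttl_seconds,
        HASURA_CLAIMS_NS: hasura_claims(role) if claims is None else claims,
    }
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Check signature, algorithm and expiry, then the Hasura claims' consistency.
    Returns the decoded payload; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired or missing exp")
    claims = payload.get(HASURA_CLAIMS_NS)
    if not isinstance(claims, dict):
        raise ValueError("missing Hasura claims namespace")
    default_role = claims.get("x-hasura-default-role")
    allowed = claims.get("x-hasura-allowed-roles")
    if not isinstance(allowed, list) or default_role not in allowed:
        raise ValueError("x-hasura-default-role is not in x-hasura-allowed-roles")
    return payload


def authorization_header(token: str) -> dict:
    """The header from Step 5, ready to pass to urllib or the console's header section."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed sample value, not a real key
    token = mint_jwt("public", secret)
    print(authorization_header(token))
    print(verify_jwt(token, secret)[HASURA_CLAIMS_NS])
```

Minting one token per role, with the allowed-roles list holding only that role, is the concrete form of the "unique claims for each role" advice above; the verifier's consistency check rejects a token whose default role is absent from its allowed roles, and its fixed-algorithm check means the header's alg field is never trusted.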
