Service Accounts
Introduction
In this tutorial, you'll learn how to configure a JWT or webhook to allow for admin-level access to data in your supergraph. This can be done by passing hard-coded session variables that match the admin role in Hasura DDN.
Before continuing, ensure you have:
- A local Hasura DDN project.
- Either JWT or Webhook mode enabled in your AuthConfig.
Tutorial
Step 1. Create a custom claim
If your AuthConfig uses JWT mode, shape your claims as follows to make an admin-level request:
{
  "https://hasura.io/jwt/claims": {
    "x-hasura-default-role": "admin",
    "x-hasura-allowed-roles": ["admin"]
  }
}
When the token is minted, it will include these hard-coded values, and a request that carries it is treated as an admin-level request to your supergraph.
When designing or implementing an auth server, it is best practice to generate JWTs with different claims for each user role so that each token enables the appropriate data access permissions for that user.
If you're unsure about setting up JWTs with Hasura, check out our tutorials for popular providers.
If your AuthConfig uses Webhook mode, shape the response provided by your webhook as follows to make an admin-level request:
HTTP/1.1 200 OK
Content-Type: application/json

{
  "X-Hasura-Role": "admin"
}
Step 2. Test your permissions
Create a new build of your supergraph:
ddn supergraph build local
Then, in a request, pass a header according to your authentication configuration. You should see all types and fields available to the admin role.
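The following is an added example, not code from the Hasura documentation: it mints a short-lived service-account JWT carrying the admin claims from Step 1, verifies it the way a receiver would, and builds the header for Step 2. It assumes your AuthConfig is set to HS256 with a shared key; the key, the `sub` value, the function names and the `Authorization: Bearer` header are constructed or assumed, so match them to your own configuration.

```python
import base64, hashlib, hmac, json, time

CLAIMS_NS = "https://hasura.io/jwt/claims"  # claims namespace from Step 1
DEMO_SECRET = b"constructed-demo-key-not-for-production!"  # constructed sample key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def mint_service_token(secret, subject, ttl_seconds=300, now=None):
    """Mint a short-lived HS256 JWT carrying the admin claims from Step 1."""
    if len(secret) < 32:  # RFC 7518: HS256 keys must be at least 256 bits
        raise ValueError("HS256 key must be at least 32 bytes")
    issued = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,  # hypothetical service-account name
        "iat": issued,
        "exp": issued + ttl_seconds,  # keep admin tokens short-lived
        CLAIMS_NS: {
            "x-hasura-default-role": "admin",
            "x-hasura-allowed-roles": ["admin"],
        },
    }
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _b64url(_sign(secret, signing_input))

def verify_service_token(token, secret, now=None):
    """Check signature, algorithm and expiry, then return the Hasura claims."""
    head_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    expected = _sign(secret, head_b64 + "." + body_b64)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    payload = json.loads(_b64url_decode(body_b64))
    if payload["exp"] <= int(time.time() if now is None else now):
        raise ValueError("token expired")
    return payload[CLAIMS_NS]

def auth_header(token):
    """Header for Step 2; the header name and Bearer scheme are assumptions."""
    return {"Authorization": "Bearer " + token}
```

Load the real signing key from a secret store rather than source code, and keep the lifetime short, since any holder of this token acts as admin until it expires.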
Wrapping up
In this guide, you learned how to expose all data in your supergraph to the admin role. While this is done by default, you'll need to generate a JWT or include the session variables in your webhook response that will allow the request to act as a service account.
As you continue building out your supergraph, keep in mind that authentication and authorization are crucial components. Always validate your configuration and regularly test your setup to ensure it functions as expected across different roles and environments.
Learn more about permissions and auth
- Permissions with Hasura DDN
- Auth with Hasura DDN