Skip to main content
Version: v2.x



Authentication is handled outside of Hasura. Hasura delegates authentication and resolution of request headers into session variables to your authentication service (existing or new).

Your authentication service is required to pass a user's role information in the form of session variables like X-Hasura-Role, etc. More often than not, you'll also need to pass user information for your access control use cases, like X-Hasura-User-Id, to build permission rules.

You can also configure Hasura to allow access to unauthenticated users by configuring a specific role which will be set for all unauthenticated requests.

For information about making requests using the Admin Secret header please see here.

Authentication options

Hasura supports two modes of authentication configuration:

1. Webhook

Your auth server exposes a webhook that is used to authenticate all incoming requests to the Hasura GraphQL engine server and to get metadata about the request to evaluate access control rules.

Here's how a GraphQL request is processed in webhook mode:

Authentication using webhooks

2. JWT (JSON Web Token)

Your auth server issues JWTs to your client app, which, when sent as part of the request, are verified and decoded by the GraphQL engine to get metadata about the request to evaluate access control rules.

Here's how a GraphQL query is processed in JWT mode:

Authentication using JWT

See more details at:

Additional Resources

Using the Admin Secret header

Hasura will allow all queries, mutations and subscriptions when you include your X-Hasura-Admin-Secret header on your request. If you also include the X-Hasura-User-Id and X-Hasura-Role headers along with the X-Hasura-Admin-Secret header you can "pretend" to be that user and role.

Without the X-Hasura-Admin-Secret header you will need to authenticate your requests as a user and role with one of the options below.