Skip to main content
Version: v2.x

Unauthenticated / Public Access

It is a common requirement to have requests which are accessible to all users without the need for authentication or logging in.

Once you have configured an admin secret, by default Hasura GraphQL Engine will reject any unauthenticated request it receives.

You can configure the Hasura Engine to allow access to unauthenticated users by defining a specific role which will be used for all unauthenticated requests. Once an unauthenticated role is configured, unauthenticated requests will not be rejected and instead will be handled as the unauthenticated user with the relevant authorization permissions for that role taking effect.

A guide on setting up permissions for the unauthenticated role can be found here.

Risk of session variables with the unauthenticated role

You should not use session variables in the permissions for an unauthenticated role because the source of the session variables cannot be trusted.

Since session variables can be passed using request headers and they are not verified through the JWT or webhook authentication methods or utilize an admin secret, a user can choose to set any values for them and bypass the permissions.

Configuring unauthenticated / public access

You can use the env variable HASURA_GRAPHQL_UNAUTHORIZED_ROLE or the --unauthorized-role flag to define a role for unauthenticated (non-logged in) users. See GraphQL Engine server config reference for more details on setting this flag or environment variable.

No-auth setup

When JWT or webhook modes are not configured, and the request does not contain the admin secret header, then every request is considered an unauthenticated request.


For JWT authentication mode, any request which does not contain a JWT token is considered an unauthenticated request.


When using webhook mode, any request for which the webhook returns a 401 Unauthorized response is denied.

To allow unauthenticated access, say for public data, the server must be configured with an unauthorized role and the auth webhook should return a 200 status response with your unauthenticated role specified in the headers. For details on the webhook response, refer to this section.