Authorization / Access Control
Overview
Hasura supports role-based authorization where access control is done by creating rules for each role and operation.
In the case of database tables, you can create rules for database operations (select, insert, update, delete) and in the
case of Remote Schemas, you can define rules for access to fields. These access control
rules use dynamic session variables that are passed to the GraphQL Engine from your
authentication service with every request. Role information is inferred from the
X-Hasura-Role
and X-Hasura-Allowed-Roles
session variables. Other session variables can be passed by your auth
service as per your requirements.
For example:

Hasura roles and permissions are implemented at the Hasura layer. They have nothing to do with Postgres roles and users.
Trying out access control
If you just want to see role-based access control in action, you need not set up or integrate your auth service with GraphQL Engine. You can just:
- Define permission rules for a table for a role.
- Use the GraphiQL interface in the Console to make a request and send the session variables as request headers (send
a
X-Hasura-Role
key, with its value as the name of the role you've defined rules for). The data in the response will be restricted as per your configuration.
Follow the example at access control basics.
See:
- Access control basics
- Roles & Session variables
- Inherited roles
- Configuring permission rules
- Access control examples
- Multiple column + row permissions for the same role
Additional access controls and API limits like maximum query depth can be found in Hasura Cloud. See more at API limits with Hasura Cloud.
- Enterprise Grade Authorization - Watch Webinar.
- Authorization Patterns with Hasura - Check out this tutorial.