Skip to main content
Version: v2.x

Authorization / Access Control


Hasura supports role-based authorization where access control is done by creating rules for each role and operation. In the case of database tables, you can create rules for database operations (select, insert, update, delete) and in the case of Remote Schemas, you can define rules for access to fields. These access control rules use dynamic session variables that are passed to the GraphQL Engine from your authentication service with every request. Role information is inferred from the X-Hasura-Role and X-Hasura-Allowed-Roles session variables. Other session variables can be passed by your auth service as per your requirements.

For example:

Create a permission rule

Hasura roles and permissions are implemented at the Hasura layer. They have nothing to do with Postgres roles and users.

Trying out access control

If you just want to see role-based access control in action, you need not set up or integrate your auth service with GraphQL Engine. You can just:

  • Define permission rules for a table for a role.
  • Use the GraphiQL interface in the Console to make a request and send the session variables as request headers (send a X-Hasura-Role key, with its value as the name of the role you've defined rules for). The data in the response will be restricted as per your configuration.

Follow the example at access control basics.


API limits and access controls in Hasura Cloud

Additional access controls and API limits like maximum query depth can be found in Hasura Cloud. See more at API limits with Hasura Cloud.

Additional Resources