Version: v2.x

Backend Only Mutations

Introduction

If a mutation permission is marked as "backend only", it is accessible to the given role only if the x-hasura-use-backend-only-permissions session variable exists on the request and is set to true. The x-hasura-admin-secret must also be present if any auth is configured.

This is useful if you would like to hide a mutation from a public facing API but allow access to it via a trusted backend.

Setting "backend only" is available for insert, update and delete mutations.

You can mark a mutation permission for a role as backend only in the Hasura Console under Data -> [table] -> Permissions -> [role] -> insert / update / delete -> Backend only.

Allow backends only in Hasura Console

Supported from

Backend only permissions for update and delete mutations are supported in Hasura GraphQL Engine versions v2.8.0 and above.
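
The request described in the introduction, as an added example that is not taken from the Hasura documentation: a trusted backend builds a mutation request that carries the headers named above, and a small model of the stated rule shows which requests would see a backend only permission. The endpoint URL, the `orders` table, the `user` role and all function names are assumptions; the `x-hasura-role` header and the `/v1/graphql` path are standard Hasura features not mentioned on this page.

```javascript
// Added example. Names marked "hypothetical" are assumptions, not from the page.
const HASURA_URL = "http://localhost:8080/v1/graphql"; // hypothetical endpoint

// Hypothetical table `orders` whose insert permission for role `user`
// has been marked "Backend only" in the Console.
const INSERT_ORDER = `
  mutation ($item: String!) {
    insert_orders_one(object: { item: $item }) { id }
  }`;

// Build the fetch() options a trusted backend sends. The admin secret must
// stay server side (for example, read from an environment variable).
function buildBackendRequest(role, adminSecret, query, variables) {
  if (!adminSecret) throw new Error("admin secret is required on the trusted backend");
  return {
    method: "POST",
    headers: {
      "content-type": "application/json",
      "x-hasura-admin-secret": adminSecret,
      "x-hasura-role": role, // run the mutation with this role's permissions
      "x-hasura-use-backend-only-permissions": "true",
    },
    body: JSON.stringify({ query, variables }),
  };
}

// Model of the rule as stated on this page (not Hasura's implementation):
// the flag must be "true", and the admin secret must be present when auth is
// configured. The server validates the secret's value; this only checks presence.
function backendOnlyPermissionApplies(headers, authConfigured) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  const flagSet = h["x-hasura-use-backend-only-permissions"] === "true";
  const secret = h["x-hasura-admin-secret"];
  const secretPresent = typeof secret === "string" && secret !== "";
  return flagSet && (!authConfigured || secretPresent);
}

// Sends the mutation; needs a running Hasura instance, so it is not called here.
async function sendBackendMutation(role, adminSecret, item) {
  const res = await fetch(HASURA_URL, buildBackendRequest(role, adminSecret, INSERT_ORDER, { item }));
  const out = await res.json();
  if (out.errors) throw new Error(out.errors[0].message);
  return out.data;
}
```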