Version: v2.x

Backend Only Mutations


Backend only permissions in Hasura allow certain mutations to be hidden from the public-facing API while remaining accessible to a trusted backend. This is useful for operations that should bypass standard client-side validation or business logic, ensuring that only authorized backend services can perform them.

Setting "backend only" is available for insert, update and delete mutations.

Set a mutation permission for a role as backend only in the Hasura Console under **Data -> [table] -> Permissions -> [role] -> insert / update / delete -> Backend only**
Supported from

Backend only permissions for update and delete mutations are supported in Hasura GraphQL Engine versions v2.8.0 and above.

How it Works


Backend only permissions create two operation modes within Hasura:

  • Frontend Scenario: All mutation operations are visible when no backend-only permissions are set.
  • Backend Scenario: Specific mutations set with backend-only permissions become visible only when the x-hasura-use-backend-only-permissions header is set to true.

Schema Generation

Hasura maintains two GraphQL schemas per role per table:

| Schema Type | Description | Example |
| --- | --- | --- |
| Frontend Schema | Visible mutations without backend-only permissions. | Given a role "public" and a table "user", mutations like insert_user and delete_user are visible by default. |
| Backend Schema | Mutations visible only when backend-only permissions are enabled. | For the same role and table, the update_user mutation is only visible when the x-hasura-use-backend-only-permissions header is set to true. |

All operations are visible by default.

Access Requirements

For a mutation to be accessible under backend only permissions, the following conditions must be met:

  • x-hasura-admin-secret is present if authorization is configured.
  • x-hasura-use-backend-only-permissions must be set to true.
  • x-hasura-role is used to identify the role.
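
As an added example (not taken from the Hasura documentation), the Python sketch below builds the request a trusted backend would send to meet these three conditions. The endpoint URL, secret, column names and passthrough-header handling are assumptions for illustration; dropping client-supplied x-hasura-* headers is a hardening choice of this example, not a requirement stated on this page.

```python
import json
import urllib.request

HASURA_PREFIX = "x-hasura-"


def backend_only_headers(admin_secret, role, passthrough=None):
    """Headers a trusted backend sets to reach a backend-only mutation.

    `passthrough` holds headers copied from the incoming client request
    (assumed scenario). Every x-hasura-* header in it is dropped so the
    client cannot pick the role or the backend-only flag itself.
    """
    if not admin_secret:
        # Assumes authorization is configured on the Hasura instance.
        raise ValueError("admin secret required when authorization is configured")
    headers = {
        k.lower(): v
        for k, v in (passthrough or {}).items()
        if not k.lower().startswith(HASURA_PREFIX)
    }
    headers.update({
        "content-type": "application/json",
        "x-hasura-admin-secret": admin_secret,
        "x-hasura-use-backend-only-permissions": "true",
        "x-hasura-role": role,
    })
    return headers


def build_request(url, admin_secret, role, query, variables=None, passthrough=None):
    """Return an unsent Request; hand it to urllib.request.urlopen to send."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers=backend_only_headers(admin_secret, role, passthrough),
    )


# Constructed sample: update_user is the backend-only mutation from the page's
# example; the column names, URL and secret are placeholders.
MUTATION = """
mutation ($id: Int!, $name: String!) {
  update_user(where: {id: {_eq: $id}}, _set: {name: $name}) { affected_rows }
}
"""

if __name__ == "__main__":
    req = build_request(
        "https://hasura.example.invalid/v1/graphql", "placeholder-secret", "public",
        MUTATION, {"id": 1, "name": "Ada"},
        passthrough={"X-Hasura-Role": "admin", "X-Request-Id": "abc123"},
    )
    print(req.get_method(), req.full_url, dict(req.header_items()))
```
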

This table outlines the visibility of mutations based on the Backend Only permission along with the presence of necessary headers:

| Backend Only | x-hasura-admin-secret | x-hasura-use-backend-only-permissions | Result |
| --- | --- | --- | --- |