Backend Only Mutations
Introduction
If a mutation permission is marked as "backend only", it is accessible to the given role only if the
x-hasura-use-backend-only-permissions
session variable exists on the request and is set to true
. The
x-hasura-admin-secret
must also be present if any auth is configured.
This is useful if you would like to hide a mutation from a public facing API but allow access to it via a trusted backend.
Setting "backend only" is available for insert
, update
and delete
mutations.
- Console
- CLI
- API
You can set a mutate permission for a role as backend only in the Hasura Console in Data -> [table] -> Permissions -> [role] -> insert / update / delete -> Backend only

You can set a mutate permission for a role as backend only in the metadata -> databases -> [database-name] -> tables ->
[table-name].yaml
file, eg: public_users.yaml
:
table:
name: users
schema: public
insert_permissions:
- role: user
permission:
check: {}
columns:
- id
backend_only: true
delete_permissions:
- role: user
permission:
backend_only: true
filter: {}
You can set a mutate permission for a role as backend only with the Metadata API and the insert, update or delete permissions.
POST /v1/metadata HTTP/1.1
Content-Type: application/json
X-Hasura-Role: admin
{
"type": "pg_create_insert_permission",
"args": {
"table": {
"name": "users",
"schema": "public"
},
"role": "user",
"permission": {
"check": {},
"columns": [
"id"
],
"set": {},
"backend_only": true
},
"source": "default"
}
}
Backend only permissions for update
and delete
mutations are supported in Hasura GraphQL Engine versions v2.8.0
and above.