Version: v2.x

Forwarding Auth Context to/from Remote Schemas

Introduction

This page gives an overview of how Hasura allows you to pass auth context to your Remote Schema server.

Passing headers from Hasura to your Remote Schema

Hasura will forward the resolved x-hasura-* values as headers to your Remote Schema. You can use this information to apply authorization rules in your server. You don't have to redo authentication in your Remote Schema server.

You can also configure Hasura (as shown here) to:

  1. send static header values to the remote server
  2. forward all headers from the client (like Authorization, Cookie headers etc.)
  3. use fine-grained access control

If there are multiple headers with the same name, the order of precedence is: configuration headers > resolved user (x-hasura-*) variables > client headers.

So for example, if the client sends an Authorization header, and the configuration also has an Authorization header, the configuration header value will be selected.

Note

The headers from the client behave similarly to the authorization system. If x-hasura-admin-secret is sent, then all x-hasura-* values from the client are respected, otherwise they are ignored.
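
An added example (not Hasura's or this page's code) of a Remote Schema server applying authorization rules from the forwarded x-hasura-* headers. It assumes a static header, hypothetically named x-remote-schema-secret, is configured in Hasura as a shared secret; by the precedence rule above, the configured value overrides any client header of that name. The `user` role, the order object and the function names are also assumptions.

```javascript
// Added example, not Hasura code. Hypothetical names: the x-remote-schema-secret
// static header, REMOTE_SCHEMA_SECRET, the "user" role and the order object.
const { createHash, timingSafeEqual } = require("node:crypto");

const SHARED_SECRET_HEADER = "x-remote-schema-secret";
// Constructed fallback for the demo; in a deployment, set the env var.
const EXPECTED_SECRET = process.env.REMOTE_SCHEMA_SECRET || "constructed-demo-secret";

// Hash both sides so timingSafeEqual always receives equal-length buffers.
const sha256 = (s) => createHash("sha256").update(s).digest();

// Header names are case-insensitive; normalise so plain objects work too.
function lowerCaseKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Returns the auth context, or null when the request cannot be trusted.
function authContextFromHeaders(rawHeaders) {
  const h = lowerCaseKeys(rawHeaders);
  const presented = h[SHARED_SECRET_HEADER];
  // Anyone who can reach this server directly can send x-hasura-* headers,
  // so trust them only after the caller proves it is Hasura.
  if (typeof presented !== "string" ||
      !timingSafeEqual(sha256(presented), sha256(EXPECTED_SECRET))) {
    return null;
  }
  const role = h["x-hasura-role"];
  if (typeof role !== "string" || role === "") return null; // fail closed
  const userId = typeof h["x-hasura-user-id"] === "string" ? h["x-hasura-user-id"] : null;
  return { role, userId };
}

// Authorization rule for a hypothetical resolver that returns one order.
function canReadOrder(ctx, order) {
  if (!ctx) return false;
  if (ctx.role === "admin") return true;
  return ctx.role === "user" && ctx.userId !== null && ctx.userId === order.ownerId;
}
```

Build the context once per request and pass it to resolvers; a `null` context should end the request before any resolver runs.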

Set-Cookie headers from your Remote Schema servers are sent back to the client over HTTP transport. Over websocket transport there exists no means of sending headers after a query/mutation and hence the "Set-Cookie" headers are not sent to the client. Use HTTP transport if your remote servers set cookies.

Additional Resources

Data Federation with Hasura - Watch Webinar.