Sign up for Hasura Newsletter

Service Level Security

Hasura allows access to be determined on a service level. There are various configurations that can be done to secure data access at multiple layers. We will look at each of them now.

Configure an API secret

You might have configured an admin secret already to secure the GraphQL API initially. This will be followed up by role based permission system for data access. But if you are using custom code via Actions, Remote Schemas and Events, then you need a way to be able to restrict that custom code to be only called by Hasura and not from anywhere else.

This requires trust between the Hasura server and the custom code server. This trust is established through a shared API secret.

When creating an action/remote schema/events, you can add custom headers like the one below:

Shared Secret through Headers

Set CORS policies

By default, Hasura allows all CORS requests. In a production scenario, you might want to restrict the queries to be made by few selected domains.

For example, if your application is hosted on a domain, say, you can allow any requests to come from this and any of its subdomains by enabling the config HASURA_GRAPHQL_CORS_DOMAIN="http://*".

Cors Domain

Of course this restriction applies only on the client side (browser). Since the API is publicly accessible in any case, these policies are useful only to restrict requests made from the browser. This still doesn't prevent anyone from making requests server side or from mobile apps for example and shouldn't be used as a means to restrict for such cases anyways.


Hasura Cloud projects come with free SSL for all apps, including custom domains and hence the APIs are accessible over https regular queries and wss for realtime subscription queries.

Note that wss can be used for making all requests. (Not just subscriptions, but queries and mutations work too).

Manage team members and their levels of access

In Hasura Cloud, you can share console access to different team members with restricted access. You can do this by adding collaborators in the project settings page as given below:

Team Console

There are two levels of access to the Hasura Cloud project:

  • admin has access to perform API calls and view metrics and configure rules without any restrictions.
  • user has limited access depending on whether permissions for executing GraphQL and Viewing metrics was provided.
Did you find this page helpful?
Start with GraphQL on Hasura for Free
  • ArrowBuild apps and APIs 10x faster
  • ArrowBuilt-in authorization and caching
  • Arrow8x more performant than hand-rolled APIs
footer illustration
Brand logo
© 2022 Hasura Inc. All rights reserved