Allow Lists

Allowlist can be configured to safely allow a limited number of GraphQL operations (queries/mutations/subscriptions) for your project.

Operations to Allowlist can be added

Using Console
Using Metadata
Automatically through Hasura Cloud

Allowlist through Console

For example, in our slack demo, we can restrict only the users query to go through and deny all other queries. This can be done by heading to the Settings tab on Console and navigating to the Allow List page.

Allow Lists on Console

We can add an operation manually by specifying an operation name and the operation definition.

Let's say the operation name is users and the definition is

query {
  users {
    id
    name
  }
}

Allow List operation

Similarly this can be added via a file upload by manually uploading a graphql file with the list of all operations.

Allowlist through Metadata

Queries can be stored in collections and a collection can be added to or removed from the allow-list. A collection can be added through the following APIs

Allowlist through Hasura Cloud

While the above is done manually by entering in all the operations, Hasura Cloud gives a quick way to enable Allowlist from the list of operations that were already executed in the past.

Head to the Allow List tab inside the Pro tab of Hasura Cloud project. Then navigate to New Operations to see the list of operations that are not in the allow list yet.

Hasura Cloud Allowlist

In our example, we would like to select only the user query and hence we can explictly select that from the list of operations instead of manually entering them one by one.

Do note that even Introspection queries need to be added explictly to allow the GraphiQL interface to work and this tab let's you do that quickly. One other tip that would be useful is that, always ensure named queries are made from the client so that it's easier to add them to allowlist and also easier to inspect and debug.