Allow Lists

Allowlist can be configured to safely allow a limited number of GraphQL operations (queries/mutations/subscriptions) for your project.

You can add operations to Allowlist as follows:

  • Using Console
  • Using Metadata
  • Automatically through Hasura Cloud

Allowlist through Console

For example, in the slack demo, you can restrict only the users query to go through and deny all other queries. Do this by heading to the Settings tab on Console and navigating to the Allow List page.

Allow Lists on Console

You can manually add an operation by specifying an operation name and definition. Consider the operation name is users, whereas the definition is the following:

query {
users {

Allow List operation

Similarly, you can manually upload a GraphQL file with the list of all operations to achieve the same result.

Allowlist through Metadata

An "allow list" can have multiple collections, with each collection containing different queries. You can add a collection with the help of the following APIs.

Allowlist through Hasura Cloud

Hasura Cloud provides an efficient way to add operations to the Allowlist from a list of previously executed operations.

Head to the Allow List tab inside the MONITORING tab of the Hasura Cloud project. Then navigate to NEW OPERATIONS to see the list of operations that are not in the allow list yet.

Hasura Cloud Allowlist

In this example, select the user and introspection queries. You can choose them from the list of operations instead of manually entering them one by one.

Note that even Introspection queries need to be added explicitly to allow the GraphiQL interface to work. One other tip that would be useful is to ensure that the client uses named queries, so it's easier to add them to the allowlist. It's also easier to inspect and debug.

Enabling Allowlist

The Allowlist feature needs to be enabled because it comes disabled by default.

Set the HASURA_GRAPHQL_ENABLE_ALLOWLIST env variable to true to start using the Allowlist.

Head to the Env vars tab on the project settings page on Hasura Cloud to enable this env.

Did you find this page helpful?
Start with GraphQL on Hasura for Free
  • ArrowBuild apps and APIs 10x faster
  • ArrowBuilt-in authorization and caching
  • Arrow8x more performant than hand-rolled APIs
footer illustration
Brand logo
© 2024 Hasura Inc. All rights reserved