Authentication / Access control

Hasura helps you define granular access controls for every field in your GraphQL schema (i.e. every table or view in your Postgres schema). These access control rules can use dynamic variables that come in with every request.

[Image: hasura-perms.png]

While developing, you can send variables as request headers directly.

[Image: dev-mode-auth.png]

However, in production, once your application is deployed, your app can’t send these authorization variables directly: a client that could set its own role or user id would bypass the access control rules entirely.

Instead, your app will typically send Hasura only an authorization token or cookie issued by your app’s authentication system. Hasura then has two ways to turn that credential into the variables the access control rules need. With a webhook, Hasura forwards the request headers your app sent (authorization tokens, cookies, etc.) to a webhook that you set up; the webhook validates the credential and returns the variables required as context for the access control rules. With JWT, your app sends Hasura a JWT, which Hasura verifies and decodes itself to obtain those variables. See Authorization using webhooks or Authorization using JWT for more details.
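Both flows above are easier to see in code. The following is an added example written for this page, not Hasura's own code: one function plays the auth webhook (it receives the forwarded request headers and answers with X-Hasura-* session variables, or None to signal a 401), and a second function shows what Hasura does in the JWT flow by verifying an HS256 token and reading the session variables out of the `https://hasura.io/jwt/claims` namespace. The session store, the HS256 secret, the token values and the `webhook_authorize` / `jwt_session_variables` / `make_jwt` names are all constructed for the demo; only the Hasura claim names and the claims namespace come from Hasura's documented JWT format.

```python
"""Added example: a minimal Hasura auth webhook and an HS256 JWT decoder.

Assumptions (not from the original page):
  - the webhook is called in the mode where the client's request headers
    are forwarded to it and it answers with X-Hasura-* session variables;
  - SESSION_STORE stands in for a real session or token database;
  - JWT_SECRET and every token below are constructed for this demo only.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed token store: opaque bearer token -> identity (not real data).
SESSION_STORE = {
    "tok-alice": {"user_id": "1", "role": "user"},
    "tok-root": {"user_id": "42", "role": "admin"},
}


def webhook_authorize(headers):
    """Webhook side: map the forwarded request headers to Hasura session
    variables. Returns None when the request should get a 401."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    identity = SESSION_STORE.get(token)
    if identity is None:
        return None
    # The webhook, never the client, decides these values.
    return {
        "X-Hasura-User-Id": identity["user_id"],
        "X-Hasura-Role": identity["role"],
    }


# ---- JWT flow: what Hasura does with a token your app sends it ----------
JWT_SECRET = b"constructed-demo-secret-do-not-reuse-anywhere"
CLAIMS_NS = "https://hasura.io/jwt/claims"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, secret=JWT_SECRET):
    """Mint an HS256 JWT. In production your auth server does this, not Hasura."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_session_variables(token, secret=JWT_SECRET, now=None):
    """Hasura side (illustration): verify signature and expiry, then read the
    session variables from the Hasura claims namespace. None means reject."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None
    hasura = claims.get(CLAIMS_NS, {})
    role = hasura.get("x-hasura-default-role")
    # The role used for the request must be one the token actually allows.
    if role is None or role not in hasura.get("x-hasura-allowed-roles", []):
        return None
    return {"X-Hasura-User-Id": hasura.get("x-hasura-user-id"), "X-Hasura-Role": role}


if __name__ == "__main__":
    print(webhook_authorize({"Authorization": "Bearer tok-alice"}))
    demo = make_jwt({"sub": "1", "exp": int(time.time()) + 3600,
                     CLAIMS_NS: {"x-hasura-user-id": "1",
                                 "x-hasura-default-role": "user",
                                 "x-hasura-allowed-roles": ["user"]}})
    print(jwt_session_variables(demo))
```

The point both functions share is that the client supplies only a credential, and the trusted side (your webhook, or Hasura verifying the JWT) is what produces `X-Hasura-User-Id` and `X-Hasura-Role`. A real webhook would wrap `webhook_authorize` in an HTTP handler returning the dict as JSON with status 200, or status 401 when it returns None.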

Next, let’s set up some basic access control rules.