graphql-engine/docs/graphql/manual/auth/authentication/unauthenticated-access.rst

.. meta::
   :description: Manage unauthenticated access in Hasura
   :keywords: hasura, docs, authentication, auth, unauthenticated access

Unauthenticated access
======================

.. contents:: Table of contents
  :backlinks: none
  :depth: 1
  :local:

Use case
--------

It is a common requirement to have requests which are accessible to all users without the need for any authentication
(logging in). For example, to display a public feed of events.

You can configure Hasura GraphQL engine to allow access to unauthenticated users by defining a specific role
which will be set for all unauthenticated requests.

Configuring unauthenticated access
----------------------------------

You can use the env variable ``HASURA_GRAPHQL_UNAUTHORIZED_ROLE`` or ``--unauthorized-role`` flag to set a role
for unauthenticated (non-logged in) users. See :doc:`../../deployment/graphql-engine-flags/reference` for more details
on setting this flag/env var.

This role can then be used to define the permissions for unauthenticated users as described in :doc:`../authorization/index`.
A guide on setting up unauthenticated user permissions can be found :ref:`here <anonymous_users_example>`.

How it works
------------

Once you have configured authentication, by default Hasura GraphQL engine will reject any unauthenticated request it
receives.

Based on your authentication setup, an unauthenticated request is any request:

- for which the webhook returns a ``401 Unauthorized`` response in case of :doc:`webhook authentication <./webhook>`.
- which does not contain a JWT token in case of :doc:`JWT authentication <./jwt>`.

Once an unauthenticated role is configured, unaunthenticated requests will not be rejected and instead the request will
be made with the configured role.
docs: add meta descriptions to pages (#3631) 2020-01-14 15:57:45 +03:00			`.. meta::`
			`:description: Manage unauthenticated access in Hasura`
			`:keywords: hasura, docs, authentication, auth, unauthenticated access`

add docs page for setting up unauthenticated acess (#3231) 2019-10-28 09:16:25 +03:00			`Unauthenticated access`
			`======================`

			`.. contents:: Table of contents`
			`:backlinks: none`
			`:depth: 1`
			`:local:`

			`Use case`
			`--------`

			`It is a common requirement to have requests which are accessible to all users without the need for any authentication`
			`(logging in). For example, to display a public feed of events.`

			`You can configure Hasura GraphQL engine to allow access to unauthenticated users by defining a specific role`
			`which will be set for all unauthenticated requests.`

			`Configuring unauthenticated access`
			`----------------------------------`

			You can use the env variable ``HASURA_GRAPHQL_UNAUTHORIZED_ROLE`` or ``--unauthorized-role`` flag to set a role
			for unauthenticated (non-logged in) users. See :doc:`../../deployment/graphql-engine-flags/reference` for more details
			`on setting this flag/env var.`

			This role can then be used to define the permissions for unauthenticated users as described in :doc:`../authorization/index`.
			A guide on setting up unauthenticated user permissions can be found :ref:`here <anonymous_users_example>`.

			`How it works`
			`------------`

			`Once you have configured authentication, by default Hasura GraphQL engine will reject any unauthenticated request it`
			`receives.`

			`Based on your authentication setup, an unauthenticated request is any request:`

			- for which the webhook returns a ``401 Unauthorized`` response in case of :doc:`webhook authentication <./webhook>`.
			- which does not contain a JWT token in case of :doc:`JWT authentication <./jwt>`.

			`Once an unauthenticated role is configured, unaunthenticated requests will not be rejected and instead the request will`
			`be made with the configured role.`