2020-01-14 15:57:45 +03:00
.. meta ::
2020-06-29 15:50:06 +03:00
:description: Manage unauthenticated / public access in Hasura
:keywords: hasura, docs, authentication, auth, unauthenticated access, public access
2020-01-14 15:57:45 +03:00
2020-03-11 22:42:36 +03:00
.. _unauthenticated_access:
2020-06-29 15:50:06 +03:00
Unauthenticated / Public access
===============================
2019-10-28 09:16:25 +03:00
.. contents :: Table of contents
:backlinks: none
2020-06-29 15:50:06 +03:00
:depth: 2
2019-10-28 09:16:25 +03:00
:local:
2020-06-29 15:50:06 +03:00
Introduction
------------
2019-10-28 09:16:25 +03:00
It is a common requirement to have requests which are accessible to all users without the need for any authentication
(logging in). For example, to display a public feed of events.
2020-07-08 16:20:41 +03:00
Once you have configured an :ref: `admin secret <securing_graphql_endpoint>` , by default Hasura GraphQL engine will reject any unauthenticated request it
2020-06-29 15:50:06 +03:00
receives.
2019-10-28 09:16:25 +03:00
2020-06-29 15:50:06 +03:00
You can configure Hasura GraphQL engine to allow access to unauthenticated users by defining a specific role
2020-07-08 16:20:41 +03:00
which will be set for all unauthenticated requests. Once an unauthenticated role is configured, unauthenticated requests will
2020-06-29 15:50:06 +03:00
not be rejected and instead the request will be made with the configured role.
2019-10-28 09:16:25 +03:00
2020-03-11 22:42:36 +03:00
This role can then be used to define the permissions for unauthenticated users as described in :ref: `authorization` .
2019-10-28 09:16:25 +03:00
A guide on setting up unauthenticated user permissions can be found :ref: `here <anonymous_users_example>` .
2020-06-29 15:50:06 +03:00
Configuring unauthenticated / public access
-------------------------------------------
2019-10-28 09:16:25 +03:00
2020-07-08 16:20:41 +03:00
An unauthenticated role can be configured for the following scenarios: no auth setup, webhook auth setup or JWT auth setup.
No auth setup
^^^^^^^^^^^^^
With no auth setup, every request is considered an unauthenticated request.
You can use the env variable `` HASURA_GRAPHQL_UNAUTHORIZED_ROLE `` or the `` --unauthorized-role `` flag to set a role
for unauthenticated (non-logged in) users. See :ref: `server_flag_reference` for more details
on setting this flag/env var.
2020-06-29 15:50:06 +03:00
Webhooks
^^^^^^^^
2020-07-08 16:20:41 +03:00
For :ref: `webhook authentication <auth_webhooks>` , any request for which the webhook returns a `` 401 Unauthorized `` response
is considered an unauthenticated request.
2019-10-28 09:16:25 +03:00
2020-07-08 16:20:41 +03:00
To allow unauthenticated access, the auth webhook should return a `` 200 `` status response with your unauthenticated role in the headers. For details on the webhook response, refer to :ref: `this section <webhook_response>` .
2019-10-28 09:16:25 +03:00
2020-06-29 15:50:06 +03:00
JWT
^^^
2019-10-28 09:16:25 +03:00
2020-07-08 16:20:41 +03:00
For :ref: `JWT authentication <auth_jwt>` , any request which does not contain a JWT token is considered an unauthenticated request.
2019-10-28 09:16:25 +03:00
2020-07-08 16:20:41 +03:00
You can use the env variable `` HASURA_GRAPHQL_UNAUTHORIZED_ROLE `` or the `` --unauthorized-role `` flag to set a role
2020-06-29 15:50:06 +03:00
for unauthenticated (non-logged in) users. See :ref: `server_flag_reference` for more details
on setting this flag/env var.
2021-03-09 11:36:02 +03:00
.. admonition :: Additional Resources
Enterprise Grade Authorization - `Watch Webinar <https://hasura.io/events/webinar/authorization-modeling-hasura/?pg=docs&plcmt=body&cta=watch-webinar&tech=> `__ .
