graphql-engine/docs/graphql/manual/deployment/heroku/securing-graphql-endpoint.rst

Securing the GraphQL endpoint (Heroku)
======================================

.. contents:: Table of contents
  :backlinks: none
  :depth: 1
  :local:

To make sure that your GraphQL endpoint and the Hasura console are not publicly accessible, you need to
configure an admin secret key.


Add the HASURA_GRAPHQL_ADMIN_SECRET env var
-------------------------------------------

Head to the config-vars URL on your Heroku dashboard and set the ``HASURA_GRAPHQL_ADMIN_SECRET`` environment variable.

.. thumbnail:: ../../../../img/graphql/manual/deployment/secure-heroku.png

Setting this environment variable will automatically restart the dyno. Now when you access your console, you'll be
prompted for the admin secret key.

.. thumbnail:: ../../../../img/graphql/manual/deployment/access-key-console.png

.. note::

  The ``HASURA_GRAPHQL_ADMIN_SECRET`` should never be passed from the client to Hasura GraphQL engine as it would
  give the client full admin rights to your Hasura instance. See :doc:`../../auth/index` for information on
  setting up Authentication.


(optional) Use the admin secret with the CLI
--------------------------------------------

In case you're using the CLI to open the Hasura console, use the ``admin-secret`` flag when you open the console:

.. code-block:: bash

   hasura console --admin-secret=myadminsecretkey
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			`Securing the GraphQL endpoint (Heroku)`
			`======================================`

add table of contents to docs pages (#1115) 2018-12-03 15:12:24 +03:00			`.. contents:: Table of contents`
			`:backlinks: none`
			`:depth: 1`
			`:local:`

merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			`To make sure that your GraphQL endpoint and the Hasura console are not publicly accessible, you need to`
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			`configure an admin secret key.`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00

rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			`Add the HASURA_GRAPHQL_ADMIN_SECRET env var`
			`-------------------------------------------`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			Head to the config-vars URL on your Heroku dashboard and set the ``HASURA_GRAPHQL_ADMIN_SECRET`` environment variable.
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
add image zoom in docs (close #1483) (#1752) 2019-03-13 13:03:45 +03:00			`.. thumbnail:: ../../../../img/graphql/manual/deployment/secure-heroku.png`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
			`Setting this environment variable will automatically restart the dyno. Now when you access your console, you'll be`
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			`prompted for the admin secret key.`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
add image zoom in docs (close #1483) (#1752) 2019-03-13 13:03:45 +03:00			`.. thumbnail:: ../../../../img/graphql/manual/deployment/access-key-console.png`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
update docs (#1696) 2019-03-06 11:58:04 +03:00			`.. note::`

			The ``HASURA_GRAPHQL_ADMIN_SECRET`` should never be passed from the client to Hasura GraphQL engine as it would
			give the client full admin rights to your Hasura instance. See :doc:`../../auth/index` for information on
			`setting up Authentication.`

merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			`(optional) Use the admin secret with the CLI`
			`--------------------------------------------`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			In case you're using the CLI to open the Hasura console, use the ``admin-secret`` flag when you open the console:
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
			`.. code-block:: bash`

rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			`hasura console --admin-secret=myadminsecretkey`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00