graphql-engine/docs/graphql/manual/auth/config.rst.wip

Authorization modes
===================

You can run Hasura's GraphQL engine in three modes:

1. No Authentication mode
^^^^^^^^^^^^^^^^^^^^^^^^^

- When ``--admin-secret`` and ``--auth-hook`` are not set

- It is useful when you're developing . It is not recommended to use in production but however you can have proxy gateway that will set (``X-Hasura-Admin-Secret``) header and other required ``X-Hasura-*`` headers.

Run server in this mode using following docker command.

.. code-block:: bash

   docker run --name hasura-graphql-engine -p 9000:9000 \
              --link hasura-postgres:postgres \
              -d hasura/graphql-engine:latest graphql-engine \
              --database-url \
                postgres://postgres:mysecretpassword@postgres:5432/postgres \
                serve --server-port 9000 --cors-domain "*"


2. Admin secret mode
^^^^^^^^^^^^^^^^^^^^

- When only ``--admin-secret`` is set. See :doc:`GraphQL Server Options <../deployment/options>`

- Server authenticates based on ``X-Hasura-Admin-Secret`` header and expects all other required ``X-Hasura-*`` headers.

Run server in this mode using following docker command.

.. code-block:: bash

   docker run --name hasura-graphql-engine -p 9000:9000 \
              --link hasura-postgres:postgres \
              -d hasura/graphql-engine:latest graphql-engine \
              --database-url \
                postgres://postgres:mysecretpassword@postgres:5432/postgres \
                serve --server-port 9000 --admin-secret myAdminSecretKey \
                  --cors-domain "*"


3. Admin secret key and Authorization webhook mode
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- When both ``--admin-secret`` and ``--auth-hook`` are set

- This mode is useful in production. When server founds ``X-Hasura-Admin-Secret`` header it ignores webhook and expects all other required ``X-Hasura*`` headers

- If ``X-Hasura-Admin-Secret`` header not found then server authenticaters through webhook. See :doc:`Authorization
  Webhook <webhook>`

Run server in this mode using following docker command.

.. code-block:: bash

   docker run --name hasura-graphql-engine -p 9000:9000 \
              --link hasura-postgres:postgres \
              -d hasura/graphql-engine:latest graphql-engine \
              --database-url \
                postgres://postgres:mysecretpassword@postgres:5432/postgres \
                serve --server-port 9000 --admin-secret myAdminSecretKey \
                  --auth-hook http://myAuthhook/ --cors-domain "*"
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			`Authorization modes`
			`===================`

fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			`You can run Hasura's GraphQL engine in three modes:`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
			`1. No Authentication mode`
			`^^^^^^^^^^^^^^^^^^^^^^^^^`

rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			- When ``--admin-secret`` and ``--auth-hook`` are not set
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			- It is useful when you're developing . It is not recommended to use in production but however you can have proxy gateway that will set (``X-Hasura-Admin-Secret``) header and other required ``X-Hasura-*`` headers.
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
			`Run server in this mode using following docker command.`

			`.. code-block:: bash`

			`docker run --name hasura-graphql-engine -p 9000:9000 \`
			`--link hasura-postgres:postgres \`
			`-d hasura/graphql-engine:latest graphql-engine \`
			`--database-url \`
			`postgres://postgres:mysecretpassword@postgres:5432/postgres \`
			`serve --server-port 9000 --cors-domain "*"`


rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			`2. Admin secret mode`
			`^^^^^^^^^^^^^^^^^^^^`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			- When only ``--admin-secret`` is set. See :doc:`GraphQL Server Options <../deployment/options>`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			- Server authenticates based on ``X-Hasura-Admin-Secret`` header and expects all other required ``X-Hasura-*`` headers.
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
			`Run server in this mode using following docker command.`

			`.. code-block:: bash`

			`docker run --name hasura-graphql-engine -p 9000:9000 \`
			`--link hasura-postgres:postgres \`
			`-d hasura/graphql-engine:latest graphql-engine \`
			`--database-url \`
			`postgres://postgres:mysecretpassword@postgres:5432/postgres \`
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			`serve --server-port 9000 --admin-secret myAdminSecretKey \`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			`--cors-domain "*"`


rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			`3. Admin secret key and Authorization webhook mode`
			`^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			- When both ``--admin-secret`` and ``--auth-hook`` are set
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			- This mode is useful in production. When server founds ``X-Hasura-Admin-Secret`` header it ignores webhook and expects all other required ``X-Hasura*`` headers
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			- If ``X-Hasura-Admin-Secret`` header not found then server authenticaters through webhook. See :doc:`Authorization
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			Webhook <webhook>`

			`Run server in this mode using following docker command.`

			`.. code-block:: bash`

			`docker run --name hasura-graphql-engine -p 9000:9000 \`
			`--link hasura-postgres:postgres \`
			`-d hasura/graphql-engine:latest graphql-engine \`
			`--database-url \`
			`postgres://postgres:mysecretpassword@postgres:5432/postgres \`
rename access-key to admin-secret (close #1347) (#1540) Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret. Server CLI and console all support the older flag but marks it as deprecated. 2019-02-14 12:37:47 +03:00			`serve --server-port 9000 --admin-secret myAdminSecretKey \`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00			`--auth-hook http://myAuthhook/ --cors-domain "*"`