2-public-access-role.mdx

File metadata and controls

140 lines (108 loc) · 3.95 KB
---
sidebar_position: 3
sidebar_label: Public access
description: "Learn how to create a public-access role that can view data without authentication."
keywords:
  - hasura
  - hasura ddn
  - authorization
  - public
  - open
  - tutorial
  - guide
seoFrontMatterUpdated: false
---

Public Access

Introduction

In this tutorial, you'll learn how to configure permissions to allow for unauthenticated access to data in your supergraph. This can be done by creating a role and setting the filter field to null.

:::warning A word of caution

Any requests made to your supergraph with the configuration demonstrated below will have unauthenticated access to whatever resources you allow. Use with caution!

:::

:::info Prerequisites

Before continuing, ensure you have:

  • A local Hasura DDN project.
  • Either JWT or Webhook mode enabled in your AuthConfig.

:::

Tutorial

Step 1. Create the claims

In your authentication server, you can provide a claims map that identifies the default role as public. This can be any name you wish, so long as it's not a role (such as admin) that already exists.

{
  "claims.jwt.hasura.io": {
    "x-hasura-default-role": "public",
    "x-hasura-allowed-roles": ["public"]
  }
}

Step 2. Update ModelPermissions {#step-two}

For whatever models you'd like to publicly expose, add a ModelPermissions rule for the public role.

kind: ModelPermissions
version: v1
definition:
  modelName: Events
  permissions:
    - role: admin
      select:
        filter: null
    #highlight-start
    - role: public
      select:
        filter: null
    #highlight-end

Step 3. Update TypePermissions

Then, determine which types you'd like to publicly expose by updating TypePermissions. Hasura DDN gives you the ability to granularly determine which fields from each Model are available to each role.

kind: TypePermissions
version: v1
definition:
  typeName: Events
  permissions:
    - role: admin
      output:
        allowedFields:
          - id
          - owner_id
          - created_at
          - updated_at
          - is_live
          - title
          - date
          - description
    #highlight-start
    - role: public
      output:
        allowedFields:
          - id
          - is_live
          - title
          - date
          - description
    #highlight-end

Step 4. Test your permissions

Create a new build of your supergraph:

ddn supergraph build local

Then, in a request, pass a header with the role you identified earlier according to your authentication configuration. You should see a schema limited to whatever ModelPermissions and TypePermissions you defined for your new role and, when executing a query, only see data meeting the filtering rule you set in ModelPermissions (Step 2).
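A static check to run alongside the request test above, as an added example that is not part of the Hasura documentation or tooling: it reports, for a given role, which models return every row (`filter: null`) and which fields that role can read. It assumes the metadata objects are already parsed into dicts and that each model's type shares its name, as `Events` does here; `audit_role` and the choice of `owner_id` as a sensitive field are hypothetical.

```python
# Added example: audit what a role (e.g. the unauthenticated "public" role) can read.
# SAMPLE_METADATA is a constructed sample mirroring the tutorial's Events objects,
# given as parsed dicts so the block runs offline without a YAML parser.
SAMPLE_METADATA = [
    {"kind": "ModelPermissions", "version": "v1", "definition": {
        "modelName": "Events",
        "permissions": [
            {"role": "admin", "select": {"filter": None}},
            {"role": "public", "select": {"filter": None}},
        ]}},
    {"kind": "TypePermissions", "version": "v1", "definition": {
        "typeName": "Events",
        "permissions": [
            {"role": "admin", "output": {"allowedFields": [
                "id", "owner_id", "created_at", "updated_at",
                "is_live", "title", "date", "description"]}},
            {"role": "public", "output": {"allowedFields": [
                "id", "is_live", "title", "date", "description"]}},
        ]}},
]


def audit_role(metadata, role, sensitive_fields=()):
    """Map each model `role` can select from to its row and field exposure."""
    # Collect the fields the role may read, keyed by type name.
    fields_by_type = {}
    for obj in metadata:
        if obj.get("kind") == "TypePermissions":
            definition = obj["definition"]
            for perm in definition.get("permissions", []):
                if perm.get("role") == role:
                    allowed = perm.get("output", {}).get("allowedFields", [])
                    fields_by_type[definition["typeName"]] = list(allowed)
    report = {}
    for obj in metadata:
        if obj.get("kind") != "ModelPermissions":
            continue
        definition = obj["definition"]
        for perm in definition.get("permissions", []):
            if perm.get("role") != role or "select" not in perm:
                continue
            # Assumption: the model's object type has the same name as the model.
            fields = fields_by_type.get(definition["modelName"], [])
            report[definition["modelName"]] = {
                "unfiltered_rows": perm["select"].get("filter") is None,
                "fields": fields,
                "sensitive_exposed": sorted(set(fields) & set(sensitive_fields)),
            }
    return report
```

Running `audit_role(metadata, "public", {"owner_id"})` in CI and failing the build when `sensitive_exposed` is non-empty catches a later edit that widens the public role's `allowedFields`.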

Wrapping up

In this guide, you learned how to expose data in your supergraph to users without any authentication. This is valuable for any public-facing resources clients may need to access.

As you continue building out your supergraph, keep in mind that authentication and authorization are crucial components. Always validate your configuration and regularly test your setup to ensure it functions as expected across different roles and environments.

Learn more about permissions and auth

Similar tutorials