Rotating Admin Secrets¶

Table of contents

Introduction
How to use multiple admin secrets
How to rotate an admin secret

Introduction¶

You can specify a list of admin secrets which can be used to implement security mechanisms like rotating admin secrets.

How to use multiple admin secrets¶

Multiple admin secrets can be provided in the env var HASURA_GRAPHQL_ADMIN_SECRETS which takes a JSON array of admin secrets (strings).

When you launch the console from the Hasura Cloud dashboard, you can use any secret from the admin secrets list to authenticate yourself as an admin. If you want to make API calls from outside the console, you need to pass any one of the admin secrets as the x-hasura-admin-secret request header.

Note

If both HASURA_GRAPHQL_ADMIN_SECRET and HASURA_GRAPHQL_ADMIN_SECRETS are set, then only HASURA_GRAPH_ADMIN_SECRETS will be used.

How to rotate an admin secret¶

To implement a secret rotation mechanism, the following can be done:

Add a new secret to the list of admin secrets (and perform a rolling deploy)
Update applications/services using the old admin secret to use the new secret
Remove the old secret from the admin secret list (and perform a rolling deploy)

« previous | next »

Want to contribute or report missing content?

edit this page on github | contributing guidelines | report an issue

Hasura GraphQL engine is open source. See license