Hasura Admin Secret
Service Name: Hasura GraphQL Engine
Service Description: Hasura is an open-source engine that provides instant GraphQL APIs over PostgreSQL databases. It allows for real-time GraphQL APIs with built-in authorization and can connect to multiple databases, microservices, and third-party APIs.
Service Address: https://hasura.io/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the project level through Hasura Cloud or through your infrastructure provider if self-hosted.
Secret Access Scope: Grants full administrative access to the Hasura GraphQL Engine, including schema management, data access, and user permissions.
Secret Revokement URL: https://hasura.io/docs/latest/auth/authentication/admin-secret/
Secret Example: hasura-admin-secret-key-example-12345
Suspicious Activity Investigation Instructions:
- Review Hasura logs for unauthorized admin operations or unusual query patterns
- Check for unexpected schema changes or permission modifications
- Monitor for unusual data access patterns or high-volume queries
- Examine event triggers for unauthorized configurations
- Review metadata changes in the Hasura console
Mitigation Instructions:
- Immediately rotate the admin secret by updating the
HASURA_GRAPHQL_ADMIN_SECRET environment variable
- For Hasura Cloud: Navigate to Project Settings → Env vars and update the
admin secret
- For self-hosted: Update the environment variable in your deployment
configuration
- Verify and audit all permission configurations to ensure they haven't been
compromised
- Review and potentially revoke JWT tokens if you're using JWT authentication
alongside admin secret
- Enable request logging to monitor future access attempts
- Consider implementing IP allow-listing for admin access if not already in place