Skip to content

Hasura Admin Secret

Service Name: Hasura GraphQL Engine

Service Description: Hasura is an open-source engine that provides instant GraphQL APIs over PostgreSQL databases. It allows for real-time GraphQL APIs with built-in authorization and can connect to multiple databases, microservices, and third-party APIs.

Service Address: https://hasura.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the project level through Hasura Cloud or through your infrastructure provider if self-hosted.

Secret Access Scope: Grants full administrative access to the Hasura GraphQL Engine, including schema management, data access, and user permissions.

Secret Revokement URL: https://hasura.io/docs/latest/auth/authentication/admin-secret/

Secret Example: hasura-admin-secret-key-example-12345

Suspicious Activity Investigation Instructions:

  • Review Hasura logs for unauthorized admin operations or unusual query patterns
  • Check for unexpected schema changes or permission modifications
  • Monitor for unusual data access patterns or high-volume queries
  • Examine event triggers for unauthorized configurations
  • Review metadata changes in the Hasura console

Mitigation Instructions:

  • Immediately rotate the admin secret by updating the

HASURA_GRAPHQL_ADMIN_SECRET environment variable

  • For Hasura Cloud: Navigate to Project Settings → Env vars and update the

admin secret

  • For self-hosted: Update the environment variable in your deployment

configuration

  • Verify and audit all permission configurations to ensure they haven't been

compromised

  • Review and potentially revoke JWT tokens if you're using JWT authentication

alongside admin secret

  • Enable request logging to monitor future access attempts
  • Consider implementing IP allow-listing for admin access if not already in place