Hasura#
Hasura is an instant GraphQL API engine that sits in front of your database (most commonly PostgreSQL) and automatically exposes your data as a real-time GraphQL API with built-in authorization, filtering, relationships, and subscriptions.
- Think of it as:
βPostgREST for GraphQL + real-time + UI-driven configuration.β
1) What Hasura does (in simple terms)#
- When you connect Hasura to a database:
It introspects tables, views, and functions
Automatically generates:
GraphQL queries
GraphQL mutations
GraphQL subscriptions (real-time via WebSockets)
You control who can see what using roles + permissions
No backend code required for CRUD APIs
2) Core components of Hasura#
1οΈβ£ GraphQL Engine
- The main server that:
Translates GraphQL β SQL
Enforces permissions
Manages caching and subscriptions
2οΈβ£ Metadata
- Configuration stored as metadata:
Table permissions
Relationships
Remote schemas
Actions
Event triggers
(You can version-control this)
3οΈβ£ Admin Console (UI)
- A web UI to:
Browse tables
Set permissions
Define relationships
Test GraphQL queries
3) What you get out of the box#
β Instant GraphQL API
query {
orders {
id
item
created_at
}
}
No SQL. No resolvers.
β Role-based authorization (very important)
Permissions are defined per role, per table, per operation.
- Example:
Role: user
Table: orders
Rule: user_id = X-Hasura-User-Id
Hasura automatically injects this filter into SQL.
β Row-level security (RLS-like, but at GraphQL level)
Example permission rule:
{
"user_id": {
"_eq": "X-Hasura-User-Id"
}
}
- Hasura ensures:
Users can only access their own rows
Even if they try to query more data
(You can also combine with Postgres RLS for defense-in-depth)
β Real-time subscriptions
subscription {
orders {
id
item
}
}
When a row changes β clients get updates instantly.
No polling. No custom WebSocket code.
β Relationships without joins
- Define relationships once:
orders β users
users β roles
Then query like:
query {
orders {
item
user {
name
email
}
}
}
Hasura generates efficient SQL joins automatically.
4) Authentication model (important concept)#
Hasura itself does NOT authenticate users.
- Instead:
You use JWT, OAuth, or an external auth service
JWT contains claims like:
x-hasura-user-id
x-hasura-role
x-hasura-allowed-roles
Hasura reads these headers and enforces permissions.
5) How Hasura compares to PostgREST (high level)#
Feature |
Hasura |
PostgREST |
|---|---|---|
API style |
GraphQL |
REST |
Auto API |
β |
β |
Real-time |
β Built-in |
β |
Authorization |
GraphQL permissions |
PostgreSQL RLS |
Admin UI |
β |
β |
Custom logic |
Actions / Functions |
SQL / Functions |
Complexity |
Medium |
Low |
Control via SQL |
Less |
More |
- Rule of thumb
Want GraphQL + real-time + UI β Hasura
Want pure SQL + REST + minimal layer β PostgREST
- Where Hasura is commonly used
SaaS backends
Dashboards
Mobile apps
Rapid prototypes
Internal tools
Event-driven systems
- Especially popular when:
Frontend teams want GraphQL
You want fast iteration
You donβt want to write resolvers
- How Hasura executes a request (flow)
Client sends GraphQL query + JWT
#. Hasura: - Validates JWT - Extracts role + user id - Applies permission rules
Generates SQL
Runs SQL on PostgreSQL
Returns GraphQL response
All in milliseconds.
8) Is Hasura a replacement for backend code?#
No β but it replaces a LOT of boilerplate.
- You still may need:
Business logic
Payment processing
External APIs
Complex workflows
- Hasura integrates these via:
Actions (custom resolvers)
Event triggers
Remote schemas
- When NOT to use Hasura
You want full SQL-only control
You donβt want GraphQL
You need extremely custom query planning
You already rely heavily on stored procedures + RLS
- Summary:
Hasura is a production-ready GraphQL engine that instantly turns your PostgreSQL database into a secure, real-time API with role-based access control β without writing backend CRUD code.