Session middleware on the Hasura platform #HasuraPaaS

Standardise your session management and handle identity across all services seamlessly

The session middleware is a component that ‘sits’ in front of your actual service. All requests that come from outside your cluster go through this middleware, are processed, and then reach your service.

The session middleware is built into the API gateway.

Almost every request, to any service, needs a “session”, i.e. an authenticated identity for the request (or the user). Cookies, Authorization headers, and JSON web tokens are different methods of exchanging session information.

Resolving the session token once and for all

Hasura’s session middleware resolves a session into an identity for every incoming request. The identity is passed to the upstream service as injected HTTP headers.

Two headers, X-Hasura-Id and X-Hasura-Allowed-Roles, are set by the API gateway and passed on to your service. This pair of headers identifies a user and the roles that the user has (the ID and the roles for the user were set when the user authenticated themselves).

Your code can then use a simple pattern to perform various tasks that the user was authorised to do, based on their ID and roles.
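A sketch of that pattern in an upstream service, added here as an illustration and not taken from Hasura's own code. It assumes the roles header carries a comma-separated list; the role names `user` and `admin` and the `handle_delete_article` handler are hypothetical.

```python
from typing import Mapping, NamedTuple, Optional

ID_HEADER = "x-hasura-id"
ROLES_HEADER = "x-hasura-allowed-roles"


class Identity(NamedTuple):
    user_id: str
    roles: frozenset


def identity_from_headers(headers: Mapping[str, str]) -> Optional[Identity]:
    """Return the identity injected by the gateway, or None if it is absent.

    Assumption: roles arrive as a comma-separated list; the page does not
    specify the value format.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    user_id = lowered.get(ID_HEADER, "").strip()
    roles = frozenset(
        r.strip() for r in lowered.get(ROLES_HEADER, "").split(",") if r.strip()
    )
    # Fail closed: a request without both values carries no usable identity.
    if not user_id or not roles:
        return None
    return Identity(user_id, roles)


def handle_delete_article(headers: Mapping[str, str], owner_id: str) -> int:
    """Hypothetical handler: returns the HTTP status the service would send."""
    identity = identity_from_headers(headers)
    if identity is None:
        return 401  # no identity was injected for this request
    if "admin" in identity.roles or identity.user_id == owner_id:
        return 204  # admins, or the article's owner, may delete
    return 403  # authenticated, but not allowed to do this


# Constructed sample requests, as the service would see them after the gateway.
OWNER = {"X-Hasura-Id": "42", "X-Hasura-Allowed-Roles": "user"}
ADMIN = {"x-hasura-id": "7", "x-hasura-allowed-roles": "user, admin"}
OTHER = {"X-Hasura-Id": "99", "X-Hasura-Allowed-Roles": "user"}

if __name__ == "__main__":
    for name, req in (("owner", OWNER), ("admin", ADMIN), ("other", OTHER), ("bare", {})):
        print(name, handle_delete_article(req, owner_id="42"))
```

The service takes these headers at face value, so the check is only as strong as the network path: the service has to be reachable solely through the gateway.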

Standard template for identity management across all your services

Standardising session management for your microservices

Hasura’s session middleware standardises your session management. You can handle identity concisely and uniformly across all services. This saves you many lines of code and enforces neat abstractions across all your services.

