Hasura GraphQL Engine (Self-Hosted)
Self-hosted Hasura GraphQL Engine deployed via Docker that auto-generates a GraphQL API from Postgres (and other databases) with event triggers, remote schemas, and a CLI-driven migration workflow — distinct from Hasura Cloud's managed API surface.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Admin secret and JWT secret must be managed via environment variables, not metadata files. TLS termination must be handled by an upstream proxy (nginx, Caddy). Event trigger webhook security is operator responsibility in CE.
⚡ Reliability
Best When
Self-hosting a Postgres-backed GraphQL API with full infrastructure control, GitOps-managed metadata, and event-driven automation via triggers.
Avoid When
The team cannot operate Docker/Kubernetes infrastructure or needs a fully managed service — use Hasura Cloud in that case.
Use Cases
- • Running Hasura Engine in Docker Compose alongside Postgres and managing schema via hasura-cli migrate apply for reproducible environments
- • Configuring event triggers in the Hasura Console to fire webhooks on database row insert/update/delete events for async workflows
- • Adding remote schemas to federation third-party GraphQL APIs into the Hasura supergraph without code changes
- • Exporting and version-controlling Hasura metadata (tables, permissions, relationships) via hasura metadata export and committing to git
- • Defining row-level and column-level permissions in the Hasura Console or metadata YAML to implement multi-tenant data access control
Not For
- • Teams that want a managed cloud GraphQL API without operating Postgres or Docker infrastructure — use Hasura Cloud instead
- • Projects using non-relational databases as the primary data store (Hasura's auto-generation is optimized for SQL databases)
- • Developers who need custom business logic in resolvers without adding Actions or Remote Schemas as extension points
Interface
Authentication
Hasura validates JWTs (JWKS or static secret) or delegates auth to a webhook that returns session variables; the admin secret must be protected and rotated — never expose it in client code.
Pricing
Open source (Apache 2.0) for the core engine. Enterprise features require a commercial license.
Agent Metadata
Known Gotchas
- ⚠ The HASURA_GRAPHQL_ADMIN_SECRET environment variable grants unrestricted access; agents generating docker-compose files must not hard-code this value and should use secrets management.
- ⚠ Hasura permissions are role-based and must be explicitly configured per table per operation; a freshly tracked table with no permissions defined is inaccessible to non-admin roles — agents often forget to generate permission rows.
- ⚠ hasura migrate apply and hasura metadata apply are separate commands; agents that only run migrate apply will leave metadata changes (permissions, relationships, event triggers) unapplied.
- ⚠ Event trigger webhook payloads are signed with a shared secret only in Hasura Enterprise; in CE, agents must implement their own HMAC or token validation to prevent spoofed trigger calls.
- ⚠ Remote schema stitching merges the remote type namespace into the Hasura schema; type name conflicts between the remote schema and Hasura auto-generated types cause startup errors that are only visible in the engine logs.
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Hasura GraphQL Engine (Self-Hosted).
Scores are editorial opinions as of 2026-03-06.