get started
Authenticate users
In the previous section you defined select permissions for the public role. You will now add insert and create permissions for authenticated users to secure your app's GraphQL API with authentication.
Nhost's authentication service allows you to deliver a frictionless registration and login experiences to your users. We support the vast majority of social providers and different methods (passwordless, SMS, etc).

Manually create a user by going to the Users tab (top menu) of your app and clicking on Add User.
Add user
Add user
You will now use that newly created user to make authenticated requests to the API.

Add the following code to sign in the new user and request the list of todos again:
import { NhostClient } from '@nhost/nhost-js'

const nhost = new NhostClient({
  backendUrl: 'https://[app-subdomain]'

(async () => {
  // Sign in user
  const signInResponse = await nhost.auth.signIn({
    email: '',
    password: 'securepassword'

  // Handle sign-in error
  if (signInResponse.error) {
    throw signInResponse.error

  // Get todos
  const todos = await nhost.graphql.request(`
    query {
      todos {

  console.log(JSON.stringify(, null, 2))

Why is the return value null? Because when making GraphQL requests as an authenticated user, the user role is assumed.
For authenticated requests, there is always the option to override the default user role with any other valid role.

We won't use the public role anymore, so let's remove all permission for that role.
Remove public permissions from Hasura
Remove public permissions from Hasura
Now we'll add permissions for the user role.
All logged-in users have the user role.
First, we'll set the Insert permission.
A user can only insert name because all other columns will be set automatically. More specifically, user_id will be set to the id of the user making the request (x-hasura-user-id) and is configured in the Column presets section. See the image below.
User insert permission
User insert permission
For Select permission, set a custom check so users can only select todos where user_id is the same as their user id. In other words: users are only allowed to select their own todos. See the image below.
User select permission
User select permission
Now run the app again. New todos are inserted and only todos for the user are fetched and displayed. Your backend is succesfully secured!