The complexity of building a GraphQL API permissions layer and how Hasura solves this

What's this blog post about?

API security breaches are becoming more common, with Gartner predicting that by 2025, insecure APIs will account for over 50% of data theft incidents. As businesses continue to adopt an API-driven approach to software development, securing their APIs is crucial. GraphQL APIs require a more complex authorization layer than REST APIs due to factors such as data modeling, roles and attributes, nested rules, and performance considerations. Building an authorization layer involves various methods, including API-wide, resolver-based, and schema/model-based approaches. In GraphQL, the context object is used for passing authentication and authorization details to every resolver. However, writing custom authorization logic can be challenging and may lead to a lot of boilerplate code that becomes difficult to maintain. Hasura offers a powerful authorization engine that allows developers to declaratively define fine-grained permissions and policies to restrict access to specific data elements based on session information in an API call. This approach simplifies the effort needed to build authorization logic into APIs, making it easier for developers and security teams to create, maintain, evolve, and audit their code.

Company
Hasura

Date published
July 5, 2023

Author(s)
Praveen Durairaju

Word count
2144

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.