hasura / ra-data-hasura

react-admin data provider for Hasura GraphQL Engine
MIT License
336 stars, 70 forks

Improve the Authentication Headers example to avoid security flaws #147

Open slax57 opened 1 year ago

slax57 commented 1 year ago

It seems to me that the Adding Authentication Headers section is very misleading in the way it suggests implementing authentication.

It encourages passing the Hasura admin secret as the x-hasura-admin-secret HTTP header, but this should be kept for early development stages only. If ever such code gets deployed to production, then basically the Hasura admin secret will be embedded in the (client-side) JS code, as well as in each HTTP request.

To me, this doc section should rather encourage providing only the JWT token, or at least add a very highlighted warning note about it.
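The difference the issue is about, as an added example that is not code from the ra-data-hasura README or the project: the insecure header factory that ships the admin secret to the browser, beside a JWT-only factory and a guard that refuses the admin-secret header in client-side code. The `makeHeaderContext` shape mirrors an Apollo `setContext` callback; wiring it into `ApolloClient` and `buildHasuraProvider` is assumed and not shown, and the token and secret values are constructed.

```javascript
// Added example, not part of the ra-data-hasura project.
// Per-request header construction for a react-admin -> Hasura data provider.

const ADMIN_SECRET_HEADER = 'x-hasura-admin-secret';

// INSECURE for production: the admin secret is embedded in the JS bundle and
// sent on every request, so anyone who can read the bundle or open devtools
// gets unrestricted admin access to the GraphQL engine.
function adminSecretHeaders(previousHeaders, adminSecret) {
  return { ...previousHeaders, [ADMIN_SECRET_HEADER]: adminSecret };
}

// Preferred: only the user's JWT travels to Hasura. Hasura checks the
// signature server-side and derives the session role/claims from the token,
// so the browser never holds a credential that grants admin rights.
// getToken is assumed to return the current session JWT (or null).
function jwtHeaders(previousHeaders, getToken) {
  const token = getToken();
  if (!token) {
    // No session: send no Authorization header rather than a malformed
    // bearer, so Hasura applies its unauthorized role (if one is configured).
    return { ...previousHeaders };
  }
  return { ...previousHeaders, Authorization: `Bearer ${token}` };
}

// Guard for code paths that run in the browser: fail loudly if the admin
// secret header is about to be sent from the client.
function assertSafeForBrowser(headers) {
  const leaked = Object.keys(headers).find(
    (name) => name.toLowerCase() === ADMIN_SECRET_HEADER
  );
  if (leaked) {
    throw new Error(
      `${ADMIN_SECRET_HEADER} must not be sent from client-side code; use a JWT instead`
    );
  }
  return headers;
}

// Header factory in the shape of an Apollo setContext callback
// ((operation, { headers }) => ({ headers })). Apollo wiring is assumed.
function makeHeaderContext(getToken) {
  return (_operation, { headers = {} } = {}) => ({
    headers: assertSafeForBrowser(jwtHeaders(headers, getToken)),
  });
}

// Stand-alone demonstration with a constructed token.
if (typeof require !== 'undefined' && require.main === module) {
  const ctx = makeHeaderContext(() => 'constructed.jwt.token');
  console.log(ctx({}, { headers: { 'content-type': 'application/json' } }));
}
```

`assertSafeForBrowser` is the cheap check a team can keep in the client build: it turns a copy-pasted admin-secret header into a thrown error at startup instead of a credential leak in production.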