Hello,
I would like to know if it is safe to allow multiple clients to use and have access to the same jwk_url.
Context:
My company is creating something which requires deploying several Hasura instances. One of these is the our “Core” Hasura instance, and the rest are different “Client” Hasura instances for the several projects of different organizations. These client instances can be managed/hosted by our clients too (which means they can see the deployments’ env vars/secrets, because they may own it).
We’re currently using the built-in HASURA_GRAPHQL_JWT_SECRET env var when deploying all the Hasura instances, as per this official Auth0 + Hasura JWT auth documentation: Auth0 | Hasura Authentication Tutorial.
The values for this env var have the format {"jwk_url":"https://TENANT-ID.REGION.auth0.com/.well-known/jwks.json","type":"RS256"}.
Ideally, we would have a single Auth0 Tenant that handles all Client Hasura instances, however we are concerned that this would not be secure, because every Client Admin would have access to this single, shared value.
Currently, we’re manually creating a new Tenant for each Client Hasura deployment, because we were concerned that using this env var value across different projects/organizations was safe security-wise.
If this is, in fact, unsafe, is there a way that we could authenticate several unrelated organization projects (Client Hasura instances, in our case) without having to create new tenants for each?