Making the API public or private
This functionality enhances access control by defining how visible the schema is.
When access to a field or directive is denied through access control, there are 2 ways for the API to behave:
Public mode: the fields in the schema are exposed, and when the permission is not satisfied, the user gets an error message with a description of why the permission was rejected. This behavior makes the metadata from the schema always available.
Private mode: the schema is customized to every user, containing only the fields available to him or her, and so when attempting to access a forbidden field, the error message says that the field doesn't exist. This behavior exposes the metadata from the schema only to those users who can access it.
How to define the visibility for the API
There are 3 levels at which we can define whether the API is public or private. In order of priority:
1. Individually on fields and directives
This option is available when the option "Enable granular control?" in the settings is on.
We can define the visibility for a set of fields and directives when editing the entry from the access control list.
2. On the schema configuration
We can define the visibility on the schema configuration, to be applied on the custom endpoint or persisted query as a whole.
3. Default mode, defined in the Settings
If the schema configuration has value "Default", it will use the mode defined in the Settings.
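The following added example (a toy model, not the plugin's own code) shows how the three levels resolve to one mode per field, and how that mode changes both the schema a user sees and the error returned for a denied field. The field names, permission names and error strings are constructed for the illustration.

```python
# Added illustration: a toy model of public vs. private schema visibility.
# Field names, permissions and error strings are constructed for this example.
PUBLIC, PRIVATE, DEFAULT = "public", "private", "default"

def effective_mode(entry_mode, schema_config_mode, settings_mode):
    """Resolve visibility by priority: ACL entry, schema configuration, Settings."""
    if entry_mode is not None:          # 1. set individually on the field/directive
        return entry_mode
    if schema_config_mode != DEFAULT:   # 2. set on the schema configuration
        return schema_config_mode
    return settings_mode                # 3. default mode from the Settings

class Schema:
    def __init__(self, fields, acl, schema_config_mode, settings_mode):
        self.fields = fields            # field name -> resolver
        self.acl = acl                  # field name -> (required permission, entry mode or None)
        self.schema_config_mode = schema_config_mode
        self.settings_mode = settings_mode

    def _denied(self, field, user_perms):
        return field in self.acl and self.acl[field][0] not in user_perms

    def _mode(self, field):
        return effective_mode(self.acl[field][1], self.schema_config_mode, self.settings_mode)

    def introspect(self, user_perms):
        """Fields listed in the schema as seen by this user."""
        return sorted(f for f in self.fields
                      if not (self._denied(f, user_perms) and self._mode(f) == PRIVATE))

    def query(self, field, user_perms):
        if field not in self.fields:
            return {"error": f"Field '{field}' does not exist"}
        if self._denied(field, user_perms):
            if self._mode(field) == PRIVATE:
                # Same response as for a field that was never defined.
                return {"error": f"Field '{field}' does not exist"}
            perm = self.acl[field][0]
            return {"error": f"Field '{field}' requires permission '{perm}'"}
        return {"data": self.fields[field]()}

# 'email' has no mode on its ACL entry, so it falls through to the Settings (private).
# 'draftCount' is set to public on its own ACL entry, which takes priority.
schema = Schema(
    fields={"title": lambda: "Hello", "email": lambda: "a@example.com",
            "draftCount": lambda: 3},
    acl={"email": ("list_users", None), "draftCount": ("edit_posts", PUBLIC)},
    schema_config_mode=DEFAULT, settings_mode=PRIVATE)
```

For a user without permissions, `schema.introspect(set())` omits `email` but still lists `draftCount`, and querying `email` is indistinguishable from querying a field that was never defined.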