Making the API public or private

This functionality enhances access control, to provide visibility to the schema.

When access to some a field or directive is denied through access control, there are 2 ways for the API to behave:

Public mode: the fields in the schema are exposed, and when the permission is not satisfied, the user gets an error message with a description of why the permission was rejected. This behavior makes the metadata from the schema always available.

Private mode: the schema is customized to every user, containing only the fields available to him or her, and so when attempting to access a forbidden field, the error message says that the field doesn't exist. This behavior exposes the metadata from the schema only to those users who can access it.

How to define the visibility for the API permalink

There are 3 levels in which we can define the visibility of the API, if public or private. In order of priority:

1. Individually on fields and directives permalink

📣 Note: This option is available when option "Enable granular control?" in the settings is on.

We can define the visibility for a set of fields and directives, when editing the entry from the access control list:

Individual Public/Private schema mode
Individual Public/Private schema mode

2. On the schema configuration permalink

We can define the visibility on the schema configuration, to be applied on the custom endpoint or persisted query as a whole:

3. Default mode, defined in the Settings permalink

If the schema configuration has value "Default", it will use the mode defined in the Settings: