We can manage who can access every field and directive in the schema through access control lists.
Gato GraphQL ships with the following access control rules:
Grant access if the user is logged in or logged out
Grant access if the user has some role
Grant access if the user has some capability
Grant access if the visitor comes from an allowed IP address
Whenever the requested query (either executed through a custom endpoint or as a persisted query) contains one or more of the fields or directives added to the access control list, the corresponding rules are evaluated. If any rule is not satisfied, access to that field or directive is denied.
The configuration is created through an access control list (ACL), and delivered to custom endpoints and persisted queries via the schema configuration.
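The evaluation described above can be modeled as follows. This is an added example, not Gato GraphQL's own code: the rule names, the `Requester` type, the `denied_elements` function and the sample ACL are all hypothetical, and it assumes the fields and directives of the query have already been extracted into a list.

```python
# Added illustration: a simplified model of ACL evaluation, not Gato GraphQL's code.
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Requester:
    """Constructed stand-in for the visitor executing the query."""
    logged_in: bool
    ip: str
    roles: set = field(default_factory=set)
    capabilities: set = field(default_factory=set)


# One checker per rule type listed on the page. Rule names are hypothetical.
RULES = {
    "user_state": lambda r, want: ("in" if r.logged_in else "out") == want,
    "roles": lambda r, any_of: bool(r.roles & set(any_of)),
    "capabilities": lambda r, any_of: bool(r.capabilities & set(any_of)),
    "ips": lambda r, allowed: ip_address(r.ip) in {ip_address(a) for a in allowed},
}


def denied_elements(acl, requested, requester):
    """Return {element: [failed rule names]} for requested fields/directives.

    Elements absent from the ACL are unrestricted. For a listed element,
    every configured rule must pass; one failure denies access to it.
    """
    denied = {}
    for element in requested:
        failed = [name for name, value in acl.get(element, {}).items()
                  if not RULES[name](requester, value)]
        if failed:
            denied[element] = failed
    return denied


# Constructed ACL: keys are "Type.field" or "@directive".
SAMPLE_ACL = {
    "User.email": {"user_state": "in", "roles": ["administrator", "editor"]},
    "Root.optionValue": {"capabilities": ["manage_options"], "ips": ["203.0.113.10"]},
    "@remove": {"user_state": "in"},
}
```

Returning the failed rule names per element is useful when auditing an ACL: it shows which rule blocked a given visitor rather than only that access was denied.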