Dgraph uses to JWK URL or JWT to authenticate users. You may find more details about auth over here .
You may read more about JWT over here,
In the example of @auth which you have provided, the ROLE provided from the JWT or JWK URL will be considered to authenticate the user.
To lock down the updates to the core application, you may need to provide a signed JWT token with ROLE set to ADMIN to the core application.
Do let us know if you have any more queries / questions.