Thank’s for all the answers!
I have already thought that I have to solve this via passing a JWT to the public /graphql endpoint. It still was a bit of a mission since we use Auth0 for our auth service, which generates the token using the RS256 algorithm. Unfortunately the private key is not exposed in Auth0 and thus I had to sign the token using the public key which obviously generates the token with HS256 (or something else but not RS256).
This left me with a workflow where I publish the entire schema including
# Dgraph.Authorization { "VerificationKey" : ... , "Algo": "HS256" }
then I seed the data. All the public nodes in the schema have a rule which grants access to a deployment claim in my JWT. This way I can make sure I don’t ha ve to fiddle around with auth.
After seeding I reset the auth back to the RS256 algorithm.
Not the nicest way I guess but it works… Maybe this helps someone!