You stopped the quote too early… It is also a runtime.
To say GraphQL is not an API is like saying REST is not an API or FHIR or HL7 or SOAP or CCDA or any other API flavor is not an API. It is the spec that the API must conform to, to be classified as a GraphQL server. But whatever you want to believe you may. You probably know GraphQL better than me anyways.
No they don’t… And this is not what Jonathan said either.
There are glaring holes in auth rules currently so be careful with them.
Auth will also currently slow down your queries if not done correctly which is close to impossible to do in the current state. I would almost say that there are NO secure Dgraph natiive GraphQL APIs. Anybody who thinks their auth rules are secure, please send me your graphql api endpoint and I will help you understand the issues.