I don’t see why not… create a JWT secret key and lock down all queries and mutations with auth rules that are role based. Then generate a JWT for the admin that has the admin role and one for the https client that has the client role.
Anyone who then tries to use Slash without one of those would get nothing and could do nothing.
Would not a GraphQL endpoint serve a better purpose helping with N+1, overfetching, and underfetching?
Using a REST endpoint layer above Slash GraphQL just seems backwards to me, but it is possible for sure.
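The setup described in this reply, as an added example that is not part of the original post and not Slash GraphQL's own code: it signs HS256 tokens for an admin and a client role with one shared secret and models the role-based check locally. The `role` claim name, the operation names in `RULES`, and all helper names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint(secret: bytes, role: str, ttl: int = 3600) -> str:
    """Issue an HS256 JWT carrying one role claim and an expiry."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"role": role, "exp": int(time.time()) + ttl}).encode())
    return f"{header}.{body}.{b64e(sign(secret, f'{header}.{body}'))}"

def verify(secret: bytes, token: str):
    """Return the claims of a valid, unexpired token, else None."""
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm instead of trusting whatever the header asks for.
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sign(secret, f"{header}.{body}"), b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        return claims if claims["exp"] > time.time() else None
    except (ValueError, AttributeError, TypeError, KeyError):
        return None

# Hypothetical rule table (operation -> roles allowed); anything unlisted is denied.
RULES = {"queryItem": {"admin", "client"}, "addItem": {"admin"}, "deleteItem": {"admin"}}

def allowed(secret: bytes, token, operation: str) -> bool:
    """Deny by default: no token, bad token, or wrong role all get nothing."""
    claims = verify(secret, token) if token else None
    role = claims.get("role") if claims else None
    return isinstance(role, str) and role in RULES.get(operation, set())

if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed secret for the demo
    admin, client = mint(secret, "admin"), mint(secret, "client")
    for name, tok in (("admin", admin), ("client", client), ("anonymous", None)):
        print(name, {op: allowed(secret, tok, op) for op in RULES})
```
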