What is your authorization line at the end of your schema (remove sensitive parts). I think you are probably using ClosedByDefault: true which
if set to
true, requires authorization for all requests even if the type does not specify the@authdirective.
https://dgraph.io/docs/graphql/authorization/authorization-overview/