Here are the @auth docs.
You can form an appropriate JWT token and pass it to the GraphQL API, which will decide, based on that token, whether someone can perform the query/mutation they are trying to do. So, if you don’t want all your users to have access to certain queries/mutations, then you can have a schema with auth rules like this:
```graphql
type Country @auth(
  query: { rule: "{$ROLE: { eq: \"ADMIN\"}}"},
  add: { rule: "{$ROLE: { eq: \"ADMIN\"}}"},
  update: { rule: "{$ROLE: { eq: \"ADMIN\"}}"},
  delete: { rule: "{$ROLE: { eq: \"ADMIN\"}}"}
) {
  id: ID!
  name: String! @search(by: [hash])
}
```
Then just don’t issue your users a JWT token containing ROLE as ADMIN, and they won’t be able to perform any query/mutation for type Country.
We are in the process of updating our docs at present, so expect better docs in a couple of days.
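The following is an added example, not part of the original post and not Dgraph's own code: a stand-alone Python model of how a `ROLE` claim in a signed JWT gates the `Country` rule above, including rejection of unsigned or altered tokens. The HS256 algorithm, the shared secret, the claim namespace URL and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"           # assumption: shared HS256 key
NAMESPACE = "https://example.com/jwt/claims"  # assumption: key holding custom claims

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(role: str, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT whose namespaced claims carry ROLE."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({NAMESPACE: {"ROLE": role}}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verified_claims(token: str, key: bytes = SECRET) -> dict:
    """Return the namespaced claims, or {} if the token does not verify."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":      # refuse "none" and unexpected algorithms
            return {}
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison of the signature bytes
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return {}
        claims = json.loads(b64url_decode(payload_b64)).get(NAMESPACE, {})
        return claims if isinstance(claims, dict) else {}
    except (ValueError, AttributeError):      # malformed base64, JSON or structure
        return {}

def country_allowed(token: str) -> bool:
    """Evaluate the rule {$ROLE: {eq: "ADMIN"}} against verified claims only."""
    return verified_claims(token).get("ROLE") == "ADMIN"

if __name__ == "__main__":
    for role in ("ADMIN", "USER"):
        print(role, "->", country_allowed(issue_token(role)))
```

The rule is only as strong as the signature check in front of it: claims are read after verification, so a token whose payload was edited to say `ADMIN` is treated the same as a token with no role at all.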