This functionality enhances access control by adding control over the visibility of the schema.
When access to a field or directive is denied through access control, there are 2 ways for the API to behave:
Public mode: the fields in the schema are exposed, and when the permission is not satisfied, the user gets an error message with a description of why the permission was rejected. This behavior makes the metadata from the schema always available.
Private mode: the schema is customized to every user, containing only the fields available to him or her, and so when attempting to access a forbidden field, the error message says that the field doesn't exist. This behavior exposes the metadata from the schema only to those users who can access it.
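The two behaviors can be modeled in a few lines. The following is an added example, not code from the project this page describes; the schema, the capability name `edit_posts`, the error codes and the message wording are assumptions made for illustration. It also includes a check a reviewer can run to confirm that private mode does not reveal whether a forbidden field exists:

```python
from dataclasses import dataclass

# Constructed sample schema: field name -> capability required (None = no restriction).
# Field names and the capability string are assumptions for this illustration.
SCHEMA = {"id": None, "title": None, "status": "edit_posts"}

@dataclass(frozen=True)
class User:
    name: str
    capabilities: frozenset = frozenset()

def allowed(user, field):
    required = SCHEMA[field]
    return required is None or required in user.capabilities

def introspect(user, mode):
    """Field names the schema exposes to this user."""
    if mode == "public":
        return sorted(SCHEMA)  # metadata is always available
    return sorted(f for f in SCHEMA if allowed(user, f))  # schema customized per user

def resolve(user, field, mode):
    """Resolve one field; returns {'data': ...} or {'error': {...}}."""
    not_found = {"error": {"code": "FIELD_NOT_FOUND",
                           "message": f"There is no field '{field}'"}}
    if field not in SCHEMA:
        return not_found
    if allowed(user, field):
        return {"data": f"<{field}>"}
    if mode == "public":
        # Public mode: explain why the permission was rejected.
        return {"error": {"code": "ACCESS_DENIED",
                          "message": f"Field '{field}' requires capability '{SCHEMA[field]}'"}}
    # Private mode: same response as for a field that was never defined.
    return not_found

def reveals_existence(user, mode, forbidden, undefined="no_such_field"):
    """True if a denied field can be told apart from an undefined one."""
    in_schema = forbidden in introspect(user, mode)
    codes_differ = (resolve(user, forbidden, mode)["error"]["code"]
                    != resolve(user, undefined, mode)["error"]["code"])
    return in_schema or codes_differ
```
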
We can see in this image how, when executing a persisted query, access to field status becomes restricted, and what the error message is when using both public and private modes:
How to define the visibility for the API
There are 3 levels at which we can define whether the API is public or private. In order of priority:
1. Individually on fields and directives