We can manage who can access every field and directive in the schema through access control lists.
GraphQL API for WordPress ships with the following access control rules:
- Grant access if the user is logged in or logged out
- Grant access if the user has some role
- Grant access if the user has some capability
Whenever the requested query (either executed through a custom endpoint or as a persisted query) contains one or more of the fields or directives added to the access control list, the corresponding rules are evaluated. If any rule is not satisfied, access to that field or directive is denied.
The configuration is created through an access control list, and delivered to custom endpoints and persisted queries via the schema configuration.
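The evaluation described above can be modelled in a few lines. This is an added example, not the plugin's own code: the `Type.field` / `@directive` element names, the sample users and the helper names are all constructed for illustration, and the fields and directives of the query are assumed to have been extracted already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    logged_in: bool
    roles: frozenset = frozenset()
    capabilities: frozenset = frozenset()

# The three rule types the page lists, modelled as predicates over a User.
def user_state(logged_in):
    return lambda user: user.logged_in == logged_in

def has_role(role):
    return lambda user: role in user.roles

def has_capability(capability):
    return lambda user: capability in user.capabilities

# Constructed access control list: schema element -> rules that must ALL pass.
ACL = {
    "User.email": [user_state(True), has_role("editor")],
    "Root.draftPosts": [has_capability("edit_posts")],
    "@translate": [user_state(True)],
}

def denied_elements(requested, user, acl=ACL):
    """Return the requested fields/directives the user may not access.

    Elements missing from the ACL carry no rules and are left alone;
    a listed element is denied as soon as any one of its rules fails.
    """
    denied = []
    for element in requested:
        rules = acl.get(element)
        if rules is None:
            continue
        if not all(rule(user) for rule in rules):
            denied.append(element)
    return denied

# Constructed sample users and the elements one query asks for.
ANONYMOUS = User(logged_in=False)
SUBSCRIBER = User(True, frozenset({"subscriber"}), frozenset({"read"}))
EDITOR = User(True, frozenset({"editor"}), frozenset({"read", "edit_posts"}))
QUERY_ELEMENTS = ["Root.posts", "User.email", "Root.draftPosts", "@translate"]

if __name__ == "__main__":
    for name, user in [("anonymous", ANONYMOUS), ("subscriber", SUBSCRIBER), ("editor", EDITOR)]:
        print(name, "denied:", denied_elements(QUERY_ELEMENTS, user))
```

Note that the subscriber is logged in yet is still denied `User.email`, because the role rule on the same element fails: one unsatisfied rule is enough to deny.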