This functionality enhances access control, to provide visibility to the schema.
When access to some a field or directive is denied through access control, there are 2 ways for the API to behave:
Public mode: the fields in the schema are exposed, and when the permission is not satisfied, the user gets an error message with a description of why the permission was rejected. This behavior makes the metadata from the schema always available.
Private mode: the schema is customized to every user, containing only the fields available to him or her, and so when attempting to access a forbidden field, the error message says that the field doesn't exist. This behavior exposes the metadata from the schema only to those users who can access it.
We can see in this image how, when executing a persisted query, access to field
status becomes restricted, and what the error message is when using both public and private modes:
How to define the visibility for the API permalink
There are 3 levels in which we can define the visibility of the API, if public or private. In order of priority:
1. Individually on fields and directives permalink
Note: This option is available when option "Enable granular control?" in the settings is
We can define the visibility for a set of fields and directives, when editing the entry from the access control list:
2. On the schema configuration permalink
We can define the visibility on the schema configuration, to be applied on the custom endpoint or persisted query as a whole:
3. Default mode, defined in the Settings permalink
If the schema configuration has value
"Default", it will use the mode defined in the Settings: