by kej 2889 days ago
>to control very easily who can fetch what where it's fetched (permissions)

This is a piece of GraphQL I haven't been able to get my head around. Could you elaborate or point me to a good explanation of how this is implemented? Everything I found when I looked into GraphQL previously was something like "you control access to individual resources in your business layer" but never explained how.

2 comments

In order for GraphQL to return a result when you ask for field “foo”, you need to define a resolver function for that field. Whatever that function returns will be returned to the client.

Inside that function you can write any code you’d like, including permissions code.

As sgdesign said, you can write your own resolver function (which allows you to retrieve a particular field deep in the nested graph of GraphQL). It's very easy to create decorators to handle the usual permission cases on the field level.
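
What the two replies describe, as an added example that is not part of the original thread: permission checks wrapped around individual field resolvers, so a guarded field stays guarded when it is reached through a nested path. The toy executor, the sample data and names such as `guard`, `isSelf`, `hasRole` and `queryUser` are assumptions standing in for a real GraphQL server.

```javascript
// Added example: a toy executor stands in for the GraphQL engine (assumption).
class ForbiddenError extends Error {}

// Decorator factory: wraps a resolver and runs `check` first (deny by default).
const guard = (check) => (resolver) => (parent, args, ctx) => {
  if (!ctx.user || !check(parent, args, ctx)) throw new ForbiddenError("forbidden");
  return resolver(parent, args, ctx);
};
const isSelf = guard((parent, _args, ctx) => parent.id === ctx.user.id);
const hasRole = (role) => guard((_p, _a, ctx) => ctx.user.roles.includes(role));

// Constructed sample data.
const USERS = {
  u1: { id: "u1", name: "alice", email: "alice@example.test", friendIds: ["u2"] },
  u2: { id: "u2", name: "bob", email: "bob@example.test", friendIds: ["u1"] },
};

// One resolver per field; the guard sits on the field, not on the entry query.
const resolvers = {
  Query: { user: (_p, args) => USERS[args.id] },
  User: {
    name: (u) => u.name,
    email: isSelf((u) => u.email),
    friends: (u) => u.friendIds.map((id) => USERS[id]),
    auditLog: hasRole("admin")((u) => [`login:${u.id}`]),
  },
};
const NESTED = { friends: "User" }; // fields whose values are lists of User

// Walks a selection such as { name: true, friends: { email: true } }.
// A denied field becomes null and its path is recorded in `errors`.
function resolveSelection(type, parent, selection, ctx, path, errors) {
  const out = {};
  for (const [field, sub] of Object.entries(selection)) {
    const here = `${path}.${field}`;
    try {
      const value = resolvers[type][field](parent, {}, ctx);
      out[field] = NESTED[field]
        ? value.map((v, i) => resolveSelection(NESTED[field], v, sub, ctx, `${here}[${i}]`, errors))
        : value;
    } catch (err) {
      if (!(err instanceof ForbiddenError)) throw err; // real bugs still surface
      out[field] = null;
      errors.push(here);
    }
  }
  return out;
}

function queryUser(id, selection, ctx) {
  const errors = [];
  const root = resolvers.Query.user(null, { id }, ctx);
  return { data: resolveSelection("User", root, selection, ctx, "user", errors), errors };
}
```

Because the check is attached to `User.email` itself, asking for a friend's `email` through `friends` is denied the same way as asking for it directly.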