https://graphweaver.com/docs/implementing-authorization
The auth is at the access control is at the API layer.