Hello,
Thanks for the question.
The client key is required when using the non-graphql endpoints, such as DQL’s /query, /mutate or the gRPC endpoints with a Dgraph client such as dgo.
DQL queries do not honor any @auth rules specified in your GraphQL schema, and hence access to these APIs require this extra layer of security.
We are also building out a simple way to lock down your GraphQL endpoint, and only allow anonymous access to certain operations, and this should go live in a month or so (End Feb 2021).
Tejas