Basic auth lockdown

I want to lock down update, delete, create to only a single authorized user (an automated script that populates and updates data and maintains game state).

I was looking at some examples and I found this:

    add: { rule:  "{$ROLE: { eq: \"ADMIN\" } }" },
    update: { rule:  "{$ROLE: { eq: \"ADMIN\" } }" },
    delete: { rule:  "{$ROLE: { eq: \"ADMIN\" } }" },

Does this lock it down to a custom attribute “ROLE”, or is it generated ADMIN API keys from the security tab?

I basically want to allow anyone to query anything from the API (there is only one type, it’s fairly simple) but all updates are locked down to only the core application to manage.

Also, if you do lock it down to an api key, any example on how to use these keys from api explorer.

Dgraph uses to JWK URL or JWT to authenticate users. You may find more details about auth over here .
You may read more about JWT over here,

In the example of @auth which you have provided, the ROLE provided from the JWT or JWK URL will be considered to authenticate the user.

To lock down the updates to the core application, you may need to provide a signed JWT token with ROLE set to ADMIN to the core application.

Do let us know if you have any more queries / questions.