Hey @aleclofabbro, the recommended way is to keep the expiry of access tokens short. We are also releasing Custom JS resolvers soon which would allow you to add business logic on top of your pre-existing auto-generated resolvers.
@dusty-phillips 20.11 release would have an option to change the default to Closed by default instead of the current public by default. This would mean that a JWT must be supplied to access any of the resources. We are getting the docs up for this right now.