Protect GQL endpoint


About the endpoint that Slash exposes, is it safe to give this endpoint to clients and restrict queries and mutations by @auth, or should I have a server that exposes only part of the functionality of the whole generated GQL API?
I am asking because sometimes, even if the user is authorized and authenticated, he can create queries that are not legit, by mistake or on purpose.

Both models work with Slash GraphQL, but we are encouraging users to expose their endpoint directly to clients. Please remember to set up auth rules that lock down any resources you don’t want to expose (remembering to block query / create / delete / update).
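
As an added example (not part of the original posts and not Dgraph's own tooling), here is one way to audit a schema before exposing the endpoint directly: it reports every type that leaves query, add, update or delete without an `@auth` rule. Dgraph's `@auth` names the create operation `add`. The sample schema, its type names and the function names are constructed for illustration.

```python
import re

# Operations a Dgraph @auth directive can carry a rule for ("add" is create).
OPERATIONS = ("query", "add", "update", "delete")
# String literals (rules) and comments are blanked so their braces/parens are ignored.
STRIP = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|#.*')
TYPE_HEADER = re.compile(r'\b(?:type|interface)\s+(\w+)((?:[^{(]|\([^)]*\))*)\{')

# Constructed sample: Todo is fully covered, Note only restricts query,
# AuditLog has no @auth at all.
SAMPLE_SCHEMA = '''
type Todo @auth(
  query:  { rule: """query($USER: String!) { queryTodo(filter: { owner: { eq: $USER } }) { id } }""" },
  add:    { rule: """query($USER: String!) { queryTodo(filter: { owner: { eq: $USER } }) { id } }""" },
  update: { rule: """query($USER: String!) { queryTodo(filter: { owner: { eq: $USER } }) { id } }""" },
  delete: { rule: "{$ROLE: { eq: \\"ADMIN\\" } }" }
) {
  id: ID!
  owner: String! @search(by: [hash])
}
type Note @auth(query: { rule: "{$ROLE: { eq: \\"ADMIN\\" } }" }) {
  id: ID!
}
type AuditLog {
  id: ID!
}
'''

def top_level_keys(args):
    """Return the keys at nesting depth 0 of an @auth(...) argument list."""
    keys, depth = set(), 0
    for m in re.finditer(r'[{\[]|[}\]]|(\w+)\s*:', args):
        if m.group(1):
            if depth == 0:
                keys.add(m.group(1))
        elif m.group(0) in "{[":
            depth += 1
        else:
            depth -= 1
    return keys

def unprotected_operations(schema):
    """Map each type name to the operations that have no @auth rule."""
    cleaned = STRIP.sub(lambda m: "" if m.group(0).startswith("#") else '""', schema)
    report = {}
    for name, header in TYPE_HEADER.findall(cleaned):
        auth = re.search(r'@auth\s*\(([^)]*)\)', header)
        covered = top_level_keys(auth.group(1)) if auth else set()
        missing = [op for op in OPERATIONS if op not in covered]
        if missing:
            report[name] = missing
    return report
```

An operation listed in the report is open to any caller of the endpoint, so a check like this can run in CI before each schema update.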