Three Strategies

There are three places to put the boundary.

1. Restrict the URI
   Partition routes into public and private spaces.

2. Restrict the API call
   Authorize each operation before it touches data.

3. Restrict the data
   Filter the database scope to graphs the user can read or change.
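The three boundaries applied together, as an added example that is not part of the original page: a hypothetical in-memory graph store with constructed users, graph names and triples (every name below is an assumption), where the route space, the operation and the data scope are each checked in turn.

```python
# Added illustration (not from the original page): the three boundaries applied
# to one hypothetical graph store. Users, graph names and triples are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Triple = Tuple[str, str, str]


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    readable: FrozenSet[str]   # graphs this user may read
    writable: FrozenSet[str]   # graphs this user may change


# Constructed sample store: graph name -> set of (subject, predicate, object)
STORE = {
    "public/catalog":  {("item1", "price", "10")},
    "private/hr":      {("alice", "salary", "100")},
    "private/finance": {("q1", "revenue", "999")},
}

ANONYMOUS = User("anonymous", frozenset(), frozenset({"public/catalog"}), frozenset())
BOB = User("bob", frozenset({"viewer"}), frozenset({"public/catalog"}), frozenset())
ALICE = User("alice", frozenset({"staff"}), frozenset(STORE), frozenset({"private/hr"}))


# Boundary 1: restrict the URI. Routes are partitioned into a public space
# anyone may enter and a private space that requires an authenticated user.
def route_allowed(path: str, user: User) -> bool:
    if path.startswith("/public/"):
        return True
    if path.startswith("/private/"):
        return bool(user.roles)
    return False


# Boundary 2: restrict the API call. Each operation is authorized on its own;
# an empty role set means any caller, an unknown operation is always refused.
OPERATION_ROLES = {"read": frozenset(), "write": frozenset({"staff"})}


def operation_allowed(op: str, user: User) -> bool:
    required = OPERATION_ROLES.get(op)
    if required is None:
        return False
    return not required or bool(required & user.roles)


# Boundary 3: restrict the data. The store only ever exposes the graphs the
# user may read (or change); graphs outside that scope do not exist for them.
def scoped_store(user: User, op: str) -> dict:
    permitted = user.readable if op == "read" else user.writable
    return {g: triples for g, triples in STORE.items() if g in permitted}


def search(user: User, predicate: str) -> list:
    """Query across the user's readable scope only, never the whole store."""
    hits = []
    for graph, triples in scoped_store(user, "read").items():
        hits.extend((graph, t) for t in triples if t[1] == predicate)
    return sorted(hits)


def handle_request(path: str, op: str, user: User,
                   triple: Optional[Triple] = None) -> Tuple[int, Optional[list]]:
    """Apply the three boundaries in order and return (status, payload)."""
    if not route_allowed(path, user):
        return 404, None                      # the private space is invisible
    if not operation_allowed(op, user):
        return 403, None                      # caller may not perform this op
    graph = path.strip("/")
    scope = scoped_store(user, op)
    if graph not in scope:
        return 403, None                      # graph outside the user's scope
    if op == "read":
        return 200, sorted(scope[graph])
    if triple is None:
        return 400, None
    scope[graph].add(triple)                  # same set object as in STORE
    return 204, None


if __name__ == "__main__":
    print(handle_request("/public/catalog", "read", ANONYMOUS))          # (200, [('item1', 'price', '10')])
    print(handle_request("/private/hr", "read", ANONYMOUS))              # (404, None)
    print(handle_request("/private/hr", "write", BOB, ("a", "b", "c")))  # (403, None)
    print(handle_request("/private/finance", "read", BOB))               # (403, None)
    print(search(BOB, "salary"), search(ALICE, "salary"))
```

Each layer refuses a different request in the usage at the bottom: the route check hides the private space from the anonymous caller, the operation check stops the viewer from writing, and the scoped store keeps a viewer who can legitimately reach a private route from seeing a graph outside their own scope.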