#graphql
2019-04-11
hlship 16:04:19

There's a reason that we parse the query in one interceptor, and execute it in a later interceptor. There's a point in the middle where you can identify what the operation is. Our code at Walmart uses that opportunity to apply auth, and whitelist what operations a given API key is allowed to access.

orestis 20:04:53

Good pointer! I guess this would be the place to also add logging etc., right?

donaldball 17:04:55

I’m simply building my authorization checks for mutations atop the mutations’ resolver fns, though if there grew to be a bunch of them, separate interceptors would be easier to validate. But my question was at a slight remove from that: I wanted a query that could tell me if a given mutation (with some subset of args) might be authorized. I now have a :may query which takes a mutation name and a JSON string map of args and returns a boolean, which is reasonable, if a little annoying what with the map smuggling.