⬡ GraphQL Intermediate

How do you implement authorization in GraphQL resolvers?

Answer

Authorization (what an authenticated user is allowed to do, as distinct from authentication, which establishes who the user is) in GraphQL can be implemented at several levels:

(1) Resolver-level: check permissions inside each resolver, e.g. if (context.user.role !== 'ADMIN') throw new GraphQLError('Forbidden', { extensions: { code: 'FORBIDDEN' } }); Verbose, but granular.
(2) Schema directives: a declarative annotation on fields such as @auth(requires: ADMIN). Cleaner, but requires implementing the directive.
(3) Middleware: wrap resolvers with permission checks using graphql-shield, defining the rules declaratively outside the resolvers.
(4) Business logic layer: move authorization into service/model classes, keeping the resolvers thin.
(5) Row-level security: push authorization down to the database layer (PostgreSQL RLS).

Best practice: use a service layer in which objects are pre-filtered by the user's permissions, and never trust a client-supplied ID without verifying that the current user owns (or is allowed to access) the object it refers to.