another question: in the permission system, one can choose for 'authenticated'. When integrated with auth0 (or JWT in general), what does authenticated check? valid token, that's the minimum. But what about: JWT still valid (the

exp

field)? email verified? other fields? (I've had similar questions a few times already, and it's really a pitty that the payload of the http

Authorization

header is not exposed in the permission query system... it would make life with graphcool soooo much more logic)