Hey guys, I was reading this http://graphql.org/learn/authorization/ and I was wondering, what is the best practice to deal with authorization failures. If I e.g. request a draft I didn't create, do I return an empty response? What is the best practice about informing the client about the error? Status Code, Response Body, Headers or something different?