Hi guys. I'd like to prevent a user to run an introspection query on my graphcool when he's logged. After all, he has a token, he can knows my graphcool endpoint via his network tab, he could do whatever he wants. A logged user could do this? How can I prevent that?

Even though a user is logged in, that doesn't mean that he/she can do everything with your endpoint. Permission queries are used to define what a user can actually do.