I would like to check for correct auth/permissions before a user can access my Prisma forwardTo(‘db’) API

posts: forwardTo('db')

What’s the best approach to handle this?

Can recommend to have a look at GraphQL-Shield.

Yes, you will require a middleware. I can also recommend graphql-shield

Cheers, I will checkout graphql-shield.