We just made it possible to specify which API endpoints an API token can access.
This will prevent, for example, your production API token from being used to read temporary/draft content through the GraphQL preview endpoint.