A lot of GraphQL providers expect HTTP POST from the HTTP GraphQL client.
In the document below, it looks like GitHub's implementation prefers HTTP POST.
How about something like
Preferably, parts of GraphQL are public so that authorization could be obsolete.
The GraphQL Foundation recommends that a GraphQL server can handle POST and GET requests.