Bit of an update after hacking around a bit… some errors, such as the fact that a JWT has expired, are returned in the graphql query, but not logged.
Further, if you cock up the JWT in some way and the auth variables are not parsed or the @auth directive blocks access/mutation (rightly so), no error is logged or returned in the query.
More data: if the # Dgraph.Authorization is not loaded correctly from the schema (see Authorization issue when schema is updated via /admin/schema?), the @auth directive (rightly so) blocks the query, but still no error is logged or returned.
Just a thought, when the @auth directive blocks access, maybe a 401 should be returned instead of a 200.