GraphQLSchemas are intended to be immutable (they are according to their typings, there’s conceivable ways of working around this at runtime). It’s important to be clear about things like this in documentation, particularly when it’s pertaining to auth concerns.
If you are doing some exotic transformation the schema after it’s been built (e.g., something like
schema.getType('Foo').getFields()['bar'] = ...), then you’d want to make sure the schema is re-visited (the visitor functions apply a AST “visit” pattern to the way they traverse and apply their transformations).
If you’re not changing the schema after it’s passed to
ApolloServer — as is typically the case — you should not need to worry about this subtlety/word-of-caution.
Does that make sense?