
Invalid or expired JWT tokens should prevent request from being serviced #38

@mlipscombe


Currently, the JWT plugin returns a 403 status when an invalid or expired JWT token is sent in the Authorization header, but it does not stop processing the request. I think this is logically and semantically incorrect, and that no processing of the request should take place.

The current approach prevents a retry handler from being used on the client side to refresh a token and re-attempt the query without a deep understanding of every query or mutation that was executed, because the query or mutation may not fail, but may fail to return the expected data (for example, a customer's orders) or fail to execute the mutation in the way intended (for example, creating an anonymous comment vs. a comment from an authenticated user).

Aborting the request altogether is, IMHO, the path of least surprise. It allows a quick recovery when a token has expired (reducing round-trip time because less processing has to be done on the 403 response), and the client is not left trying to figure out what did work, what didn't work and what had an unintended side effect.

WP REST has the [rest_authentication_errors](https://developer.wordpress.org/reference/hooks/rest_authentication_errors/) hook, through which authentication plugins can return a WP_Error that stops processing. I think that this is a good pattern to follow.

Other GraphQL implementations fail without processing the request on invalid/expired authentication credentials. Some examples: Postgraphile, Prisma
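The `rest_authentication_errors` pattern the issue recommends, as an added example that is not part of the original issue or of the plugin's code: a filter callback that verifies an HS256 token's signature and `exp` claim and returns a `WP_Error` so the request is aborted before any endpoint code runs. The `EXAMPLE_JWT_SECRET` constant and the `example_*` function names are assumed placeholders, and the Authorization header is assumed to reach PHP as `$_SERVER['HTTP_AUTHORIZATION']`.

```php
<?php
// Added example, not the plugin's own code: abort the request on a bad or
// expired HS256 token via the rest_authentication_errors filter. The secret
// constant and function names are hypothetical placeholders.

add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( null !== $result ) {
        return $result; // Another handler already decided; respect it.
    }
    $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
    if ( 0 !== stripos( $header, 'Bearer ' ) ) {
        return null; // No token: let the request continue unauthenticated.
    }
    $reason = example_jwt_validation_error( trim( substr( $header, 7 ) ), EXAMPLE_JWT_SECRET );
    if ( null !== $reason ) {
        // Returning WP_Error stops the request before any endpoint code runs,
        // so a client can refresh its token and retry without guessing what ran.
        return new WP_Error( 'jwt_invalid', $reason, array( 'status' => 403 ) );
    }
    return true; // Valid token: authentication succeeded.
} );

// Returns why the token is unusable, or null when it is valid.
function example_jwt_validation_error( $token, $secret ) {
    $parts = explode( '.', $token );
    if ( 3 !== count( $parts ) ) {
        return 'Malformed token.';
    }
    list( $h64, $p64, $s64 ) = $parts;
    $header  = json_decode( example_b64url_decode( $h64 ), true );
    $payload = json_decode( example_b64url_decode( $p64 ), true );
    if ( ! is_array( $header ) || ! is_array( $payload ) || 'HS256' !== ( $header['alg'] ?? '' ) ) {
        return 'Unsupported or malformed token.'; // Also rejects alg=none.
    }
    $expected = hash_hmac( 'sha256', $h64 . '.' . $p64, $secret, true );
    if ( ! hash_equals( $expected, example_b64url_decode( $s64 ) ) ) {
        return 'Bad signature.'; // Checked before exp so a forged exp cannot matter.
    }
    if ( ! isset( $payload['exp'] ) || time() >= (int) $payload['exp'] ) {
        return 'Token expired.';
    }
    return null;
}

function example_b64url_decode( $s ) {
    $pad = str_repeat( '=', ( 4 - strlen( $s ) % 4 ) % 4 );
    return (string) base64_decode( strtr( $s, '-_', '+/' ) . $pad );
}
```

A request with no Authorization header still falls through to anonymous handling; only a present-but-invalid token is rejected, which is the behaviour the issue asks for.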
