What's the recommended approach for securing GraphQL APIs?

A header token or a token passed in the message directly are the two ways I most often see.