Auth: Hook for validating things outside a JWT

We should probably try to support validating flows that can’t fit all validation inside a JWT.

Do we need to extend our GraphQL directive for this - to support as many use cases as possible?