Server
Pick one of these roles if you are the developer of a GraphQL server library/framework.
For most users, the server default should be First-party API: APIs intended to power their own websites and applications only, and reject external requests. This is the right baseline for the majority of GraphQL deployments where clients are controlled by the same organization that develops the GraphQL API. It is also much easier to open an API up later than it is to lock it down once it has already shipped.
Use Third-party API only when untrusted external clients must be allowed to send ad hoc documents (for example the GitHub or Shopify public APIs).