When we want to expose a GraphQL endpoint to developers outside of our team, additional challenges arise in protecting the backend from queries that hammer it. For this, API Connect offers advice and a way to do intelligent rate limiting (rate limiting per request doesn't make a lot of sense in the world of GraphQL, because a request can be either super cheap or super expensive).
In this example we'll expose the Star Wars API, which is hosted online at https://swapi-graphql.netlify.app/.netlify/functions/index
In API Connect we first choose to expose a new GraphQL endpoint.
We add the base path and the backend endpoint, and API Connect will try to fetch the schema. If this doesn't work (maybe due to authentication), you can always add the schema by using the add button.
The next screen shows a couple of options and some information:
- 88 warnings: these will be addressed later.
- Introspection: a checkbox to support introspection so that people can request the schema. Rather than being plainly forwarded to the GraphQL endpoint that serves as the backend, the introspection response will also reflect the changes and limitations that we configure later on.
- GraphQL editor: if someone goes to the GraphQL endpoint on the gateway with a browser, they will be served the GraphiQL editor to build queries.
- The cost endpoint: a way for someone to understand the rate limit cost (which we'll come back to later) of the query they are about to make, without making the actual query.
After a couple of extra windows we're done with the wizard, and we can start to address the warnings we saw earlier and think about the rate limiting cost.
First, API Connect recommends that we don't allow queries that have an unknown response size, to avoid executing very expensive queries on the backend. The suggestion is to use the @listSize directive, which forces the consumer to define where to start and where to stop based on the edges. You can read more on this here: https://ibm.github.io/graphql-specs/cost-spec.html#sec-The-List-Size-Directive
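To see why an unknown response size is the problem, here is an added sketch (not API Connect's code and not the full algorithm of the linked cost spec) that estimates an upper bound on the number of objects a query can return once list sizes are declared. The annotation table, the query-tree shape and the helper names are assumptions made for this example, modelled on the Star Wars schema; it assumes a weight of 1 per object and 0 per scalar, and requires exactly one slicing argument.

```python
class UnboundedList(Exception):
    """A sized list was queried without exactly one slicing argument."""

# Constructed annotations: connection field -> (slicing arguments, sized child
# fields), i.e. what a @listSize declaration on that field would state.
LIST_SIZE = {
    "allFilms": (("first", "last"), ("films", "edges")),
    "characterConnection": (("first", "last"), ("characters", "edges")),
}
# Fields that return objects (weight 1 each); everything else is a scalar (0).
OBJECT_FIELDS = {"allFilms", "films", "edges", "node",
                 "characterConnection", "characters"}

def type_cost(field, list_len=1):
    """Upper bound on the number of objects `field` can return."""
    name, args = field["name"], field.get("args", {})
    if name not in OBJECT_FIELDS:
        return 0
    child_len = {}
    if name in LIST_SIZE:
        slicing, sized = LIST_SIZE[name]
        given = [args[a] for a in slicing if a in args]
        if len(given) != 1:  # size unknown: refuse instead of guessing
            raise UnboundedList(f"{name}: need exactly one of {slicing}")
        child_len = dict.fromkeys(sized, given[0])
    per_item = 1 + sum(type_cost(c, child_len.get(c["name"], 1))
                       for c in field.get("fields", []))
    return list_len * per_item  # nested lists multiply

def films_query(films=None, chars=None):
    """Constructed tree for: allFilms { films { title
    characterConnection { characters { name } } } }"""
    arg = lambda n: {} if n is None else {"first": n}
    return {"name": "allFilms", "args": arg(films), "fields": [
        {"name": "films", "fields": [
            {"name": "title"},
            {"name": "characterConnection", "args": arg(chars), "fields": [
                {"name": "characters", "fields": [{"name": "name"}]}]}]}]}

if __name__ == "__main__":
    print(type_cost(films_query(2, 5)))      # one request, small bound
    print(type_cost(films_query(500, 500)))  # same single request, huge bound
```

Both calls are a single HTTP request, which is why the rate limit has to be expressed in cost rather than in request count.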
Now that we have applied all these recommendations, we are at a good starting point.
A good tip: many GraphQL servers have a bug in their implementation that gives an error on compressed requests. It's a good idea to go to the GraphQL invoke in the assembly and disable compression (the checkbox in the screenshot below).