Menu
Article api

GraphQL API Design - Flexibility vs Complexity

Rishabh Pandey

• 3 min read

Introduction

GraphQL, developed by Facebook in 2015, is a query language for APIs that provides clients with flexibility in data retrieval. Unlike REST, which requires predefined endpoints, GraphQL allows clients to specify the exact data they need, reducing over-fetching and under-fetching of data. This makes GraphQL particularly useful for applications with complex relationships and dynamic frontends.

In this guide, we will design an E-Commerce API using GraphQL, explaining every aspect in detail, including schema design, queries, mutations, error handling, authentication, and performance optimizations.

1. Understanding GraphQL vs REST

Before diving into implementation, let’s compare GraphQL vs REST in terms of key design considerations:

FeatureGraphQLREST
Data FetchingClient specifies required fieldsFixed response structure per endpoint
Over-fetchingAvoided by selecting fieldsCommon due to predefined responses
Under-fetchingAvoided by requesting multiple related resourcesRequires multiple API calls
Endpoint StructureSingle /graphql endpointMultiple RESTful endpoints
VersioningNot required (flexible schema evolution)Requires explicit versioning (e.g., /v1/products)
Real-time UpdatesSupported via subscriptionsRequires WebSockets or polling

GraphQL is ideal for modern frontends, but it introduces additional complexity in caching, security, and performance optimization.

2. Designing the E-Commerce API Schema

2.1. Defining the GraphQL Schema

A GraphQL API starts with defining a schema. The schema consists of typesqueries, and mutations.

Example GraphQL Schema (E-Commerce API)

type User {
  id: ID!
  name: String!
  email: String!
  orders: [Order]
}

type Product {
  id: ID!
  name: String!
  description: String
  price: Float!
  stock: Int!
  category: Category
}

type Category {
  id: ID!
  name: String!
  products: [Product]
}

type Order {
  id: ID!
  user: User!
  products: [Product]!
  total: Float!
  status: String!
}

type Query {
  users: [User]
  user(id: ID!): User
  products: [Product]
  product(id: ID!): Product
  orders: [Order]
  order(id: ID!): Order
}

type Mutation {
  createUser(name: String!, email: String!, password: String!): User
  createProduct(name: String!, price: Float!, stock: Int!): Product
  createOrder(userId: ID!, productIds: [ID!]!): Order
}

This schema defines the core entities and operations for our E-Commerce API.

3. Writing GraphQL Queries

In GraphQL, clients can request specific fields within a resource.

Example: Fetching Products with Category Details

query {
  products {
    id
    name
    price
    category {
      name
    }
  }
}

Response:

{
  "data": {
    "products": [
      {
        "id": "1",
        "name": "Smartphone",
        "price": 699.99,
        "category": {
          "name": "Electronics"
        }
      }
    ]
  }
}

Unlike REST, the client chooses what fields to retrieve, optimizing network usage.

4. Mutations (Creating and Updating Data)

Mutations in GraphQL are equivalent to POST, PUT, and DELETE operations in REST.

Example: Creating a New Order

mutation {
  createOrder(userId: "1", productIds: ["101", "102"]) {
    id
    total
    status
  }
}

Response:

{
  "data": {
    "createOrder": {
      "id": "501",
      "total": 1299.98,
      "status": "Pending"
    }
  }
}

Mutations ensure that data changes are processed correctly within the API.

5. Error Handling in GraphQL

Unlike REST, GraphQL always returns a 200 OK response, even for errors. Errors are handled inside the response body.

Example: Requesting a Non-Existent Product

query {
  product(id: "9999") {
    id
    name
  }
}

Response:

{
  "errors": [
    {
      "message": "Product not found",
      "locations": [{ "line": 2, "column": 3 }],
      "path": ["product"]
    }
  ]
}

Error responses should be structured and informative.

6. Authentication & Authorization

GraphQL APIs typically use JWT authentication. A token is passed in the request header.

Example: Authenticated Query

POST /graphql HTTP/1.1
Authorization: Bearer <jwt-token>

Role-based access control (RBAC) can be implemented using GraphQL directives.

type User {
  id: ID!
  name: String!
  email: String!
  orders: [Order] @auth(requires: ADMIN)
}

7. Optimizing Performance

7.1. Query Complexity Control

GraphQL can be resource-intensive if clients request deeply nested data. Use query depth limiting.

Example: Limiting Query Depth

{
  "maxDepth": 5
}

7.2. Caching Strategies

Unlike REST, GraphQL responses vary by query. Caching can be implemented at different levels:

  • Application-level caching (Redis, Memcached)
  • Persisted queries (storing common queries with hashed IDs)
  • Automatic persisted queries (APQ) (used by Apollo Server)

8. Real-Time Updates with Subscriptions

GraphQL supports real-time updates via subscriptions.

Example: Live Order Status Updates

subscription {
  orderUpdated(orderId: "501") {
    id
    status
  }
}

Whenever an order status changes, subscribed clients receive updates instantly.

Conclusion

GraphQL provides flexibility and efficiency compared to REST, but requires additional considerations for caching, security, and performance. Our E-Commerce API now supports:

  • Efficient data fetching (queries)
  • Modifications (mutations)
  • Real-time updates (subscriptions)
  • Error handling & authentication

In the next part of this series, we will explore RPC & Event-Driven APIs, including gRPC, WebSockets, and Kafka. Stay tuned! 🚀

Share