How do you implement query cost analysis and rate limiting in a production GraphQL API?
Answer
Production GraphQL APIs need multiple layers of protection.

Query cost analysis assigns weights to fields (scalars: 1, object relations: 5, list fields: multiplied by estimated item count) and rejects queries exceeding a total cost threshold before execution. Libraries like graphql-query-complexity implement this as a validation rule.

Rate limiting should be applied per-operation, per-user, and per-IP using token buckets or sliding window algorithms. A sophisticated approach uses cost-based rate limiting: each user has a point budget per time window, and each query deducts its computed cost. Rejected queries return 429 Too Many Requests with a Retry-After header.

Additional protections include timeout limits per resolver, maximum query depth, field-level rate limits for expensive resolvers, and disabling introspection in production. All of these should be implemented at the gateway level so they apply uniformly across all subgraphs.
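The following is an added example, not code from the answer above or from graphql-query-complexity: a gateway-side admission check in plain JavaScript that applies the weights the answer gives (scalar 1, object relation 5, list fields multiplied by the estimated item count), enforces a cost and depth ceiling before execution, then charges the cost against a per-user sliding-window point budget and answers 429 with a Retry-After header once the budget is spent. The SCHEMA, the POLICY limits, the default item estimate of 100 for lists without a `first:` argument, and the tiny query subset the parser accepts are all hypothetical simplifications; in a real gateway the same logic runs as a validation rule over the GraphQL AST against the live schema.

```javascript
// Hypothetical schema: field -> return type, with list-valued fields flagged.
const SCHEMA = {
  Query: { user: { type: 'User' }, users: { type: 'User', list: true } },
  User: { name: { type: 'String' }, posts: { type: 'Post', list: true } },
  Post: { title: { type: 'String' } },
};
const SCALARS = new Set(['String', 'Int', 'Float', 'Boolean', 'ID']);
const SCALAR_COST = 1;             // weight for scalar fields
const OBJECT_COST = 5;             // weight for object relations
const DEFAULT_LIST_ESTIMATE = 100; // assumed item count when a list has no `first:` argument
const POLICY = { maxCost: 500, maxDepth: 5, budget: 1000, windowMs: 60_000 }; // hypothetical limits

// Minimal tokenizer/parser for the subset `{ field(arg: 1) { sub } }`
// (constructed for the example: no aliases, fragments, variables or directives).
function tokenize(src) {
  return src.match(/[{}():]|[A-Za-z_][A-Za-z0-9_]*|-?\d+/g) ?? [];
}

function parseSelectionSet(tokens, pos) {
  if (tokens[pos] !== '{') throw new Error('expected "{"');
  pos += 1;
  const fields = [];
  while (pos < tokens.length && tokens[pos] !== '}') {
    const name = tokens[pos++];
    const args = {};
    if (tokens[pos] === '(') {
      pos += 1;
      while (tokens[pos] !== ')') {
        if (pos >= tokens.length) throw new Error('unterminated argument list');
        const key = tokens[pos++];
        pos += 1; // skip ':'
        args[key] = Number(tokens[pos++]);
      }
      pos += 1;
    }
    let selections = [];
    if (tokens[pos] === '{') [selections, pos] = parseSelectionSet(tokens, pos);
    fields.push({ name, args, selections });
  }
  if (tokens[pos] !== '}') throw new Error('unterminated selection set');
  return [fields, pos + 1];
}

function parseQuery(src) {
  const tokens = tokenize(src);
  const [fields, end] = parseSelectionSet(tokens, 0);
  if (end !== tokens.length) throw new Error('unexpected trailing tokens');
  return fields;
}

// Walk the parsed selections, summing weights and tracking the deepest nesting.
function computeCost(fields, parentType, depth = 1) {
  let cost = 0;
  let maxDepth = depth;
  for (const f of fields) {
    const def = SCHEMA[parentType]?.[f.name];
    if (!def) throw new Error(`unknown field ${parentType}.${f.name}`);
    if (SCALARS.has(def.type)) { cost += SCALAR_COST; continue; }
    if (f.selections.length === 0) throw new Error(`object field ${f.name} needs a selection set`);
    // Clamp so a negative `first:` cannot be used to drive the estimate below zero.
    const multiplier = def.list ? Math.max(0, f.args.first ?? DEFAULT_LIST_ESTIMATE) : 1;
    const child = computeCost(f.selections, def.type, depth + 1);
    cost += multiplier * (OBJECT_COST + child.cost);
    maxDepth = Math.max(maxDepth, child.depth);
  }
  return { cost, depth: maxDepth };
}

// Sliding-window point budget per caller: every admitted query deducts its cost.
class CostBudgetLimiter {
  constructor({ budget, windowMs }) {
    this.budget = budget;
    this.windowMs = windowMs;
    this.log = new Map(); // key -> [{ t, cost }] charges still inside the window
  }
  consume(key, cost, now = Date.now()) {
    const entries = (this.log.get(key) ?? []).filter((e) => e.t > now - this.windowMs);
    const used = entries.reduce((sum, e) => sum + e.cost, 0);
    if (used + cost > this.budget) {
      // Retry-After: when enough of the oldest charges expire for this query to fit.
      let freed = 0, i = 0, retryAt = now;
      while (used - freed + cost > this.budget && i < entries.length) {
        freed += entries[i].cost;
        retryAt = entries[i].t + this.windowMs;
        i += 1;
      }
      this.log.set(key, entries);
      return { allowed: false, remaining: this.budget - used, retryAfterSec: Math.max(1, Math.ceil((retryAt - now) / 1000)) };
    }
    entries.push({ t: now, cost });
    this.log.set(key, entries);
    return { allowed: true, remaining: this.budget - used - cost, retryAfterSec: 0 };
  }
}

// Gateway admission: returns the HTTP status and headers the gateway would send.
// A cost or depth breach is rejected before execution (400 here, an assumed choice);
// an exhausted budget returns 429 with Retry-After, as the answer describes.
function admit(userKey, queryText, limiter, now = Date.now(), policy = POLICY) {
  let analysis;
  try {
    analysis = computeCost(parseQuery(queryText), 'Query');
  } catch (err) {
    return { status: 400, error: err.message };
  }
  if (analysis.cost > policy.maxCost || analysis.depth > policy.maxDepth) {
    return { status: 400, error: `rejected before execution (cost ${analysis.cost}, depth ${analysis.depth})`, ...analysis };
  }
  const verdict = limiter.consume(userKey, analysis.cost, now);
  if (!verdict.allowed) {
    return { status: 429, headers: { 'Retry-After': String(verdict.retryAfterSec) }, ...analysis };
  }
  return { status: 200, headers: { 'X-Cost-Remaining': String(verdict.remaining) }, ...analysis };
}

// Usage: walk one user through a 100-point budget (timestamps in ms, constructed).
const demo = new CostBudgetLimiter({ budget: 100, windowMs: 60_000 });
const q = '{ user(id: 1) { name posts(first: 10) { title } } }';
console.log(admit('user-1', q, demo, 0));     // status 200, cost 66
console.log(admit('user-1', q, demo, 1000));  // status 429, Retry-After 59
console.log(admit('user-1', '{ users { posts { title } } }', demo, 2000)); // status 400, cost 60500
```

The cost of `{ user(id: 1) { name posts(first: 10) { title } } }` works out as `user` = 5 + (`name` = 1) + (`posts` = 10 × (5 + `title` 1)) = 66, and the unbounded `{ users { posts { title } } }` balloons to 100 × (5 + 100 × 6) = 60500, which is exactly the shape of query the pre-execution ceiling exists to stop. The limiter keeps a per-key log of charges rather than a single counter so that Retry-After can be computed from when the oldest charges leave the window; in a multi-instance gateway that log would live in a shared store rather than process memory.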