What is operation complexity and how does it relate to rate limiting GraphQL APIs?
Answer
Standard IP- or request-count-based rate limiting is insufficient for GraphQL, because one request can be vastly more expensive to serve than another. Effective rate limiting uses operation complexity as the currency. Architecture:

1. Calculate complexity: use graphql-query-complexity to compute the cost of each operation at validation time, and reject the operation if its cost exceeds a maximum threshold.
2. Complexity budget: assign each user or API key a rolling complexity budget (e.g., 10,000 per minute) and deduct the cost of every operation from it. Track budgets in Redis with sliding window counters.
3. Field-level cost: expensive fields (external API calls, ML inference) are assigned higher costs than simple DB lookups.
4. Response time budget: enforce server-side timeouts, e.g. setTimeout(() => query.cancel(), 30000).
5. Request size limit: reject queries over N bytes to prevent large-payload attacks.
6. Apollo Router rate limiting: Apollo's router supports JWT-based rate limiting per user and per operation.
7. Persisted queries only: allow only pre-registered operations, which eliminates arbitrary-query attacks entirely.
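The following is an added example, not code from the original answer, showing points 1 to 3 working together in plain Node.js so it runs offline: a small cost walk over an already-parsed selection tree stands in for graphql-query-complexity, and a Map-backed store stands in for Redis. The schema, the per-field costs, the pagination argument names and the sample operations are all constructed for the example.

```javascript
// Added example (not from the original page): complexity-based rate limiting
// for GraphQL. The cost walk stands in for graphql-query-complexity and the
// Map-backed store stands in for Redis; field costs and operations are
// constructed for a hypothetical schema.

// Per-field base costs. Fields that call an external service or an ML model
// cost more than plain DB lookups; any field not listed here costs 1.
const FIELD_COST = { recommendations: 50, geocode: 20 };

// Pagination arguments: a field's children are multiplied by the requested
// page size, so deep pagination is priced for what it can return.
const LIST_ARGS = ['first', 'limit'];

// Cost of one field: base cost plus (page size x cost of its children).
// A selection is { name, args?, selections? }, i.e. a pre-parsed query tree.
function fieldCost(sel) {
  const base = FIELD_COST[sel.name] ?? 1;
  const children = operationCost(sel.selections || []);
  const pageSize = LIST_ARGS.map((a) => sel.args && sel.args[a])
    .find((v) => typeof v === 'number');
  const multiplier = pageSize === undefined ? 1 : pageSize;
  return base + multiplier * children;
}

// Cost of a whole operation: the sum of its root selections.
function operationCost(selections) {
  return selections.reduce((sum, sel) => sum + fieldCost(sel), 0);
}

// Rolling complexity budget per principal (user or API key). Each charge is
// logged with its timestamp and charges older than the window are dropped,
// so the limit applies to any 60 s span, not to fixed calendar minutes.
class ComplexityBudget {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.log = new Map(); // key -> [{ at, cost }]
  }

  // Complexity consumed by `key` inside the current window (prunes old entries).
  used(key) {
    const cutoff = this.now() - this.windowMs;
    const fresh = (this.log.get(key) || []).filter((e) => e.at > cutoff);
    this.log.set(key, fresh);
    return fresh.reduce((sum, e) => sum + e.cost, 0);
  }

  // Debit the key if the budget allows; otherwise leave it untouched.
  charge(key, cost) {
    const used = this.used(key);
    if (used + cost > this.limit) {
      return { allowed: false, used, remaining: this.limit - used };
    }
    this.log.get(key).push({ at: this.now(), cost });
    return { allowed: true, used: used + cost, remaining: this.limit - used - cost };
  }
}

// Gate an operation: reject outright if it exceeds the per-operation maximum
// (the validation-time check), otherwise debit the caller's rolling budget.
// A rejected operation is never charged, so it cannot drain a budget by itself.
function admit({ budget, maxPerOperation }, key, selections) {
  const cost = operationCost(selections);
  if (cost > maxPerOperation) {
    return { allowed: false, reason: 'too_complex', cost };
  }
  const result = budget.charge(key, cost);
  return { ...result, cost, reason: result.allowed ? 'ok' : 'budget_exhausted' };
}

// Constructed sample operations, written as already-parsed selection trees.
// CHEAP    ~ { me { id name } }                                   -> cost 3
// NESTED   ~ { users(first: 100) { posts(first: 10) { title } } } -> cost 1101
// EXPENSIVE ~ { me { recommendations(first: 20) { id } } }        -> cost 71
const CHEAP = [{ name: 'me', selections: [{ name: 'id' }, { name: 'name' }] }];
const NESTED = [{
  name: 'users', args: { first: 100 },
  selections: [{ name: 'posts', args: { first: 10 }, selections: [{ name: 'title' }] }],
}];
const EXPENSIVE = [{
  name: 'me',
  selections: [{ name: 'recommendations', args: { first: 20 }, selections: [{ name: 'id' }] }],
}];

// Demo with a fake clock so the sliding window is reproducible.
let clock = 0;
const demoBudget = new ComplexityBudget({ limit: 2000, windowMs: 60_000, now: () => clock });
const gate = { budget: demoBudget, maxPerOperation: 1500 };
console.log(admit(gate, 'user-1', NESTED)); // allowed, cost 1101, remaining 899
clock = 1000;
console.log(admit(gate, 'user-1', NESTED)); // budget_exhausted: 2202 > 2000
```

Two design points worth noting: the per-operation ceiling runs before any budget is touched, so an over-limit query is refused without consuming the caller's allowance, and the sliding log is pruned on every read, which is the same effect a Redis sorted set with ZREMRANGEBYSCORE gives in production.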