What is the N+1 problem in GraphQL and why is it worse than in REST?

The N+1 problem occurs when a GraphQL query for a list of items (N items) triggers an additional database query for each item to resolve a nested field — resulting in N+1 queries total. It is more pronounced in GraphQL because field resolvers fire independently for each item in a list; the resolver for User.posts runs once per user, unaware that it will be called 100 times for 100 users. In REST, the endpoint developer typically writes a JOIN that fetches related data in one query. In GraphQL, you must explicitly add DataLoader to batch those individual loads into a single query. Without DataLoader, a query for 100 users with their posts becomes 101 database queries instead of 2.

How does cursor-based pagination work in GraphQL (Relay connection spec)?

The Relay connection specification defines the cursor-based pagination pattern most GraphQL APIs follow. A paginated field returns a Connection type containing edges (each with a node and cursor) and pageInfo (hasNextPage, endCursor). To get the next page, the client sends the endCursor as the after argument on the next query. The server translates this cursor (usually a Base64-encoded ID or timestamp) into a SQL WHERE clause (e.g., WHERE created_at < cursor_timestamp ORDER BY created_at DESC LIMIT n). This approach is stable when new data is inserted — unlike offset pagination where page 2 results can shift as new items are added to page 1.

Should I use a union type or an interface for GraphQL error handling?

The modern GraphQL error handling best practice uses union result types (also called the "result type pattern") rather than top-level GraphQL errors. Define each mutation result as a union: union CreatePostResult = Post | ValidationError | AuthorizationError. The client queries __typename to determine which type was returned and handles each case explicitly. This is superior to throwing GraphQLErrors because: error cases are explicit in the schema (clients know what errors to expect), partial success is representable, type-checking tools can enforce exhaustive handling, and the GraphQL response still returns 200 OK with a typed error in data (not in the errors array). Use the errors array only for unexpected server errors and infrastructure issues.

What are persisted queries and why do they improve security?

Persisted queries (also called automatic persisted queries or APQ) pre-register a set of allowed GraphQL operations on the server by their SHA-256 hash. Clients send only the hash, not the full query string. The server looks up the operation and executes it. Benefits: (1) Security — attackers cannot send arbitrary queries; only pre-registered operations execute. This prevents abusive queries from flooding your resolvers. (2) Bandwidth — the client sends a 64-character hash instead of a potentially large query string. (3) GET-cacheable requests — hash-identified queries can be made via GET and cached at the CDN layer, one of GraphQL's biggest caching weaknesses. Apollo Client and Apollo Server support APQ out of the box with client-side fallback to full query on cache miss.

How do I prevent abusive GraphQL queries from overloading my server?

GraphQL's flexible query language allows clients to send deeply nested or very complex queries that can overwhelm your resolvers. Protections: (1) Query depth limiting — reject queries nested beyond a maximum depth (e.g., 7 levels). Use graphql-depth-limit. (2) Query complexity analysis — assign a cost to each field, reject queries above a total complexity threshold. Use graphql-query-complexity. (3) Persisted queries — only allow pre-registered operations (see previous question). (4) Rate limiting — limit requests per authenticated user per minute at the API gateway layer. (5) Field-level timeouts — use Promise.race with a timeout in resolvers that call external services. (6) Pagination limits — cap the maximum limit/first argument on paginated connections (e.g., max 100 items per page) to prevent fetching huge datasets in one query.

← Software Engineering Studio

Engineering·10 min read·June 21, 2026

🔗 GraphQL API Design Best Practices

Q: Should I use a union type or an interface for GraphQL error handling?

The modern GraphQL error handling best practice uses union result types (also called the "result type pattern") rather than top-level GraphQL errors. Define each mutation result as a union: union CreatePostResult = Post | ValidationError | AuthorizationError. The client queries __typename to determine which type was returned and handles each case explicitly. This is superior to throwing GraphQLErrors because: error cases are explicit in the schema (clients know what errors to expect), partial success is representable, type-checking tools can enforce exhaustive handling, and the GraphQL response still returns 200 OK with a typed error in data (not in the errors array). Use the errors array only for unexpected server errors and infrastructure issues.

Q: What are persisted queries and why do they improve security?

Persisted queries (also called automatic persisted queries or APQ) pre-register a set of allowed GraphQL operations on the server by their SHA-256 hash. Clients send only the hash, not the full query string. The server looks up the operation and executes it. Benefits: (1) Security — attackers cannot send arbitrary queries; only pre-registered operations execute. This prevents abusive queries from flooding your resolvers. (2) Bandwidth — the client sends a 64-character hash instead of a potentially large query string. (3) GET-cacheable requests — hash-identified queries can be made via GET and cached at the CDN layer, one of GraphQL's biggest caching weaknesses. Apollo Client and Apollo Server support APQ out of the box with client-side fallback to full query on cache miss.

Q: How do I prevent abusive GraphQL queries from overloading my server?

GraphQL's flexible query language allows clients to send deeply nested or very complex queries that can overwhelm your resolvers. Protections: (1) Query depth limiting — reject queries nested beyond a maximum depth (e.g., 7 levels). Use graphql-depth-limit. (2) Query complexity analysis — assign a cost to each field, reject queries above a total complexity threshold. Use graphql-query-complexity. (3) Persisted queries — only allow pre-registered operations (see previous question). (4) Rate limiting — limit requests per authenticated user per minute at the API gateway layer. (5) Field-level timeouts — use Promise.race with a timeout in resolvers that call external services. (6) Pagination limits — cap the maximum limit/first argument on paginated connections (e.g., max 100 items per page) to prevent fetching huge datasets in one query.

A comprehensive guide to GraphQL API design: schema design for types, queries, mutations, and subscriptions — solving the N+1 problem with DataLoader, cursor-based pagination, authentication via context, error handling, persisted queries, and GraphQL vs REST trade-offs.

Why GraphQL Exists and When to Choose It

GraphQL was created by Facebook (Meta) to solve a specific problem at mobile scale: REST APIs returned too much data (over-fetching) or required multiple round-trips (under-fetching). With GraphQL, the client specifies exactly which fields it needs in a single query. This is compelling for mobile apps and complex UIs, but GraphQL introduces its own complexity — particularly around caching, security, and the N+1 problem. Understanding the trade-offs before committing is essential.

Schema Design: Types, Queries, Mutations, Subscriptions

# schema.graphql — SDL (Schema Definition Language)

# Object types define your data model
type User {
  id: ID!           # "!" means non-nullable (required)
  email: String!
  name: String!
  role: UserRole!
  posts: [Post!]!   # Always use [T!]! for lists — no null items, no null list
  createdAt: String!
}

enum UserRole {
  ADMIN
  EDITOR
  VIEWER
}

type Post {
  id: ID!
  title: String!
  body: String!
  published: Boolean!
  author: User!
  tags: [String!]!
  publishedAt: String
  viewCount: Int!
}

# Query type — all read operations
type Query {
  me: User                          # Returns null if unauthenticated
  user(id: ID!): User               # Returns null if not found
  posts(
    cursor: String                  # Cursor-based pagination
    limit: Int = 20
    filter: PostFilter
  ): PostConnection!
}

input PostFilter {
  published: Boolean
  authorId: ID
  tag: String
}

# Connection pattern for pagination
type PostConnection {
  edges: [PostEdge!]!
  pageInfo: PageInfo!
  totalCount: Int!
}
type PostEdge {
  node: Post!
  cursor: String!
}
type PageInfo {
  hasNextPage: Boolean!
  hasPreviousPage: Boolean!
  startCursor: String
  endCursor: String
}

# Mutation type — all write operations
type Mutation {
  createPost(input: CreatePostInput!): PostResult!
  updatePost(id: ID!, input: UpdatePostInput!): PostResult!
  deletePost(id: ID!): Boolean!
  publishPost(id: ID!): PostResult!
}

# Input types for mutations — separate from object types
input CreatePostInput {
  title: String!
  body: String!
  tags: [String!]!
}
input UpdatePostInput {
  title: String
  body: String
  tags: [String!]
}

# Union result type for mutations — handles success and errors
union PostResult = Post | ValidationError | AuthorizationError

type ValidationError { message: String!; field: String }
type AuthorizationError { message: String! }

# Subscription type — real-time updates via WebSocket
type Subscription {
  postPublished: Post!
  commentAdded(postId: ID!): Comment!
}

Resolvers: The Execution Engine

// resolvers/index.ts (Apollo Server example)
import { GraphQLContext } from './context'
import { PostDataLoader } from './dataloaders'

export const resolvers = {
  Query: {
    me: (_: unknown, __: unknown, ctx: GraphQLContext) => {
      if (!ctx.user) return null
      return ctx.db.users.findOne({ id: ctx.user.id })
    },
    posts: async (_: unknown, args: { cursor?: string; limit: number; filter?: PostFilter }, ctx: GraphQLContext) => {
      return ctx.db.posts.findWithCursor({ cursor: args.cursor, limit: args.limit, ...args.filter })
    },
  },
  Mutation: {
    createPost: async (_: unknown, { input }: { input: CreatePostInput }, ctx: GraphQLContext) => {
      if (!ctx.user) return { __typename: 'AuthorizationError', message: 'Unauthenticated' }

      try {
        const post = await ctx.db.posts.create({ ...input, authorId: ctx.user.id })
        return { __typename: 'Post', ...post }
      } catch (err) {
        if (err instanceof ValidationError) {
          return { __typename: 'ValidationError', message: err.message, field: err.field }
        }
        throw err
      }
    },
  },
  // Field resolver for User.posts — this triggers the N+1 problem if unoptimized
  User: {
    posts: (user: User, _: unknown, ctx: GraphQLContext) => {
      // Without DataLoader: N queries for N users
      return ctx.db.posts.findMany({ authorId: user.id })
      // With DataLoader: batched into 1 query for all users
      return ctx.loaders.postsByAuthor.load(user.id)
    },
  },
}

Solving the N+1 Problem with DataLoader

The N+1 problem is particularly acute in GraphQL because nested field resolvers fire independently. A query for 10 users with their posts triggers 10 separate database queries for posts — one per user. DataLoader solves this by batching all those individual loads into a single query.

import DataLoader from 'dataloader'
import { db } from './db'

// A DataLoader takes a batch function: given N keys, return N values (in the same order)
export const createPostsByAuthorLoader = () => new DataLoader<string, Post[]>(
  async (authorIds: readonly string[]) => {
    // One query for all requested author IDs
    const posts = await db.posts.findMany({
      where: { authorId: { in: [...authorIds] } }
    })

    // Group by authorId — DataLoader requires results in same order as keys
    const postsByAuthor = new Map<string, Post[]>()
    authorIds.forEach(id => postsByAuthor.set(id, []))
    posts.forEach(post => {
      postsByAuthor.get(post.authorId)!.push(post)
    })

    return authorIds.map(id => postsByAuthor.get(id) ?? [])
  }
)

// Create fresh DataLoaders per request (in your context factory)
// Loaders cache within a single request — creating per-request prevents cross-request data leaks
export function createContext({ req }): GraphQLContext {
  return {
    user: extractUser(req),
    db,
    loaders: {
      postsByAuthor: createPostsByAuthorLoader(),
      // Create one loader per relationship you need to batch
    }
  }
}

Authentication and Authorization via Context

// context.ts — built fresh for every request
import jwt from 'jsonwebtoken'
import { Request } from 'express'

export async function createContext({ req }: { req: Request }): Promise<GraphQLContext> {
  const token = req.headers.authorization?.replace('Bearer ', '')
  let user = null

  if (token) {
    try {
      const payload = jwt.verify(token, process.env.JWT_SECRET!, { algorithms: ['HS256'] })
      user = await db.users.findOne({ id: (payload as any).userId })
    } catch {
      // Invalid token — user remains null (unauthenticated)
    }
  }

  return { user, db, loaders: createLoaders() }
}

// In a resolver: check ctx.user before returning sensitive data
Query: {
  adminDashboard: (_: unknown, __: unknown, ctx: GraphQLContext) => {
    if (!ctx.user) throw new GraphQLError('Unauthenticated', { extensions: { code: 'UNAUTHENTICATED' } })
    if (ctx.user.role !== 'ADMIN') throw new GraphQLError('Forbidden', { extensions: { code: 'FORBIDDEN' } })
    return ctx.db.getAdminStats()
  }
}

GraphQL vs REST: Trade-offs Table

Criterion	GraphQL	REST
Over/under-fetching	None — client specifies exact fields	Common — endpoint returns fixed shape
Caching	Hard — single POST endpoint, custom CDN logic	Easy — HTTP GET cache by URL
N+1 problem	Built-in risk, requires DataLoader	Less common (endpoints are more specific)
Type safety	First-class schema, auto-generated clients	Requires OpenAPI + codegen
Learning curve	Higher (schema, resolvers, DataLoader)	Lower (HTTP methods + JSON)
Versioning	Evolve schema with deprecations	URL versioning (/v1/, /v2/)
Best for	Complex UIs, mobile, multiple clients	Simple APIs, webhooks, public APIs

Topics covered

GraphQL API designGraphQL schema designGraphQL DataLoader N+1GraphQL paginationGraphQL mutations subscriptionsGraphQL authentication contextGraphQL error handlingGraphQL vs REST trade-offspersisted queries GraphQLGraphQL cursor paginationApollo Server GraphQLGraphQL type systemGraphQL fragmentsGraphQL batching DataLoaderGraphQL federationGraphQL code-first schema-firstGraphQL subscriptions WebSocketGraphQL complexity limiting

🛠️ Related Free Tools

Put this knowledge to work on your iPhone

Browse our full catalog of professional iOS apps — from electrical code tools to AI builders.

Browse All 95+ Apps