Deploying GraphQL Services
as Managed APIs
Hiranya Abeyrathne
Software Engineer
WSO2 Webinar - 05th May 2020
Naduni Pamudika
Senior Software Engineer
Discussion Points
● Introduction to GraphQL
● Why and When to use GraphQL APIs
● Exposing GraphQL service as Managed APIs
○ The necessity of an API Manager
● Deploying a GraphQL service via WSO2 API Manager
○ Security, Authentication, Authorization, and Rate-Limiting
● Invoking GraphQL APIs via the Integrated GraphiQL UI in
Developer Portal
● GraphQL Analytics
Introduction to GraphQL
GraphQL
● A query language for your APIs.
● Gives what you request, nothing more and nothing less.
● GraphQL specification is an SDL (Schema Definition Language).
● Created by Facebook in 2012 and open-sourced in 2015.
● Ability to make API calls more efficient, flexible, and developer-friendly.
● Served over HTTP via a single endpoint.
● Specification - https://spec.graphql.org/June2018/
● Reference Implementation - https://github.com/graphql/graphql-js
● Implementation support in many languages - https://graphql.org/code/
Products Management Service
Retailer
Id: ID
Name: String
Customer
Id: ID
Name: String
Product
Id: ID
Name: String
Category: enum (
CLOTHING
FOOTWEAR
COSMETICS
)
[Entity-relationship diagram: Retailer, Customer and Product linked by relationships labelled 1-m, 1-m and m-m]
Type System
● Defines the capabilities of an API
● All the types exposed by an API are written down in a language
called the GraphQL Schema Definition Language
● Contract between the server and the client. Once it is defined,
both sides are aware of the data structure
● Query, Mutation, and Subscription root types
Query
Mutation
Subscription
● GraphQL subscriptions allow you to be notified in real-time of
changes to your data.
● In the ProductsManagement service, a retailer will be notified whenever
a new Customer node is created.
Why and When
to use GraphQL
REST vs GraphQL
● Consider the same ProductsManagement service example, where the
retailer wants to know the list of customers who ordered a particular
product.
● If you try this with REST, you need to make the following three API calls.
REST API Call 1
Fetch the list of all products (/products/)
REST API Call 2
Fetch the list of customer Ids by sending the particular product Id
(/products/<orderedProductId>/customers)
REST API Call 3
Fetch the customer-specific details by sending their Ids one by one
(/products/<orderedProductId>/customers/<id>)
GraphQL Service Call
Returns the details of the list of customers for the particular
product with just a single query
Why and When to Use GraphQL
● No more over-fetching or under-fetching
● Single API call data fetching
● Auto generated documentation using GraphiQL
● Versionless API evolution
● High performance in data fetching networks
● Schema and Type System
● Not good for complex queries - they slow down performance and kill the
efficiency of GraphQL applications
● Not a perfect fit for content delivery networks - no HTTP cache support
Exposing GraphQL Services
as Managed APIs
The necessity of an API Manager
● First class support for creating/publishing GraphQL APIs
● Authentication and security
● Role based access control for each operation - Authorization for
GraphQL APIs
● Rate limiting GraphQL operations
● Operational level Analytics
● Detect and block malicious/unintentional/poor queries
Deploying a GraphQL service
via WSO2 API Manager
First Class Support for GraphQL APIs
● Create a GraphQL API by importing an SDL schema
● Identify GraphQL APIs automatically in the Portals
● Display operation list instead of resources
● Display SDL schema instead of Open API definition
● Download option for SDL schema in Publisher and Developer Portal
● Search option for GraphQL-type APIs (type: GRAPHQL)
Deploying ProductsAPI via WSO2 Publisher
Authentication for GraphQL APIs
● APIs are mostly exposed to external users.
● Security plays a major role at this point, as it is crucial to ensure that
the users who access the API operations are authentic.
● Some GraphQL API operations may be exposed to the public, giving
access to anyone without authenticating to the system.
● WSO2 APIM provides the ability to enable or disable operation-level
security in the Publisher.
● For instance, the allProducts operation in ProductsAPI should be
accessible by anyone, hence security needs to be disabled for it.
Operational Level Security
Authentication
Authorization for GraphQL APIs
● The operations defined in the GraphQL SDL need to be accessible to
only a subset of users in an organization.
● Only the authorized parties should have access.
● WSO2 APIM provides the ability to assign different levels of
permissions to the API operations using fine-grained access control
with OAuth2 scopes.
● An API developer needs to distribute the privileges of the “ProductsAPI”
operations among the Retailer and Customer user groups to restrict
access to the API.
Operational level Access Control
Rate Limiting for GraphQL Operations
● There can be specific operations which are expensive to execute.
● Therefore, applying the same rate limits to all the operations is not
a good idea in a production system.
● WSO2 API Manager can easily manage operation-level rate limits.
● An API developer is able to set rate limiting either at the operation level
or at the API level to manage operation-based traffic.
● For example, fetching the products list should be available to anyone
without limit, so it has been assigned the Unlimited value.
Operational Level Rate Limiting
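Added example, not from the slides and not WSO2 API Manager's own code: a Python sketch of the operation-level checks described in the authentication, authorization and rate-limiting slides above. It extracts the root fields of an incoming GraphQL document (one document can carry several operations in a single HTTP request, so the gateway must check each), then applies a per-operation policy: a public operation such as allProducts skips authentication, a protected operation requires OAuth2 scopes, and the Unlimited tier bypasses the per-minute counter. The customersOfProduct operation, the scope names, the limits and the policy layout are assumptions.

```python
import re
# Constructed policy for the slides' ProductsAPI (names other than allProducts are assumed; not WSO2's format).
POLICY = {
    "allProducts":        {"security": False, "scopes": set(),        "limit_per_min": None},  # public, Unlimited
    "customersOfProduct": {"security": True,  "scopes": {"retailer"}, "limit_per_min": 10},
}
# Constructed request selecting two root operations in one HTTP call (one of them aliased).
SAMPLE = 'query { allProducts { id name } mine: customersOfProduct(productId: "p1") { id name } }'
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\.\.\.|[A-Za-z_][A-Za-z0-9_]*|[{}():@$]')

def root_fields(query):
    """Fields selected directly under the root operation, with aliases resolved to real names."""
    tokens, fields, depth, paren = _TOKEN.findall(query), [], 0, 0
    for i, tok in enumerate(tokens):
        if tok in "{}":
            depth += 1 if tok == "{" else -1
        elif tok in "()":
            paren += 1 if tok == "(" else -1
        elif depth == 1 and paren == 0 and re.match(r"[A-Za-z_]", tok):
            prev, nxt = tokens[i - 1] if i else "", tokens[i + 1] if i + 1 < len(tokens) else ""
            # skip alias names, directive names, variables, fragment spreads and "... on Type"
            if nxt == ":" or prev in ("@", "$", "...") or (prev == "on" and i > 1 and tokens[i - 2] == "..."):
                continue
            fields.append(tok)
    return fields

def authorize(query, token):
    """Per-operation authentication and OAuth2 scope check; token is None for anonymous callers."""
    for field in root_fields(query):
        rule = POLICY.get(field)
        if rule is None:
            return False, f"unknown operation {field}"
        if rule["security"] and token is None:
            return False, f"{field} requires authentication"
        if rule["security"] and not rule["scopes"] <= set(token.get("scope", "").split()):
            return False, f"{field} requires scopes {sorted(rule['scopes'])}"
    return True, "ok"

_counters = {}  # (subject, operation, minute window) -> request count

def rate_limited(subject, query, now):
    """Root operations of an already-authorized request that exceed their per-minute limit."""
    blocked = []
    for field in root_fields(query):
        limit = POLICY[field]["limit_per_min"]
        if limit is not None:
            key = (subject, field, int(now // 60))
            _counters[key] = _counters.get(key, 0) + 1
            if _counters[key] > limit:
                blocked.append(field)
    return blocked
```

The token dictionary stands in for the result of OAuth2 token introspection, whose "scope" value is a space-separated string.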
Invoking GraphQL APIs
Discovering and Consuming GraphQL APIs via DevPortal
● A listing of GraphQL APIs
● Search option for GraphQL-type APIs
● Categorizing
● Documentation
● Developer friendly try-out tooling
● Rating and Commenting for the APIs
Discovering and Consuming GraphQL APIs via DevPortal
Demo
Operational Level Analytics
Roadmap
● Subscription Plans on Query Complexities
● Microgateway Support
● Websocket Subscription
Q & A
● Download API Manager: https://wso2.com/api-management/
● GitHub: https://github.com/wso2/product-apim/issues
● Slack Channel:
https://app.slack.com/client/TLVKGQN84/CLVKGR3BN
● Subscribe to YouTube Channel:
https://www.youtube.com/channel/UCuWrSEtlGX9dcd5jiK6lovw
Next Webinar
● 12th May - Overview of API Microgateway 3.1
THANK YOU
wso2.com