Using Tyk’s new GraphQL functionality: Who’s it for and what does it do?

Our upcoming Tyk 3.0 release brings a bunch of improvements to our base API management platform, including a revamped UI and UX improvements that are guaranteed to make users who upgrade thrilled with their choice. But, by far, the most groundbreaking part of the upcoming release is the addition of GraphQL functionality into our API management platform.

Our new functionality, in a nutshell, allows you to secure and enhance your existing GraphQL services and build new GraphQL services by stitching schemas from existing RESTful and GraphQL endpoints.

So who did we build these features for? Well, I’m glad you asked because they cover many potential use cases! Let’s look at two of the most common.

Users and organizations that already have existing GraphQL services

Now you can use all the impressive features of Tyk like security, rate limiting, quotas, and other GraphQL specific API management functionality by connecting your GraphQL service with Tyk. Here are a few of the most sought-after features for those who already have existing GraphQL services developed.


Our entire suite of security features is now available to be used with your GraphQL service. This means that you can have your GraphQL service focus on core functionality needed by the service and leave the management features up to Tyk. 

All the great authentication and authorization capabilities you’ve used to harden your RESTful APIs with Tyk can now be used to do the same for your GraphQL endpoints.

Rate limiting and quotas

Rate limiting and quota policies can now be set for your GraphQL service(s) with the same ease as for your RESTful APIs in Tyk. Once again, this allows you to move this logic out of your GraphQL layer and into the API management platform.

Now you can manage all of your Tyk endpoint policies, RESTful, GraphQL, or other, all in one place in just a few simple steps.

Field-based permissions

One of the tougher parts of managing GraphQL is limiting certain fields to certain users. Tyk makes this very simple by allowing you to set which fields are available right in the policy you create for the API or user. Granular configuration is just a few clicks away and is instantly applied to any of the user’s future queries. This helps you to protect sensitive fields or even expose a subset of your Graph depending on the consumer.

Query depth limiting

Malicious GraphQL queries usually rely on deeply nested selections, which can lead to your servers crashing. Such queries are easy to write in GraphQL and relatively common, which can be a barrier to getting started with the technology.

One strategy to mitigate this is to restrict the maximum query depth a client is allowed to request. Tyk contains a configurable query depth limit, which reduces the risk that a deeply nested query crashes your server. Once again, a few clicks and you are guarded against such attacks, and you can control this on a per-client or per-security-policy basis.
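To make the depth check concrete, here is an added example in Go; it is not Tyk's code, and the names QueryDepth and WithinLimit are hypothetical. It assumes depth means the nesting level of selection sets, and it does not expand fragment spreads, which requires a full GraphQL parser.

```go
package main

import (
	"fmt"
	"strings"
)

// QueryDepth returns the deepest selection-set nesting in a GraphQL document.
// Braces and parentheses inside comments and string literals are skipped, and
// braces inside argument lists (input objects) do not count as nesting.
func QueryDepth(q string) int {
	depth, maxDepth, parens := 0, 0, 0
	for i := 0; i < len(q); i++ {
		switch c := q[i]; {
		case c == '#': // comment: jump to the end of the line
			i += strings.IndexByte(q[i:]+"\n", '\n')
		case c == '"': // "string" or """block string"""
			delim := `"`
			if strings.HasPrefix(q[i:], `"""`) {
				delim = `"""`
			}
			for i += len(delim); i < len(q) && !strings.HasPrefix(q[i:], delim); i++ {
				if q[i] == '\\' { // simplification: backslash escapes next byte
					i++
				}
			}
			i += len(delim) - 1
		case c == '(':
			parens++
		case c == ')' && parens > 0:
			parens--
		case c == '{' && parens == 0:
			if depth++; depth > maxDepth {
				maxDepth = depth
			}
		case c == '}' && parens == 0 && depth > 0:
			depth--
		}
	}
	return maxDepth
}

// WithinLimit reports whether q nests no deeper than the client's limit.
func WithinLimit(q string, limit int) bool { return QueryDepth(q) <= limit }

func main() {
	// Constructed sample: a cyclic author/posts schema nested six levels deep.
	deep := `{ author { posts { author { posts { author { name } } } } } }`
	fmt.Println(QueryDepth(deep), WithinLimit(deep, 3)) // 6 false
}
```

Tracking string literals matters for the check itself: a parenthesis hidden inside a string would otherwise unbalance the argument tracking and hide the nesting that follows it.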

Users who are looking to leverage existing RESTful services for GraphQL endpoints

This is one of the most defining features of this release and one we are most excited about. If you have existing RESTful services, managed through Tyk or not, you can very simply hook them up to be exposed as a GraphQL endpoint.

This is great for users who want to experiment with GraphQL but do not want to go down the path of building a brand new GraphQL service, or who already have superb RESTful infrastructure and want to move closer to the convenience of a Backend-for-Frontend type approach.

With a few clicks, you can create a GraphQL schema, create a data source for the schema using your existing RESTful services, and have a GraphQL API exposed in a matter of minutes. 

It is tough to explain just how simple it is, so check out this quick video where I show how I converted a RESTful service to be exposed as a GraphQL API in about 5 minutes using Tyk.

One thing not covered in the video, for simplicity’s sake, is the ability to actually “stitch” together multiple RESTful endpoints and any existing GraphQL services to create a much larger Graph. This helps to enable a unified data graph which derives its data from multiple data sources, something we here at Tyk are calling our Universal Data Graph.

So after you have built your new RESTful-based GraphQL endpoint, you can use all the features I listed above that are applicable to existing GraphQL services. Rate limiting, quotas, query depth limiting, field-based permissions, and more are all available to your new GraphQL endpoint with a few clicks. It really is GraphQL, the easy way.

What’s next for GraphQL with Tyk?

As we move through further iterations of our GraphQL offering, we expect to add even more convenient features for building and managing GraphQL endpoints. GraphQL can be tough to get started with and to manage, which is why we have added these features to make the lives of those who use it and who want to start using it a lot easier and safer.

Stay tuned for more videos and blogs that show you just how powerful this awesome new feature is!