October 4, 2023 By Roy Derks

GraphQL has emerged as a key technology in the API space, with a growing number of organizations adopting this new API structure into their ecosystems. GraphQL is often seen as an alternative to REST APIs, which have been around for a long time. Compared to REST APIs (or other traditional API specifications), GraphQL provides more flexibility to API consumers (like app developers) and delivers many benefits, along with a few new challenges to API development and delivery.

I recently attended GraphQLConf 2023, the GraphQL conference in San Francisco where GraphQL experts and users from all over the world came together to discuss the future of the technology. This very first GraphQLConf was organized by the GraphQL Foundation, which IBM is proudly sponsoring. I will highlight seven key insights on GraphQL trends for the coming years based on learnings from the event.

1. GraphQL at scale

GraphQL adoption amongst enterprises has been growing rapidly. A report from Gartner® predicted that by 2025, more than 50% of enterprises will use GraphQL in production, up from less than 10% in 2021. At GraphQLConf, it became clear that the technology is well on its way to fulfilling this prediction. The conference included speakers and attendees from companies like Pinterest, AWS, Meta, Salesforce, Netflix, Coinbase and Atlassian.

2. API management for GraphQL

Similar to other API specifications, GraphQL should be paired with API management software to get the most benefits. GraphQL is often implemented as a gateway or middleware for different data sources, which means that the API performance and security depend on these downstream sources. To optimize GraphQL API performance, use query cost analysis to implement rate limiting based on the connected data sources. Presentations at GraphQLConf discussed how observability and rate limiting play important roles in API management for GraphQL.

3. GraphQL security

Security for GraphQL APIs is becoming even more critical now that enterprises have started running GraphQL at scale. As the structure of GraphQL is different from other API specifications, it has its own needs in terms of security. During the conference, GraphQL-specific vulnerabilities like complexity issues and schema leaks were highlighted. Of course, security threats that apply to standard API specifications—such as injections and server errors—also apply to GraphQL APIs and can often be mitigated by API management solutions.
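Sections 2 and 3 name query cost analysis, complexity issues and schema leaks. The JavaScript sketch below is an added example (not from the article or any IBM product) of a pre-execution check that scores a query by field weight and requested page size, caps nesting depth and flags introspection fields. The field names, weights, limits and the `analyze` function are assumptions; it fails closed on fragments, directives and variable page sizes, which a production analyzer would resolve against the schema.

```javascript
// Assumed policy for this sketch: hypothetical field weights and limits.
const FIELD_COST = new Map([["orders", 5], ["customer", 3], ["reviews", 5]]);
const MAX_COST = 100, MAX_DEPTH = 4;
const SAMPLE = "{ orders(first: 100) { reviews(first: 100) { id } } }"; // constructed
function analyze(query) {
  // Blank strings and comments, then keep names, integers and punctuators.
  const bare = query.replace(/"(?:\\.|[^"\\])*"/g, " ").replace(/#[^\n]*/g, " ");
  const t = bare.match(/\.\.\.|[@{}():]|[_A-Za-z]\w*|\d+/g) || [];
  let i = 0, depth = 0, introspection = false, cost;
  // Skip "(...)" and return the literal page size (first/limit), default 1.
  const args = () => {
    let size = 1;
    if (t[i] !== "(") return size;
    for (i++; i < t.length && t[i] !== ")"; i++) {
      if (!/^(first|limit)$/.test(t[i]) || t[i + 1] !== ":") continue;
      if (!/^\d+$/.test(t[i + 2])) throw new SyntaxError("non-literal page size");
      size = Number(t[i + 2]);
    }
    i++;
    return size;
  };
  // A field costs its weight plus page size times the cost of its children.
  const selection = (level) => {
    depth = Math.max(depth, level);
    let sum = 0;
    for (i++; i < t.length && t[i] !== "}"; ) {
      let name = t[i++];
      if (t[i] === ":") { i++; name = t[i++]; } // alias: the real field follows
      if (!/^[_A-Za-z]/.test(name || "")) throw new SyntaxError("bad field name");
      if (name.startsWith("__") && name !== "__typename") introspection = true;
      const size = args();
      const children = t[i] === "{" ? selection(level + 1) : 0;
      sum += (FIELD_COST.get(name) ?? 1) + size * children;
    }
    i++;
    return sum;
  };
  try { // fail closed on anything this sketch does not model
    if (t.includes("...") || t.includes("@")) throw new SyntaxError("fragment or directive");
    while (i < t.length && t[i] !== "{") t[i] === "(" ? args() : i++;
    cost = selection(1);
    if (i !== t.length) throw new SyntaxError("malformed document");
  } catch (e) { return { allowed: false, reasons: ["rejected: " + e.message] }; }
  const reasons = [];
  if (!(cost <= MAX_COST)) reasons.push("cost"); // negated test also catches NaN
  if (depth > MAX_DEPTH) reasons.push("depth");
  if (introspection) reasons.push("introspection");
  return { cost, depth, introspection, allowed: reasons.length === 0, reasons };
}
```

Because aliases are resolved to the real field name before weighting, repeating an expensive field under different aliases is charged once per occurrence.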

4. Declarative, SDL-first GraphQL API development

There are two distinct approaches to building GraphQL APIs: “code-first” and “schema-first.” At the core of every GraphQL API is a schema that serves as the type-system.

  • In a “code-first” approach, the schema would be generated from the business logic implemented in the framework that’s used to build the GraphQL API.
  • In the “schema-first” approach, you’d start by defining the schema and map this schema to your business logic separately.

A new emerging approach is called “SDL-first” (Schema Definition Language), where instead of separating the schema and business logic, you define both directly inside the GraphQL schema. I discussed this declarative, SDL-first approach in my talk at GraphQLConf.

5. Incremental delivery of streaming data

Streaming data in GraphQL has long been neglected, but it is getting more relevant with the increased adoption of GraphQL at scale. Real-time data in GraphQL is implemented by using an operation type called “Subscription,” but streaming data has different needs. For streaming data, two new built-in directives will be introduced to the GraphQL specification, which are called “@stream” and “@defer.” By adding these new directives, GraphQL will be able to handle more complex situations where incremental delivery of data is needed. It’s expected that this development will make GraphQL more compatible with asynchronous or event-driven data sources.

6. Open specification for GraphQL federation

GraphQL federation is used to bring together multiple GraphQL APIs to consume all their data from a single API. This will improve the usability and discoverability of all services within the organization. Often, federation will require every downstream service to be a GraphQL API, but some GraphQL solutions allow every data source to be federated into a single GraphQL API. So far, GraphQL federation has depended on vendor-specific requirements, which led to many different implementations.

At GraphQLConf it was announced that IBM has joined efforts with other leading companies in the API space to develop an open specification for GraphQL federation under the GraphQL Foundation.

7. GraphQL and AI

As artificial intelligence (AI) transforms how developers write and interact with code, it provides challenges and opportunities for GraphQL, too. For example, how will developers build GraphQL APIs in a world dominated by AI? How can AI help find and prevent security vulnerabilities for GraphQL?

Both at GraphQLConf and IBM TechXchange, IBM Fellow and CTO, Anant Jhingran, presented what role GraphQL plays for AI and API integration. This keynote from IBM TechXchange shows what the combination of GraphQL and AI looks like.

Learn more

With a growing number of organizations not only experimenting with GraphQL, but starting to implement it at scale, the ecosystem is developing quickly. At IBM, we’re helping organizations of all sizes in their GraphQL journey by making it easy to develop production-level GraphQL APIs quickly.

Learn more about the GraphQL capabilities in IBM API Connect, including how to get started for free