DataPower API Gateway
only

Creating a GraphQL proxy API

GraphQL is a query language for APIs that gives an application client greater control over what data it retrieves in an API request when compared with a REST API request. IBM® API Connect enables you to create a GraphQL API proxy definition that proxies a backend GraphQL server, and to define rate limiting controls that reflect the amount of data that is returned from the server by a request to the GraphQL API.

About this task

You can complete this task either by using the API Designer UI application, or by using the browser-based API Manager UI.

To complete this task, you must be assigned a role that has the Api-Drafts:Edit, Settings:View, and App:View permissions. The pre-supplied Developer role has these permissions by default; if you are assigned a custom role it must have these permissions. For more information, see Creating custom roles.

GraphQL provides the following particular advantages over REST APIs:

  • The application client can request only the data that it needs. For example, when retrieving bank account records, request only the account number and current balance for each account, but not the customer name and address details. With a REST API request, either the backend REST service must provide separate endpoints for different data subsets, or the application client must retrieve the complete records and then discard the unwanted data.
  • The application client can retrieve multiple related resources in a single request. For example, a customer's bank account record might include an array that references other finance products that the customer holds. If an application client wants to retrieve the bank account details for a specific customer, and details of the other finance products for that customer, then with a REST API the client would first retrieve the bank account details, then make separate requests for each of the other products. A GraphQL API can be designed to allow the client to retrieve all this information in a single request.

However, this flexibility presents rate limiting challenges, because two seemingly very similar requests might return vastly different amounts of data, and what might have required multiple REST API requests, each counting towards the rate limit, might require only a single GraphQL API request. It is important therefore that rate limiting controls are imposed that reflect the amount of data that is retrieved. API Connect extends the GraphQL standard by providing, in a GraphQL API definition, the ability to configure a range of settings that are used to calculate the complexity of a GraphQL request and an associated cost that counts towards the rate limit.

Procedure

To create a GraphQL API proxy definition, complete the following steps:

  1. In the navigation pane, click Develop icon in the API UI navigation pane Develop, then click Add > API.
    The Select API type screen is displayed.
  2. Select OpenAPI 2.0.
  3. Select From existing GraphQL service (GraphQL proxy).
  4. Click Next. Specify the API summary in the Info section. You can fine-tune the API after it is created.
    • The Title can include special characters but should be kept short so that it can be easily displayed in the user interface.
    • The Name is entered automatically. The value in the Name field is a single string that is used to identify the API in developer toolkit CLI commands. To view the CLI commands to manage draft APIs, see the toolkit CLI reference documentation.
    • The Version corresponds to the value of the info.version property of the API's OpenAPI definition. The version.release.modification version numbering scheme is recommended; for example 1.0.0.
    • The Base path is the URL segment of the API and does not include the host name or any additional segments for paths or operations. The base path cannot include special characters and must begin with a / character even if it is otherwise empty.
    • The optional Description helps to identify the API.
  5. In the GraphQL Server section, specify the following values:
    • GraphQL server URL: this is the URL that is used for requests to the backend GraphQL API. The GraphQL schema is imported automatically from the specified URL.
    • Schema name: the name that you enter here is used to identify the schema definition that is created from the imported GraphQL schema. The field is pre-populated with host name segment of the value entered in the GraphQL server URL field, but you can change it.
  6. Click Next. If there are any warnings indicated relating to the imported schema, you can review them now by clicking View.
    You can deal with these warnings as appropriate after you have created your GraphQL proxy API.
  7. In the Operations and Paths section, select the operations and paths that you want to include.

    The operation path of /graphql is already selected and you cannot change this setting; this is the path for application client requests to API Connect that invoke the GraphQL API.

    For details of the mechanisms supported for sending a request to the /graphql/cost endpoint, see Request mechanisms supported by GraphQL endpoints.

    You can also select the operation path of graphql/cost; this path enables application clients to obtain details of the cost of a request to the GraphQL API before making the actual request. In a production environment, in particular, you should consider carefully the resource implications of making this path available. For full details regarding the enablement of the cost endpoint, see Enabling the cost endpoint for a GraphQL API.

    To form the full API paths, these path segments are appended to the basepath that you specified in step 4.

    To allow application clients to send introspection requests for this GraphQL proxy API, select Support default introspection. For full details, see Supporting introspection for a GraphQL API.

    To allow users to test the GraphQL proxy API from a GraphiQL editor, select Enable GraphiQL editor. For full details, see Enabling the GraphiQL editor for a GraphQL API.

    Note: The graphql/cost, Support default introspection, and Enable GraphiQL editor options each automatically generate policy configuration in your API assembly that would have to be created manually if you disable this option and later decide that it is required.
  8. Optionally, you can replace the GraphQL schema that was imported from the GraphQL server URL by uploading a schema from your local file system. Click Replace; you can then either drag and drop your file, or click where indicated to select the file from your local file system. Click Upload when done.
    Note:
    • The schema must be written in the GraphQL Schema Definition Language (SDL). For more information, see Type language in the GraphQL documentation at https://graphql.org/.
    • If you upload a schema from a local file having previously uploaded a schema from a URL, the schema URL setting that is stored in the OpenAPI source for the API, and subsequently displayed in the user interface, retains the previously specified URL value rather than indicating a file location.
  9. Click Next. In the Secure section, configure the API security that you require.
    • Secure using Client ID - Select this option to require an Application to provide a Client ID (API Key). This causes the X-IBM-Client-Id parameter to be included in the request header for the API. For information about security options in IBM API Connect, see Configuring API security.
    • CORS - Select this option to enable cross-origin resource sharing (CORS) support for your API. This allows your API to be accessed from another domain.
      Note:
      • CORS support is available only on the DataPower® API Gateway.
      • When CORS is enabled, the API Gateway runs the cors preflow policy to handle all CORS requests that are made to the API.
      • When CORS is enabled and a preflight request is received, only the following API actions are performed:
        • The cors preflow policy configures the appropriate response headers.
        • The response headers are set.
      • When a preflight request is received, the request.attributes.isCORSPreflight flag is set to true.
      • For all preflight requests, the security and client-identification preflow policies are always skipped, whether CORS is enabled or not enabled.
  10. Optional: Select Activate API if you want to immediately use the API for further development and testing.
    Note:
    • When you select the Activate API option, API Connect automatically completes the following actions:
      • Creates a draft product, adds the API to the product, and publishes the product to the Sandbox catalog so that the API is available to be called. The product has the title api_title auto product. This product is not visible in the Develop view and you cannot delete it directly. However, if you delete the API the draft product is deleted together with the API; see Deleting an API definition. The product is visible in any catalogs to which it is published. If you want to remove the product from a catalog, you must do this separately; see Removing a product from a catalog
      • Subscribes the Sandbox test application to the product so that you can immediately test the API in the test environment. For information on testing an API, see Testing an API.
    • You cannot use the Activate API option if lifecycle approval is enabled in the Sandbox catalog for the Stage, Publish, or Replace actions. If any such lifecycle approvals are enabled, then to be able to use the Activate API option they must be disabled; for information on lifecycle approval settings, see Creating and configuring catalogs.
    • To use the Activate API option, you must be assigned a role that has the Product:Manage and Subscription:Manage permissions. The pre-supplied Developer role has these permissions by default; if you are assigned a custom role it must have these permissions. For more information, see Creating custom roles.
  11. Click Next to create your API definition.

    The Summary panel displays messages as the definition is created, and the selected security options are enforced.

    If you selected Activate API, the wizard populates an API Endpoint URL that you can use in testing. If you have also selected Secure using Client ID, the wizard displays a Client ID and Client Secret you can use.

  12. Click Next to create your API definition.

    The Summary panel displays messages as the definition is created, and the selected security options and rate limits are enforced.

  13. Select one of the following options:
    • To further configure your API, click Edit API. For details, see Editing an API definition.
    • If you do not want to configure your API further at this time, click the Develop link in the breadcrumb trail to return to the welcome page; you can then move on immediately to another task. For details on how to configure your API later, see Editing an API definition.

What to do next

Use the GraphQL schema editor to review, and deal with, any warnings associated with the schema, and to configure a range of settings that are used to calculate the complexity of a GraphQL request, and an associated cost that counts towards the rate limit; for details, see Using the GraphQL schema editor.