Third-party API (opt-in)

Use this profile for an API that must accept operations authored by untrusted or third-party clients. This is a narrower use case for GraphQL, and one that requires more complex protections against malicious requests; we recommend implementing a first-party API if your use case supports it.

Intended for

  • Public platform APIs
  • Partner ecosystems
  • Any endpoint where ad-hoc documents are expected

Notes

  • Full trusted-document allowlisting usually cannot be enforced.
  • Keep strict parse/validation/runtime protections enabled by default.
  • Consider disabling introspection by default and instead publish the schema definition (SDL) through a separate integrator channel.
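
As an added example (not code from this page or from any GraphQL project), a dependency-free pre-parse gate in JavaScript that applies two of the notes above to a document from a third-party client before it reaches the real parser and validator: it refuses the `__schema`/`__type` introspection fields and caps document size and selection-set nesting. The limits, reason codes and the brace-counting heuristic are assumptions; the server's own parse and validation rules still run afterwards.

```javascript
// Added example, not from the page: a cheap pre-parse gate for GraphQL documents
// sent by untrusted third-party clients. It runs in front of the real parser and
// validator (which stay enabled) so oversized or deeply nested text is refused
// early and schema-introspection fields are rejected outright.
// The limits below are assumed values; tune them per deployment.
const LIMITS = { maxBytes: 8192, maxDepth: 6 };
const INTROSPECTION_FIELDS = new Set(['__schema', '__type']); // __typename stays allowed

// Skip a GraphQL string ("..." with backslash escapes) or block string ("""...""")
// so that names inside string literals are not mistaken for fields.
function skipString(doc, i) {
  if (doc.startsWith('"""', i)) {
    const end = doc.indexOf('"""', i + 3);
    return end === -1 ? doc.length : end + 3;
  }
  let j = i + 1;
  while (j < doc.length && doc[j] !== '"') j += doc[j] === '\\' ? 2 : 1;
  return j + 1;
}

// Returns { ok: true, depth } or { ok: false, reason }.
// Nesting is measured by brace depth, which also counts input-object literals
// in arguments; that over-estimates slightly, which is the conservative direction.
function gateDocument(doc, limits = LIMITS) {
  if (Buffer.byteLength(doc, 'utf8') > limits.maxBytes) {
    return { ok: false, reason: 'DOCUMENT_TOO_LARGE' };
  }
  let depth = 0, maxDepth = 0, i = 0;
  while (i < doc.length) {
    const c = doc[i];
    if (c === '#') { while (i < doc.length && doc[i] !== '\n') i++; continue; } // comment
    if (c === '"') { i = skipString(doc, i); continue; }
    if (c === '{') { depth++; maxDepth = Math.max(maxDepth, depth); i++; continue; }
    if (c === '}') { depth--; i++; continue; }
    if (/[_A-Za-z]/.test(c)) {
      let j = i;
      while (j < doc.length && /[_0-9A-Za-z]/.test(doc[j])) j++;
      if (INTROSPECTION_FIELDS.has(doc.slice(i, j))) {
        return { ok: false, reason: 'INTROSPECTION_DISABLED' };
      }
      i = j; continue;
    }
    i++;
  }
  if (maxDepth > limits.maxDepth) return { ok: false, reason: 'DEPTH_LIMIT_EXCEEDED' };
  return { ok: true, depth: maxDepth };
}

// Constructed sample documents: an ordinary query and an introspection query.
console.log(gateDocument('{ viewer { name } }'));
console.log(gateDocument('{ __schema { types { name } } }'));
```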