GraphQL Apollo Federation Subscriptions

GraphQL API Development for Flexible and Efficient Data APIs

GraphQL eliminates over-fetching and under-fetching by letting clients request exactly the data they need — reducing API round trips, payload size and frontend complexity. We design GraphQL schemas, optimise resolver performance (DataLoader, query depth limiting), implement real-time subscriptions and build federated GraphQL gateways for US and EU clients on Node.js, Python and Java backends.

Get a proposal See cases

GraphQL eliminates over-fetching and under-fetching by letting clients request exactly the data they need — reducing API round trips, payload size and frontend complexity. We design GraphQL schemas, optimise resolver performance (DataLoader, query depth limiting), implement real-time subscriptions and build federated GraphQL gateways for US and EU clients on Node.js, Python and Java backends.

Challenges

Industry challenges we solve

N+1 resolver problem

Nested GraphQL queries trigger N+1 database calls — one per parent item. We implement DataLoader for all list resolvers, batching database calls to a single query per type per request.

Overly permissive schema exposure

Introspection enabled in production exposes the full data model to attackers. We disable introspection in production, add query depth limiting (max 7 levels) and query complexity analysis (max score 1000).

Schema versioning without breaking clients

GraphQL schemas are versionless — deprecating fields requires coordinating with all clients. We use @deprecated directives, monitor deprecated field usage in Apollo Studio and maintain a field-removal timeline agreed with client teams.

Federation complexity at scale

Apollo Federation supergraphs with 10+ subgraphs introduce distributed tracing challenges and schema composition failures. We structure subgraph boundaries by domain, test composition in CI and implement gateway-level distributed tracing.

Real-time subscription scaling

WebSocket-based subscriptions are stateful — they don't scale horizontally without a pub/sub backend. We use Redis pub/sub as the subscription transport layer so any gateway instance can serve any subscription.

GDPR field-level access control

GDPR requires that EU PII is only returned to authorised callers. We implement resolver-level field directives (@auth, @redact) that check claims from the JWT context before returning PII fields — not at the HTTP layer.

Solutions

Solutions we build

GraphQL schema design and evolution

Domain-driven schema design with relay-style pagination, connection types and input validation — built for long-term evolution without breaking clients.

Production security hardening

Introspection disabled, query depth and complexity limits, persisted queries for production clients, JWT context validation and field-level @auth directives.

DataLoader and performance optimisation

DataLoader batching for all N+1 resolver patterns, Redis query caching for expensive resolvers, and query complexity analysis to identify expensive operations before they reach production.

Apollo Federation gateway

Federated supergraph from multiple subgraphs — entity references, @key directives, subgraph composition testing in CI and gateway-level distributed tracing.

Real-time GraphQL subscriptions

WebSocket subscriptions with Redis pub/sub backend — horizontally scalable, with automatic reconnection and subscription deduplication on the client.

GraphQL migration from REST

Incremental migration strategy: GraphQL gateway wraps existing REST endpoints via RESTDataSource, gradually replaced by native resolvers as the backend migrates.

Stack

Technology stack

GraphQL, Apollo Server 4, Apollo Federation 2, DataLoader, GraphQL Yoga, Strawberry (Python), Netflix DGS (Java), WebSockets (subscriptions), PostgreSQL, Redis, Sentry.

Compliance

Compliance & regulations

GDPR-aligned · query depth limiting · field-level auth · PII masking in resolvers

EU

  • GDPR — field-level permission checks in resolvers; PII fields masked for non-authorised roles; query audit log.
  • EU AI Act — decision-field logging for AI-powered GraphQL resolvers.
  • eIDAS — OAuth2 JWT validation in Apollo context; role-claim propagation to resolvers.
  • NIS2 — query complexity and depth limiting to prevent DoS; CVE scanning of GraphQL dependencies.

US

  • HIPAA — PHI fields restricted to authorised resolver roles; audit log per field access.
  • SOC 2 — query logging, resolver error capture in Sentry, rate limiting via Redis.
  • CCPA/CPRA — data-subject request resolvers; PII field opt-out via directive.
  • FedRAMP-adjacent — field-level encryption for sensitive data in resolvers.

Cases

Selected GraphQL case studies

JoyJet case study cover
Social Media · Consumer Tech

JoyJet

Production social platform — App Store + Google Play, live across the US and EU — with geo Radar, encrypted messaging and a virtual economy.

2025 View case
Signatory Pro case study cover
LegalTech · Mobile · CRM

Signatory Pro

Native iOS and Android e-signature clients with a Symfony + React CRM for a cross-border law firm — KYC onboarding and a defensible evidence trail for US & EU matters.

2026 View case
Media Arena case study cover
Sports Media · Mobile

Media Arena

Cross-platform sports news app and web portal — Telegram-bot CMS instead of a custom admin, Markdown publishing pipeline.

2023 View case

View all case studies →

Why YuSMP

Why product teams choose YuSMP for GraphQL development

Schema-first, not resolver-first

We design the GraphQL schema as a product contract before writing resolvers — ensuring the API serves frontend needs, not backend convenience.

DataLoader from the first resolver

N+1 is the most common GraphQL production issue. We implement DataLoader for every list resolver on day one, not after the first performance incident.

Federation-ready from the start

Even single-graph projects are built with federation-compatible types — @key directives, entity resolvers — so adding a second subgraph later is additive, not breaking.

FAQ

GraphQL Development FAQ

When should I use GraphQL instead of REST?

GraphQL is the better choice when: multiple clients (web, iOS, Android, partners) consume the same API and have different data needs; the frontend team changes data requirements frequently; you need real-time subscriptions alongside queries; or you're building a product platform where third-party developers query your data. REST is the better choice for simple CRUD services, public APIs where HTTP caching is critical, or teams without GraphQL experience where the learning curve outweighs the benefits.

How does Apollo Federation work?

Apollo Federation 2 composes multiple subgraph schemas into a single supergraph. Each subgraph owns its domain types and exposes @key-decorated entities. The Apollo Router (or Apollo Gateway) routes incoming queries to the correct subgraphs, fetches entity references via the @external and @requires directives, and assembles the response. Schema composition is validated in CI — the router only starts if the composed supergraph is valid.

How do you prevent GraphQL denial-of-service attacks?

Query depth limiting (max 7 levels), query complexity analysis (max score 1000, calculated per field), rate limiting on the HTTP layer via Redis, persisted queries (production clients can only run pre-approved queries), and introspection disabled in production. For large-scale APIs, we add APQ (Automatic Persisted Queries) to reduce payload size and Apollo Studio anomaly detection for unusual query patterns.

How do GraphQL subscriptions scale horizontally?

GraphQL subscriptions are WebSocket connections — stateful. A single server instance can hold thousands of subscriptions, but horizontal scaling requires routing subscription events to the correct server. We use Redis pub/sub: when an event occurs, the publishing service writes to Redis; every gateway instance subscribes to Redis and forwards the event to the correct WebSocket connection. This scales to hundreds of thousands of concurrent subscriptions.

How do you handle file uploads in GraphQL?

The GraphQL spec does not cover file uploads. We use the multipart request spec (graphql-multipart-request-spec) — either via Apollo Server's built-in upload support or graphql-upload middleware. Files are streamed directly to S3 from the resolver without touching the application server disk. Alternatively, we implement a REST upload endpoint alongside GraphQL for large or frequent file uploads.

How do you implement GDPR compliance in a GraphQL API?

Field-level access control via custom directives (@auth, @requiresRole) that check JWT claims before returning PII fields. Data-subject request resolvers that anonymise or return all data for a given user ID. Query audit logging — every query is logged with the authenticated user ID and resolved fields. For EU deployments, the GraphQL gateway routes EU-resident entity queries to EU-region resolvers that enforce data-residency.

How do you migrate a REST API to GraphQL incrementally?

We use Apollo Server's RESTDataSource to wrap existing REST endpoints in GraphQL resolvers. The GraphQL schema is designed first based on client data needs, then resolvers delegate to REST. As backend services are updated, resolvers migrate from REST calls to direct database queries. This allows frontend teams to adopt GraphQL immediately while backend migration happens incrementally over weeks or months.

Build a flexible, efficient GraphQL API with senior engineers

Response within 1 business day. NDA on request.

Get a proposal