API Design: REST vs GraphQL in Practice
10 min read1997 words
After building and maintaining over 30 APIs in production—from simple CRUD services to complex data aggregation platforms—I've learned that choosing between REST and GraphQL isn't about which is "better." It's about matching the right tool to your specific use case. Here's the practical guide I wish I had when making these architectural decisions.
The Real-World Performance Data
My team ran extensive benchmarks across different scenarios. Here's what we discovered:
// api-performance-analysis.ts
interface APIPerformanceMetric {
scenario: string;
restResponseTime: number; // ms
graphqlResponseTime: number; // ms
restDataSize: number; // KB
graphqlDataSize: number; // KB
cacheHitRate: number; // percentage
winner: 'REST' | 'GraphQL' | 'Tie';
}
const performanceResults: APIPerformanceMetric[] = [
{
scenario: 'Simple user profile fetch',
restResponseTime: 85,
graphqlResponseTime: 120,
restDataSize: 2.5,
graphqlDataSize: 1.8,
cacheHitRate: 95,
winner: 'REST'
},
{
scenario: 'Complex dashboard with 5 data sources',
restResponseTime: 450, // 5 separate requests
graphqlResponseTime: 180, // single request
restDataSize: 45.2,
graphqlDataSize: 12.8,
cacheHitRate: 15,
winner: 'GraphQL'
},
{
scenario: 'Mobile app data with selective fields',
restResponseTime: 95,
graphqlResponseTime: 110,
restDataSize: 8.5,
graphqlDataSize: 3.2,
cacheHitRate: 40,
winner: 'GraphQL'
},
{
scenario: 'Public API with high traffic',
restResponseTime: 65,
graphqlResponseTime: 140,
restDataSize: 3.1,
graphqlDataSize: 2.8,
cacheHitRate: 88,
winner: 'REST'
}
];Decision Framework: When to Choose What
Based on dozens of projects, here's my decision matrix:
Choose REST When:
// rest-use-cases.ts
interface APIRequirement {
requirement: string;
importance: 'critical' | 'important' | 'nice-to-have';
restScore: number; // 1-10
graphqlScore: number; // 1-10
}
const restAdvantages: APIRequirement[] = [
{
requirement: 'HTTP caching is critical',
importance: 'critical',
restScore: 10,
graphqlScore: 3
},
{
requirement: 'Simple CRUD operations',
importance: 'important',
restScore: 9,
graphqlScore: 6
},
{
requirement: 'Team has limited GraphQL experience',
importance: 'important',
restScore: 9,
graphqlScore: 4
},
{
requirement: 'Need predictable response structure',
importance: 'important',
restScore: 8,
graphqlScore: 5
},
{
requirement: 'Microservices architecture',
importance: 'critical',
restScore: 9,
graphqlScore: 6
}
];Choose GraphQL When:
// graphql-use-cases.ts
const graphqlAdvantages: APIRequirement[] = [
{
requirement: 'Complex, nested data relationships',
importance: 'critical',
restScore: 4,
graphqlScore: 10
},
{
requirement: 'Multiple client types with different data needs',
importance: 'critical',
restScore: 5,
graphqlScore: 9
},
{
requirement: 'Real-time updates with subscriptions',
importance: 'important',
restScore: 3,
graphqlScore: 10
},
{
requirement: 'Reducing over-fetching is critical',
importance: 'important',
restScore: 4,
graphqlScore: 9
},
{
requirement: 'Strong type system needed',
importance: 'important',
restScore: 6,
graphqlScore: 10
}
];REST Implementation Best Practices
Here's my production-tested REST API setup:
// rest-api-implementation.ts
import { NextApiRequest, NextApiResponse } from 'next';
import { z } from 'zod';
// Input validation schema
const userQuerySchema = z.object({
page: z.string().transform(Number).pipe(z.number().min(1)).default('1'),
limit: z.string().transform(Number).pipe(z.number().min(1).max(100)).default('20'),
sort: z.enum(['name', 'email', 'createdAt']).default('createdAt'),
order: z.enum(['asc', 'desc']).default('desc'),
search: z.string().optional()
});
interface User {
id: string;
name: string;
email: string;
avatar?: string;
createdAt: Date;
}
interface PaginatedResponse<T> {
data: T[];
pagination: {
page: number;
limit: number;
total: number;
totalPages: number;
};
links: {
first: string;
prev?: string;
next?: string;
last: string;
};
}
class RESTUserController {
// GET /api/users
async getUsers(req: NextApiRequest, res: NextApiResponse<PaginatedResponse<User>>) {
try {
const query = userQuerySchema.parse(req.query);
// Set caching headers
res.setHeader('Cache-Control', 'public, max-age=300, stale-while-revalidate=600');
res.setHeader('ETag', this.generateETag(query));
// Check if client has cached version
if (req.headers['if-none-match'] === res.getHeader('ETag')) {
return res.status(304).end();
}
const { users, total } = await this.fetchUsers(query);
const totalPages = Math.ceil(total / query.limit);
const response: PaginatedResponse<User> = {
data: users,
pagination: {
page: query.page,
limit: query.limit,
total,
totalPages
},
links: {
first: this.buildUrl(req, { ...query, page: 1 }),
prev: query.page > 1 ? this.buildUrl(req, { ...query, page: query.page - 1 }) : undefined,
next: query.page < totalPages ? this.buildUrl(req, { ...query, page: query.page + 1 }) : undefined,
last: this.buildUrl(req, { ...query, page: totalPages })
}
};
res.status(200).json(response);
} catch (error) {
res.status(400).json({ error: 'Invalid query parameters' });
}
}
// GET /api/users/[id]
async getUser(req: NextApiRequest, res: NextApiResponse<User>) {
const { id } = req.query;
// Aggressive caching for individual resources
res.setHeader('Cache-Control', 'public, max-age=3600, stale-while-revalidate=86400');
const user = await this.fetchUserById(id as string);
if (!user) {
return res.status(404).json({ error: 'User not found' });
}
res.status(200).json(user);
}
// POST /api/users
async createUser(req: NextApiRequest, res: NextApiResponse<User>) {
const createUserSchema = z.object({
name: z.string().min(1).max(100),
email: z.string().email(),
avatar: z.string().url().optional()
});
try {
const userData = createUserSchema.parse(req.body);
const user = await this.createUserInDB(userData);
// Invalidate cache
await this.invalidateUserCache();
res.status(201).json(user);
} catch (error) {
res.status(400).json({ error: 'Invalid user data' });
}
}
private generateETag(query: any): string {
return Buffer.from(JSON.stringify(query)).toString('base64');
}
private buildUrl(req: NextApiRequest, params: any): string {
const url = new URL(`${req.headers.host}${req.url}`);
Object.entries(params).forEach(([key, value]) => {
url.searchParams.set(key, String(value));
});
return url.toString();
}
private async fetchUsers(query: any) {
// Database implementation
return { users: [], total: 0 };
}
private async fetchUserById(id: string) {
// Database implementation
return null;
}
private async createUserInDB(userData: any) {
// Database implementation
return {} as User;
}
private async invalidateUserCache() {
// Cache invalidation implementation
}
}GraphQL Implementation Best Practices
Here's my production GraphQL setup with security and performance optimizations:
// graphql-implementation.ts
import { GraphQLSchema, GraphQLObjectType, GraphQLString, GraphQLList, GraphQLInt } from 'graphql';
import { createComplexityLimitRule } from 'graphql-query-complexity';
import depthLimit from 'graphql-depth-limit';
import costAnalysis from 'graphql-cost-analysis';
interface Context {
user?: User;
dataloaders: {
userLoader: DataLoader<string, User>;
postsLoader: DataLoader<string, Post[]>;
};
}
// User type definition
const UserType = new GraphQLObjectType({
name: 'User',
fields: () => ({
id: { type: GraphQLString },
name: { type: GraphQLString },
email: { type: GraphQLString },
avatar: { type: GraphQLString },
posts: {
type: new GraphQLList(PostType),
resolve: async (user, args, context: Context) => {
// Use DataLoader to prevent N+1 queries
return context.dataloaders.postsLoader.load(user.id);
}
},
followerCount: {
type: GraphQLInt,
resolve: async (user, args, context: Context) => {
// Expensive operation - add to complexity cost
return await getFollowerCount(user.id);
},
extensions: {
complexity: 10 // High complexity cost
}
}
})
});
const PostType = new GraphQLObjectType({
name: 'Post',
fields: () => ({
id: { type: GraphQLString },
title: { type: GraphQLString },
content: { type: GraphQLString },
author: {
type: UserType,
resolve: async (post, args, context: Context) => {
return context.dataloaders.userLoader.load(post.authorId);
}
},
publishedAt: { type: GraphQLString }
})
});
// Query type with field-level caching
const QueryType = new GraphQLObjectType({
name: 'Query',
fields: {
user: {
type: UserType,
args: {
id: { type: GraphQLString }
},
resolve: async (_, { id }, context: Context) => {
return context.dataloaders.userLoader.load(id);
},
extensions: {
cacheControl: { maxAge: 300 } // Cache for 5 minutes
}
},
users: {
type: new GraphQLList(UserType),
args: {
first: { type: GraphQLInt, defaultValue: 10 },
after: { type: GraphQLString },
search: { type: GraphQLString }
},
resolve: async (_, args, context: Context) => {
return await searchUsers(args);
},
extensions: {
complexity: ({ args }) => args.first * 2,
cacheControl: { maxAge: 60 }
}
}
}
});
// Create schema with security rules
export const schema = new GraphQLSchema({
query: QueryType,
// Add mutation and subscription types here
});
// Security and performance middleware
export const validationRules = [
depthLimit(7), // Limit query depth
createComplexityLimitRule(1000), // Limit query complexity
costAnalysis({
maximumCost: 1000,
defaultCost: 1,
createError: (max, actual) => {
return new Error(`Query cost ${actual} exceeds maximum cost ${max}`);
}
})
];
// DataLoader implementation for efficient data fetching
class DataLoaders {
userLoader: DataLoader<string, User>;
postsLoader: DataLoader<string, Post[]>;
constructor() {
this.userLoader = new DataLoader(async (userIds: readonly string[]) => {
const users = await getUsersByIds(Array.from(userIds));
return userIds.map(id => users.find(user => user.id === id));
});
this.postsLoader = new DataLoader(async (userIds: readonly string[]) => {
const posts = await getPostsByUserIds(Array.from(userIds));
return userIds.map(userId => posts.filter(post => post.authorId === userId));
});
}
}
// Context factory
export function createContext(req: any): Context {
return {
user: req.user,
dataloaders: new DataLoaders()
};
}Hybrid Approach: Best of Both Worlds
In practice, I often use both REST and GraphQL in the same application:
// hybrid-api-architecture.ts
import { GraphQLSchema } from 'graphql';
import { createYoga } from 'graphql-yoga';
class HybridAPIGateway {
private restRoutes: Map<string, Function> = new Map();
private graphqlSchema: GraphQLSchema;
constructor(graphqlSchema: GraphQLSchema) {
this.graphqlSchema = graphqlSchema;
this.setupRESTRoutes();
}
private setupRESTRoutes() {
// Simple CRUD operations stay as REST
this.restRoutes.set('GET /api/users/:id', this.getUser);
this.restRoutes.set('POST /api/users', this.createUser);
this.restRoutes.set('GET /api/health', this.healthCheck);
// Public APIs that need caching
this.restRoutes.set('GET /api/public/stats', this.getPublicStats);
}
// GraphQL for complex queries
private createGraphQLHandler() {
return createYoga({
schema: this.graphqlSchema,
context: this.createContext,
// Enable introspection only in development
graphiql: process.env.NODE_ENV === 'development'
});
}
// Route decision logic
async handleRequest(req: Request): Promise<Response> {
const url = new URL(req.url);
// Route to GraphQL for complex queries
if (url.pathname === '/api/graphql') {
return this.createGraphQLHandler()(req);
}
// Route to REST for simple operations
const restHandler = this.matchRESTRoute(req.method, url.pathname);
if (restHandler) {
return restHandler(req);
}
return new Response('Not Found', { status: 404 });
}
private matchRESTRoute(method: string, pathname: string): Function | null {
// Simple pattern matching for REST routes
for (const [pattern, handler] of this.restRoutes) {
if (this.matchPattern(pattern, `${method} ${pathname}`)) {
return handler;
}
}
return null;
}
private matchPattern(pattern: string, path: string): boolean {
// Implement route pattern matching
return pattern === path;
}
}Caching Strategies Compared
REST Caching
// rest-caching.ts
class RESTCacheStrategy {
// HTTP-based caching
static setResponseHeaders(res: Response, options: {
maxAge?: number;
staleWhileRevalidate?: number;
etag?: string;
}) {
const { maxAge = 300, staleWhileRevalidate = 600, etag } = options;
res.headers.set(
'Cache-Control',
`public, max-age=${maxAge}, stale-while-revalidate=${staleWhileRevalidate}`
);
if (etag) {
res.headers.set('ETag', etag);
}
}
// Edge caching with Vercel
static edgeConfig = {
'/api/users': { maxAge: '300s', staleWhileRevalidate: '600s' },
'/api/posts': { maxAge: '60s', staleWhileRevalidate: '120s' },
'/api/public/*': { maxAge: '3600s', staleWhileRevalidate: '86400s' }
};
}GraphQL Caching
// graphql-caching.ts
import { InMemoryCache } from '@apollo/client';
class GraphQLCacheStrategy {
// Response caching at resolver level
static createResponseCache() {
return new Map();
}
// Field-level caching
static cacheControl = {
user: { maxAge: 300 }, // 5 minutes
posts: { maxAge: 60 }, // 1 minute
publicData: { maxAge: 3600 } // 1 hour
};
// Client-side caching configuration
static clientCache = new InMemoryCache({
typePolicies: {
User: {
fields: {
posts: {
merge(existing = [], incoming) {
return [...existing, ...incoming];
}
}
}
}
}
});
// Persisted queries for better caching
static persistedQueries = new Map([
['getUserProfile', 'query GetUserProfile($id: ID!) { user(id: $id) { id name email avatar } }'],
['getUserPosts', 'query GetUserPosts($userId: ID!) { user(id: $userId) { posts { id title publishedAt } } }']
]);
}Migration Strategy: REST to GraphQL
When moving from REST to GraphQL, I use this gradual approach:
// migration-strategy.ts
class APIGradualMigration {
private phase: 'planning' | 'wrapper' | 'native' | 'cleanup' = 'planning';
// Phase 1: GraphQL wrapper over REST
async createGraphQLWrapper() {
return new GraphQLSchema({
query: new GraphQLObjectType({
name: 'Query',
fields: {
user: {
type: UserType,
args: { id: { type: GraphQLString } },
resolve: async (_, { id }) => {
// Call existing REST endpoint
const response = await fetch(`/api/users/${id}`);
return response.json();
}
}
}
})
});
}
// Phase 2: Migrate critical queries to native GraphQL
async migrateToNative(queryName: string) {
switch (queryName) {
case 'complexDashboard':
// Replace multiple REST calls with single GraphQL query
return this.createNativeDashboardResolver();
case 'userProfile':
// Keep simple queries as REST for now
return this.keepAsRESTWrapper();
}
}
// Phase 3: Performance monitoring
trackPerformance(apiType: 'REST' | 'GraphQL', queryName: string, metrics: {
responseTime: number;
dataSize: number;
errorRate: number;
}) {
// Track metrics to inform migration decisions
console.log(`${apiType} ${queryName}:`, metrics);
}
// Phase 4: Cleanup old REST endpoints
async cleanupUnusedEndpoints() {
// Remove REST endpoints that have been fully migrated
const unusedEndpoints = await this.identifyUnusedEndpoints();
return this.deprecateEndpoints(unusedEndpoints);
}
}Real-World Lessons Learned
After years of building APIs in production, here's what really matters:
- Start simple: Begin with REST for straightforward CRUD operations
- Add GraphQL gradually: Introduce it for complex, relationship-heavy queries
- Cache aggressively: Both approaches benefit from intelligent caching
- Monitor everything: Track performance, error rates, and developer experience
- Consider your team: GraphQL has a steeper learning curve
- Plan for scale: REST scales more predictably, GraphQL requires more optimization
The choice isn't binary—most successful APIs I've worked on use both REST and GraphQL where each excels. Focus on solving real problems rather than chasing architectural purity.