# An Empirical Study of GraphQL Schemas

**Authors:** Erik Wittern, Alan Cha, James C. Davis, Guillaume Baudart, and Louis Mandel

arXiv: 1907.13012 · 2019-07-31

## TL;DR

This study analyzes real-world GraphQL schemas from commercial sources and GitHub to understand their design patterns, security vulnerabilities, and best practices, providing valuable insights for API developers and researchers.

## Contribution

The paper presents the first large-scale empirical analysis of GraphQL schemas, revealing common design practices and security issues, and addressing gaps in the understanding of GraphQL interface design.

## Key findings

- Most schemas are susceptible to denial of service attacks.
- Schemas vary significantly in size and feature usage.
- Many APIs do not follow recommended naming conventions.

## Abstract

GraphQL is a query language for APIs and a runtime to execute queries. Using GraphQL queries, clients define precisely what data they wish to retrieve or mutate on a server, leading to fewer round trips and reduced response sizes. Although interest in GraphQL is on the rise, with increasing adoption at major organizations, little is known about what GraphQL interfaces look like in practice. This lack of knowledge makes it hard for providers to understand what practices promote idiomatic, easy-to-use APIs, and what pitfalls to avoid. To address this gap, we study the design of GraphQL interfaces in practice by analyzing their schemas - the descriptions of their exposed data types and the possible operations on the underlying data. We base our study on two novel corpuses of GraphQL schemas, one of 16 commercial GraphQL schemas and the other of 8,399 GraphQL schemas mined from GitHub projects. We make both corpuses available to other researchers. Using these corpuses, we characterize the size of schemas and their use of GraphQL features and assess the use of both prescribed and organic naming conventions. We also report that a majority of APIs are susceptible to denial of service through complex queries, posing real security risks previously discussed only in theory. We also assess ways in which GraphQL APIs attempt to address these concerns.
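As an added example (not code from the paper or its corpus tooling), here is a simplified version of the structural check behind the abstract's denial-of-service finding: when object types reference each other in a cycle, a client can nest those fields to arbitrary depth, and any list-returning field on the cycle that lacks a slicing argument such as `first` multiplies the response size at every level. The schema representation, the toy schema and the slicing-argument names are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed, simplified schema form: type -> {field: (return type, returns list, arg names)}.
# Scalar fields are omitted; only object-type references create nesting.
Field = Tuple[str, bool, List[str]]
Schema = Dict[str, Dict[str, Field]]

TOY_SCHEMA: Schema = {
    "Query": {"users": ("User", True, ["first"])},
    "User": {"friends": ("User", True, []), "posts": ("Post", True, ["first"])},
    "Post": {"author": ("User", False, []), "comments": ("Comment", True, [])},
    "Comment": {"post": ("Post", False, []), "author": ("User", False, [])},
}

# Assumed argument names that bound how many list items a field returns.
SLICING_ARGS = {"first", "last", "limit", "count"}


def find_cycles(schema: Schema, root: str = "Query") -> List[List[Tuple[str, str]]]:
    """Return each simple cycle reachable from `root` as a list of (type, field) edges."""
    found, seen = [], set()

    def walk(current: str, path: List[Tuple[str, str, str]]) -> None:
        on_path = [e[0] for e in path] + [current]          # types along the current path
        for field, (target, _, _) in schema.get(current, {}).items():
            if target in on_path:                            # back edge: closes a cycle
                start = on_path.index(target)
                cycle = [(t, f) for t, f, _ in path[start:]] + [(current, field)]
                if frozenset(cycle) not in seen:
                    seen.add(frozenset(cycle))
                    found.append(cycle)
            else:
                walk(target, path + [(current, field, target)])

    walk(root, [])
    return found


def unbounded_list_fields(schema: Schema, cycle: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Fields on the cycle that return lists without any slicing argument."""
    return [(t, f) for t, f in cycle
            if schema[t][f][1] and not SLICING_ARGS.intersection(schema[t][f][2])]


def assess(schema: Schema) -> dict:
    """Classify a schema under this example's simplified susceptibility criterion."""
    cycles = find_cycles(schema)
    unbounded = {e for c in cycles for e in unbounded_list_fields(schema, c)}
    return {"cycles": len(cycles), "unbounded_list_fields": sorted(unbounded),
            "allows_unbounded_depth": bool(cycles)}
```

Slicing arguments bound breadth only; nesting depth along a cycle still has to be capped server-side, for example with a query depth or cost limit.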

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1907.13012/full.md

## Figures

9 figures with captions in the complete paper: https://tomesphere.com/paper/1907.13012/full.md

## References

31 references — full list in the complete paper: https://tomesphere.com/paper/1907.13012/full.md

---
Source: https://tomesphere.com/paper/1907.13012