Third-party API (opt-in)

Use this role for an API that must accept operations authored by untrusted or third-party clients. This is a more niche use case for GraphQL that requires more complex protections against malicious requests; we recommend implementing a first-party API if your use case supports it.

Intended for

  • Public platform APIs
  • Partner ecosystems

Notes

  • Only use this where trusted documents cannot be implemented.
  • Keep strict parse/validation/runtime protections enabled by default.
  • Consider disabling introspection by default and instead publishing the schema definition (SDL) through a separate integrator channel.
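
The notes above, sketched as a lexical pre-check that bounds token count and nesting depth and rejects introspection entry points before an untrusted operation reaches the server's parser. This is an added example, not code from this documentation or from any GraphQL library; the function name, the limit values and the sample operations are assumptions.

```javascript
// Added example. Limit values are illustrative assumptions, not from the page.
const LIMITS = { maxTokens: 500, maxDepth: 8, allowIntrospection: false };

// GraphQL lexical tokens: comment, block string, string, name, number,
// spread, single-character punctuator. Sticky (y) so matching is positional.
const TOKEN = /#[^\n\r]*|"""(?:\\"""|[\s\S])*?"""|"(?:\\.|[^"\\\n])*"|[_A-Za-z]\w*|-?\d[\w.+-]*|\.\.\.|[!$&()\[\]{}:=@|]/y;
const IGNORED = /[\s,\uFEFF]+/y; // whitespace, commas and BOM carry no meaning

// Lexical pre-check to run before the server's own parse and validation.
// Brace depth also counts input-object literals, so it over-approximates
// selection depth; for an untrusted caller that errs on the safe side.
function checkUntrustedOperation(source, limits = LIMITS) {
  let pos = 0, tokens = 0, depth = 0, maxDepth = 0;
  while (pos < source.length) {
    IGNORED.lastIndex = pos;
    if (IGNORED.test(source)) { pos = IGNORED.lastIndex; continue; }
    TOKEN.lastIndex = pos;
    const m = TOKEN.exec(source);
    if (!m) return { ok: false, reason: "syntax" };
    pos = TOKEN.lastIndex;
    const tok = m[0];
    if (tok[0] === "#") continue; // comments are not counted as tokens
    if (++tokens > limits.maxTokens) return { ok: false, reason: "too-many-tokens" };
    if (tok === "{") {
      maxDepth = Math.max(maxDepth, ++depth);
      if (maxDepth > limits.maxDepth) return { ok: false, reason: "too-deep" };
    } else if (tok === "}") {
      if (--depth < 0) return { ok: false, reason: "syntax" };
    } else if (!limits.allowIntrospection && (tok === "__schema" || tok === "__type")) {
      // __typename is a different name token and stays allowed.
      return { ok: false, reason: "introspection-disabled" };
    }
  }
  return depth === 0 ? { ok: true, tokens, maxDepth } : { ok: false, reason: "syntax" };
}

// Constructed sample operations.
const samples = [
  'query { user(id: "1") { name __typename } }',
  "{ __schema { types { name } } }",
  '{ search(q: "__schema") { id } }',
  "{a".repeat(9) + "}".repeat(9),
];
for (const s of samples) console.log(JSON.stringify(checkUntrustedOperation(s)));
```

A check like this only rejects oversized or introspecting input early; full parsing, schema validation and runtime limits still apply afterwards.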