zuplo/zuplo-graphql-example

zuplo-graphql-example

At Zuplo, we're passionate about empowering developers to build robust, scalable, and dynamic applications. That's why we love GraphQL!

Live demo & Example

It's deployed on Zuplo, so you can check out the live demo here:

https://graphlq-example-main-062e49c.zuplo.app/graphql

Check out config/routes.oas.json to learn how to set up GraphQL with Zuplo, and config/policies.json to see how to configure the GraphQL policies.

What's in this example?

This example demonstrates how to use Zuplo's GraphQL API Gateway with a GraphQL API. The example demonstrates the following things:

  • Adding a depth limit to your GraphQL API
  • Adding a query cost / complexity limit to your GraphQL API
  • Filtering types and fields out of introspection responses
  • Reporting failed GraphQL operations to Zuplo's GraphQL analytics dashboard
  • Exposing the GraphQL API to AI agents as an MCP server

Depth Limit

A depth limit caps how deeply a GraphQL query can nest. This is useful for preventing malicious queries that could cause a denial-of-service attack on your GraphQL API.

Query Cost Limit

A query cost limit caps the cost (complexity) of a GraphQL query. This is useful for preventing malicious queries that could cause a denial-of-service attack on your GraphQL API.

Introspection Filter

The GraphQL Introspection Filter policy (graphql-introspection-filter-policy) removes specific types and fields from introspection responses, so you can hide internal or sensitive parts of your schema from clients and AI agents while keeping introspection enabled. Edit the excludeTypes and excludeTypeFields options in config/policies.json to match your own schema.

If you instead want to block introspection entirely on the public endpoint, the example also includes the GraphQL Disable Introspection policy (graphql-disable-introspection-policy) ready to drop into the route's inbound policies. Note that introspection must stay enabled for the MCP server (below) to discover the schema.
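The kind of filtering described above, as an added JavaScript example that is not part of this repository or Zuplo's implementation: it removes excluded types and fields from a constructed introspection response and also drops fields and arguments that would still name a hidden type. The option shapes and the sample schema (User, InternalAuditEntry, passwordHash) are assumptions.

```javascript
// Added illustration of introspection filtering; not Zuplo's implementation.
// Assumed option shapes: excludeTypes = [typeName], excludeTypeFields = { typeName: [fieldName] }.

// Follow NON_NULL / LIST wrappers down to the named type a reference points at.
function namedType(ref) {
  while (ref && ref.ofType) ref = ref.ofType;
  return ref ? ref.name : null;
}

function filterIntrospection(body, { excludeTypes = [], excludeTypeFields = {} } = {}) {
  const schema = body && body.data && body.data.__schema;
  if (!schema) return body; // not a schema introspection response: pass through
  const hiddenTypes = new Set(excludeTypes);
  const visible = (ref) => !hiddenTypes.has(namedType(ref));
  const types = schema.types
    .filter((t) => !hiddenTypes.has(t.name))
    .map((t) => {
      const hiddenFields = new Set(excludeTypeFields[t.name] || []);
      const keep = (f) => !hiddenFields.has(f.name) && visible(f.type);
      const out = { ...t }; // copy so the upstream response object is not mutated
      // Drop listed fields, plus any field or argument that would still name a hidden type.
      if (t.fields) {
        out.fields = t.fields.filter(keep)
          .map((f) => ({ ...f, args: (f.args || []).filter((a) => visible(a.type)) }));
      }
      if (t.inputFields) out.inputFields = t.inputFields.filter(keep);
      if (t.possibleTypes) out.possibleTypes = t.possibleTypes.filter(visible);
      return out;
    });
  return { ...body, data: { ...body.data, __schema: { ...schema, types } } };
}

// Constructed sample: a trimmed introspection response for a hypothetical schema.
const named = (name, kind = "OBJECT") => ({ kind, name, ofType: null });
const nonNullList = (name) => ({ kind: "NON_NULL", name: null, ofType: { kind: "LIST", name: null, ofType: named(name) } });
const sample = { data: { __schema: { queryType: { name: "Query" }, types: [
  { kind: "OBJECT", name: "Query", fields: [
    { name: "user", args: [], type: named("User") },
    { name: "auditLog", args: [], type: nonNullList("InternalAuditEntry") } ] },
  { kind: "OBJECT", name: "User", fields: [
    { name: "id", args: [], type: named("ID", "SCALAR") },
    { name: "passwordHash", args: [], type: named("String", "SCALAR") } ] },
  { kind: "OBJECT", name: "InternalAuditEntry", fields: [
    { name: "actor", args: [], type: named("User") } ] },
] } } };

const filtered = filterIntrospection(sample, { excludeTypes: ["InternalAuditEntry"], excludeTypeFields: { User: ["passwordHash"] } });
console.log(JSON.stringify(filtered.data.__schema.types.map((t) => [t.name, t.fields.map((f) => f.name)])));
// → [["Query",["user"]],["User",["id"]]]
```

This function only edits the introspection response; whether a hidden field can still be queried by name is decided by authorization on the API itself.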

GraphQL Analytics

GraphQL servers typically return 200 OK with an errors[] array when an operation fails, so failures are invisible to HTTP-level analytics. The route is marked with "x-graphql": true, which surfaces it on Zuplo's GraphQL analytics dashboard, and the GraphQL Analytics policy (graphql-analytics-policy) reads the response body, counts the GraphQL errors, and classifies each one (syntax, validation, auth, timeout, or resolver) so failed operations show up as failures instead of successes.

GraphQL MCP Server

The /graphql route is annotated with mcp.type: "graphql", and a new /mcp route runs the mcpServerHandler. Together they expose the GraphQL API to AI assistants (Claude, ChatGPT, and any MCP client) as an MCP server with two automatically generated tools:

  • An introspection tool (zupper_schema) that fetches the schema so the agent understands the available queries, mutations, and types
  • An execute tool (zupper_query) that runs GraphQL queries against the endpoint

Any authentication, rate limiting, and the introspection filter applied to the /graphql route carry forward to the MCP server, so AI agents only ever see the schema you choose to expose.
