REST vs GraphQL
REST defines resources as URLs and uses HTTP verbs to act on them. GraphQL exposes a single endpoint and lets clients specify exactly what data they need. Neither is universally better — the right choice depends on who your API consumers are and how complex your data graph is.
TL;DR
- REST: multiple endpoints, HTTP verbs (GET/POST/PUT/DELETE), HTTP caching, simple tooling, universally understood. Default for public APIs.
- GraphQL: single endpoint, query language, client-specified fields, eliminates over/under-fetching. Best for complex data graphs and first-party clients.
- REST wins on: caching, simplicity, public API developer experience, tooling breadth.
- GraphQL wins on: flexible data fetching, reducing round trips, schema introspection, mobile bandwidth efficiency.
At a Glance
| Attribute | REST | GraphQL |
|---|---|---|
| Endpoint structure | Multiple resource endpoints (/users, /posts) | Single endpoint (/graphql) |
| Data fetching | Server-defined response shape | Client-defined — request exactly what you need |
| HTTP caching | Native — GET requests cached by CDN/proxy | Harder — all queries are typically POST |
| Over-fetching | Common — endpoint returns fixed fields | Eliminated — client specifies fields |
| Under-fetching | Requires multiple round trips | Solved — fetch related data in one query |
| Versioning | /v1, /v2 URL versioning | Schema evolution — additive, versionless |
| Tooling | curl, Postman, any HTTP client | Requires GraphQL client or playground |
| Learning curve | Low — standard HTTP concepts | Medium — query language, resolvers, schema |
| Public API DX | Excellent — widely understood | Good — requires GraphQL knowledge |
| N+1 problem | Typically solved at API design level | Requires DataLoader pattern to avoid |
| Security considerations | Standard HTTP auth, rate limiting | Query complexity attacks, introspection exposure |
Quick Decision
Use REST when…
- You're building a public API for third-party developers
- HTTP caching at CDN/proxy layer is critical (high read traffic)
- Your data model is simple — CRUD on a handful of resources
- Your consumers use diverse tech stacks and need simple HTTP clients
- You want simple operability — curl, browser, any language
- You're integrating with existing REST-only systems or partners
Use GraphQL when…
- You control all API consumers (first-party web and mobile clients)
- You have a complex, deeply connected data graph
- Mobile clients need bandwidth efficiency (specify only needed fields)
- Different clients (web, iOS, Android) need different data shapes
- You want to aggregate multiple microservices behind one API surface
- Rapid front-end iteration without back-end API changes
Deep Dive
REST — Representational State Transfer
REST is an architectural style (not a protocol) defined by Roy Fielding in his 2000 doctoral dissertation. It models APIs around resources — nouns — and uses HTTP verbs to define actions: GET (read), POST (create), PUT/PATCH (update), DELETE (remove). A URL like /api/users/42/orders immediately communicates resource hierarchy to any developer.
REST's superpower is HTTP caching. GET responses can be cached by browsers, CDNs, and proxy servers — reducing origin server load dramatically for read-heavy APIs. A public news API serving millions of readers benefits enormously from CDN caching: one cache hit serves thousands of users with zero server cost. GraphQL's typical POST-to-single-endpoint pattern bypasses this entirely.
REST's weaknesses: over-fetching (endpoints return fixed payloads regardless of what the client needs) and under-fetching (related data requires multiple requests). These problems compound in mobile contexts where bandwidth is constrained and latency is variable.
GraphQL — Graph Query Language
GraphQL was developed by Facebook in 2012 and open-sourced in 2015. It emerged from the practical problem of building Facebook's mobile app: hundreds of different UI components needing different data shapes from a complex social graph, with REST endpoints that were either under-serving (requiring N+1 round trips) or over-serving (returning enormous payloads mobile couldn't efficiently process).
GraphQL's defining feature: the client decides the shape of the response. A query like { user(id: "42") { name, avatar, posts { title, createdAt } } } returns exactly those fields — no more, no less. This makes GraphQL exceptionally powerful for product teams where front-end developers iterate UI without needing back-end API changes for every new data requirement.
GraphQL's weaknesses: HTTP caching is difficult (workaround: persisted queries via GET), N+1 database queries without DataLoader, query complexity attacks require explicit depth/complexity limits, and the learning curve for new developers is higher than standard REST.
Real-World Patterns
GitHub's Dual API Strategy
GitHub offers both a REST API (v3) and a GraphQL API (v4). The REST API covers simple operations — creating issues, listing repos, webhooks — and is what most third-party integrations use. The GraphQL API allows first-party GitHub.com front-end to fetch complex data in one round trip: a repository page might need repo metadata, recent commits, open PRs, contributor list, and issue counts — one GraphQL query vs 5–6 REST calls. Both APIs coexist because they serve different consumer needs.
The Mobile Bandwidth Case
A social media app has a feed page showing: user avatar, username, post thumbnail, like count, comment count, and 2 preview comments. A REST /feed endpoint returns full user objects (50 fields), full post objects (30 fields), and full comment objects (15 fields each) — perhaps 4KB per post item. A GraphQL query requesting only the 6 needed fields per item reduces payload to ~400 bytes per post item — a 10× bandwidth reduction. On 4G LTE this is marginal; on 2G or weak signal it's the difference between a usable and unusable app.
The Public API REST Default
Stripe, Twilio, SendGrid, Shopify Partners API, and virtually every public API designed for third-party developer consumption use REST. The reason is simple: REST requires no special client library, no schema download, no query language knowledge. Any developer with a language's built-in HTTP library and the API docs can make their first call within minutes. GraphQL's introspection and playground are powerful — but they add onboarding friction that public API providers optimising for developer adoption prefer to avoid.
GraphQL Federation for Microservices
Large organisations (Netflix, Expedia) use GraphQL Federation: each microservice owns a portion of the graph schema, and a gateway layer federates queries across services. A user query might resolve user fields from the identity service, order history from the orders service, and recommendations from the ML service — all transparent to the client making a single GraphQL query. This avoids building a BFF (Backend for Frontend) REST aggregation layer while maintaining microservice ownership. Apollo Federation is the dominant implementation.
Verdict: REST by Default, GraphQL When the Data Graph Demands It
Start with REST. It's simpler to build, debug, cache, and document. For most APIs — especially public-facing ones — REST is the right default. The infrastructure of the web (CDNs, proxies, browsers) is built around REST's HTTP semantics.
Add GraphQL when your product has a complex, deeply connected data model and you control the consumers. Building a product with a sophisticated web and mobile client that needs flexible data access without repeated round trips? GraphQL pays off. Building a webhook-based integration API for third-party developers? REST keeps them from needing to install Apollo Client.
Decision Checklist
| Scenario | Choose |
|---|---|
| Public API for third-party developers | REST |
| First-party mobile app with complex data needs | GraphQL |
| Simple CRUD microservice | REST |
| Aggregating data from 5+ microservices for one UI | GraphQL |
| High-volume read API with CDN caching | REST |
| Rapid front-end iteration without API changes | GraphQL |
| Government or enterprise integration | REST |
| Building a design system or component library API | GraphQL |
| Webhook delivery or event notification API | REST |
| Mobile app with bandwidth-constrained users | GraphQL |
| Simple internal admin panel API | REST |
| Complex social graph or interconnected data | GraphQL |
Frequently Asked Questions
Does GraphQL always outperform REST?
No. GraphQL reduces over-fetching and under-fetching on the wire, which benefits bandwidth-constrained clients (mobile) and complex data graphs. But GraphQL queries cannot be cached by HTTP intermediaries (CDNs, proxies) the way REST GET requests can, because all queries are typically POST requests to a single endpoint. For public APIs with high read traffic, REST with HTTP caching often outperforms GraphQL significantly because CDN cache hits cost nearly zero server resources.
What is over-fetching and under-fetching?
Over-fetching: a REST endpoint returns more data than the client needs. A /users/:id endpoint might return 20 fields when the UI only needs name and avatar. All 20 fields are serialised, transmitted, and deserialised — wasted bandwidth and CPU. Under-fetching: a client needs data that requires multiple round trips. A blog post page needs /posts/:id, then /users/:authorId, then /comments?postId=:id — three sequential requests, each adding latency. GraphQL solves both: the client specifies exactly which fields it needs across any number of resources in a single query.
Is REST dead?
No. REST remains the dominant API style globally. The vast majority of public APIs (GitHub, Stripe, Twilio, AWS, every payment gateway, every government API) are REST. GraphQL has grown significantly — Facebook, GitHub, Shopify, GitHub all offer GraphQL APIs — but as a complement or replacement for internal/product APIs, not as an industry-wide replacement. REST's simplicity, universal tooling support, and HTTP caching make it the default choice for most API design decisions.
Can you use GraphQL and REST together?
Yes, and many large companies do. A common pattern: public-facing REST API (easier for third-party developers to consume, stable versioning) + internal GraphQL API (used by first-party web and mobile clients that need flexible, efficient data fetching). GraphQL can also sit in front of multiple REST microservices as a graph layer — clients query GraphQL, which federates requests across internal REST services. This architecture is popular at companies like Netflix and Airbnb.
How does GraphQL handle versioning?
GraphQL is designed to be versionless. Instead of creating /v2/ endpoints, you evolve the schema by adding new fields (non-breaking) and marking old fields as deprecated. Clients that haven't updated still receive the old fields; new clients use new fields. This is elegant but requires discipline: removing deprecated fields is a breaking change and requires coordination with all clients. REST versioning (/v1, /v2) is more explicit but creates parallel maintenance burden. GraphQL's schema evolution approach works best when you control all API consumers.
Is GraphQL harder to secure than REST?
GraphQL introduces security challenges that REST doesn't have. (1) Query depth/complexity attacks: a deeply nested GraphQL query can trigger exponential database joins. REST endpoints have fixed complexity; GraphQL queries can be crafted to be arbitrarily expensive. Mitigations: query depth limits, query complexity scoring, persisted queries. (2) Introspection exposure: GraphQL's introspection feature allows any client to discover the full schema — useful for development, a risk in production if schema reveals internal data model. Disable introspection in production for sensitive APIs. REST doesn't have this problem.
What is the N+1 problem in GraphQL?
The N+1 problem occurs when a GraphQL resolver fetches related data inefficiently. Querying 10 blog posts then resolving each post's author separately triggers 1 query for posts + 10 queries for authors = 11 database queries. In REST, a well-designed endpoint would JOIN and return all data in 1 query. The GraphQL solution is DataLoader (batching and caching): it collects all author IDs requested within a tick and resolves them in a single batched query. Without DataLoader, GraphQL APIs can generate dramatically more database load than equivalent REST endpoints.
Which is easier for third-party API consumers?
REST is significantly easier for third-party consumers. REST APIs work with any HTTP client, curl, Postman, browser fetch, or any programming language's HTTP library — zero special tooling. GraphQL requires understanding the query language, schemas, and ideally a GraphQL client library (Apollo, urql, URQL). For public APIs consumed by developers who may be unfamiliar with GraphQL, REST reduces onboarding friction substantially. This is why most public APIs (Stripe, Twilio, Sendgrid) default to REST even when internally using GraphQL.
Related Comparisons
Verdict: Choose Based On Your Situation
REST
- You need simple, standard API design
- You're building straightforward applications
- You want good caching and HTTP conventions
- You have simple data relationships
GraphQL
- You need flexible data querying
- You have complex nested data structures
- You want single endpoint for multiple resources
- You're optimizing client-specific queries