GraphQL support on Zuplo
Zuplo treats GraphQL as a first-class backend. Proxy your existing GraphQL
server through the gateway, then layer on security, caching, analytics, and
documentation using policies built for the GraphQL request shape — where every
operation is a POST to a single URL, so URL-based gateway features don't
apply.
This page summarizes what Zuplo supports for GraphQL and links to each guide and policy reference.
New here?
Start with Set up an endpoint to proxy your GraphQL API through the gateway, then come back to layer on the capabilities below.
Connect and route
Proxy any GraphQL server through a POST /graphql route using the
URL Rewrite handler. The Route Designer ships a
GraphQL Endpoint template, and the x-graphql route extension marks a route
as GraphQL so the gateway and Dev Portal treat it accordingly.
- Set up an endpoint — add or mark a GraphQL route
Secure the endpoint
GraphQL's flexibility is also its attack surface: a single request can nest arbitrarily deep, fan out into thousands of resolver calls, or map your whole schema through introspection. Zuplo closes these gaps at the edge.
| Risk | What Zuplo does |
|---|---|
| Deep / costly query | Reject queries over a depth or complexity score |
| Schema discovery | Block introspection in production |
| Schema over-sharing | Strip chosen types and fields from introspection |
- Secure your GraphQL API — complexity limits and introspection controls
Accelerate with caching
A normal CDN keys on the URL, so it can't cache GraphQL queries sent as request bodies. The GraphQL cache parses each query, normalizes it into a canonical form, and serves semantically identical queries from one edge cache entry.
- Cache GraphQL responses — serve repeated queries from the edge
Observe traffic
Report GraphQL operations and their errors to analytics, even when the upstream
returns errors inside a 200 response. The GraphQL analytics dashboard surfaces
operation volume, latency, and error classes once traffic flows.
- GraphQL analytics — monitor operations, latency, and errors
Document in the Dev Portal
The @zudoku/plugin-graphql package renders a browsable type reference and an
interactive playground in your Dev Portal, generated from your schema or a live
endpoint. Register one instance per API.
- Document the API in your Dev Portal — add the GraphQL plugin
Expose GraphQL to AI agents
Turn GraphQL queries into MCP tools so AI agents can call your API through the Model Context Protocol, with the same policies and auth applied.
- MCP Server GraphQL endpoints — expose queries as MCP tools
Policies at a glance
Every GraphQL-aware policy Zuplo ships, with its direction and purpose:
| Policy | Direction | Purpose |
|---|---|---|
graphql-cache-inbound | Inbound | Cache repeated queries at the edge |
graphql-complexity-limit-inbound | Inbound | Reject queries that are too deep or too expensive |
graphql-disable-introspection-inbound | Inbound | Block schema introspection in production |
graphql-introspection-filter-outbound | Outbound | Hide chosen types and fields from introspection |
graphql-analytics-outbound | Outbound | Report operations and errors to analytics |
Next steps
- Set up an endpoint — proxy your GraphQL API through the gateway
- Secure your GraphQL API — complexity limits and introspection controls
- Cache GraphQL responses — cut latency with edge caching
- MCP Server GraphQL endpoints — expose queries to AI agents