# GraphQL support on Zuplo

Zuplo treats GraphQL as a first-class backend. Proxy your existing GraphQL
server through the gateway, then layer on security, caching, analytics, and
documentation using policies built for the GraphQL request shape — where every
operation is a `POST` to a single URL, so URL-based gateway features don't
apply.

This page summarizes what Zuplo supports for GraphQL and links to each guide and
policy reference.

:::tip{title="New here?"}

Start with [Set up an endpoint](./graphql.mdx) to proxy your GraphQL API through
the gateway, then come back to layer on the capabilities below.

:::

## Connect and route

Proxy any GraphQL server through a `POST /graphql` route using the
[URL Rewrite handler](../handlers/url-rewrite.mdx). The Route Designer ships a
**GraphQL Endpoint** template, and the `x-graphql` route extension marks a route
as GraphQL so the gateway and Dev Portal treat it accordingly.

- [Set up an endpoint](./graphql.mdx) — add or mark a GraphQL route

## Secure the endpoint

GraphQL's flexibility is also its attack surface: a single request can nest
arbitrarily deep, fan out into thousands of resolver calls, or map your whole
schema through introspection. Zuplo closes these gaps at the edge.

| Risk                | What Zuplo does                                  |
| ------------------- | ------------------------------------------------ |
| Deep / costly query | Reject queries over a depth or complexity score  |
| Schema discovery    | Block introspection in production                |
| Schema over-sharing | Strip chosen types and fields from introspection |

- [Secure your GraphQL API](./graphql-security.mdx) — complexity limits and
  introspection controls

## Accelerate with caching

A normal CDN keys on the URL, so it can't cache GraphQL queries sent as request
bodies. The GraphQL cache parses each query, normalizes it into a canonical
form, and serves semantically identical queries from one edge cache entry.

- [Cache GraphQL responses](./graphql-caching.mdx) — serve repeated queries from
  the edge

## Observe traffic

Report GraphQL operations and their errors to analytics, even when the upstream
returns errors inside a `200` response. The GraphQL analytics dashboard surfaces
operation volume, latency, and error classes once traffic flows.

- [GraphQL analytics](../analytics/tabs/graphql.md) — monitor operations,
  latency, and errors

## Document in the Dev Portal

The `@zudoku/plugin-graphql` package renders a browsable type reference and an
interactive playground in your Dev Portal, generated from your schema or a live
endpoint. Register one instance per API.

- [Document the API in your Dev Portal](./graphql.mdx#document-the-api-in-your-dev-portal)
  — add the GraphQL plugin

## Expose GraphQL to AI agents

Turn GraphQL queries into MCP tools so AI agents can call your API through the
Model Context Protocol, with the same policies and auth applied.

- [MCP Server GraphQL endpoints](../mcp-server/graphql.mdx) — expose queries as
  MCP tools

## Policies at a glance

Every GraphQL-aware policy Zuplo ships, with its direction and purpose:

| Policy                                                                                           | Direction | Purpose                                           |
| ------------------------------------------------------------------------------------------------ | --------- | ------------------------------------------------- |
| [`graphql-cache-inbound`](../policies/graphql-cache-inbound.mdx)                                 | Inbound   | Cache repeated queries at the edge                |
| [`graphql-complexity-limit-inbound`](../policies/graphql-complexity-limit-inbound.mdx)           | Inbound   | Reject queries that are too deep or too expensive |
| [`graphql-disable-introspection-inbound`](../policies/graphql-disable-introspection-inbound.mdx) | Inbound   | Block schema introspection in production          |
| [`graphql-introspection-filter-outbound`](../policies/graphql-introspection-filter-outbound.mdx) | Outbound  | Hide chosen types and fields from introspection   |
| [`graphql-analytics-outbound`](../policies/graphql-analytics-outbound.mdx)                       | Outbound  | Report operations and errors to analytics         |

## Next steps

- [Set up an endpoint](./graphql.mdx) — proxy your GraphQL API through the
  gateway
- [Secure your GraphQL API](./graphql-security.mdx) — complexity limits and
  introspection controls
- [Cache GraphQL responses](./graphql-caching.mdx) — cut latency with edge
  caching
- [MCP Server GraphQL endpoints](../mcp-server/graphql.mdx) — expose queries to
  AI agents
