GraphQL persisted queries (hash allowlist)

GraphQL endpoints can be abused with huge queries that are expensive to parse and execute. Persisted queries let clients send a hash of a known query (e.g. sha256:...) instead of the full query text, and the server only executes queries whose hash is on its allowlist. This reduces payload size, improves caching, and makes it easier to control which queries reach production. I like that it creates a reviewable surface area: you can audit the allowlist and know what’s running.

The operational trick is rollout: accept both full queries and hashes initially, then enforce hashes once clients are updated. Persisted queries aren’t a silver bullet, but they’re a pragmatic hardening step once GraphQL usage grows.