GraphQL support is now in general availability on the Supabase platform via our open source PostgreSQL extension,
[pg_graphql](https://supabase.github.io/pg_graphql/) (beta)
.
pg_graphql
enables you to query existing PostgreSQL databases using GraphQL, either from within SQL or over HTTP:
From SQL:
select graphql.resolve($$
{
accountCollection(first: 1) {
edges {
node {
id
firstName
address {
countryCode
}
}
}
}
}
$$);
or over HTTP:
curl -X POST https://<PROJECT_REF>.supabase.co/graphql/v1 \
-H 'apiKey: <API_KEY>'\
-H 'Content-Type: application/json' \
--data-raw '
{
"query":"{ accountCollection(first: 3) { edges { node { id } } } }"
}'
Schema Reflection
GraphQL types and fields are reflected from the SQL schema:
- Tables become types
- Columns become fields
- Foreign keys become relations
For example:
create table "Account"(
"id" serial primary key,
"email" varchar(255) not null,
"createdAt" timestamp not null,
"updatedAt" timestamp not null
);
Translates to the GraphQL base type
type Account {
id: Int!
email: String!
createdAt: DateTime!
updatedAt: DateTime!
}
And exposes bulk CRUD operations on the Query
and Mutation
types, complete with relay style keyset pagination, filters, and ordering and (optional) name inflection.
type Query {
accountCollection(
first: Int
last: Int
before: Cursor
after: Cursor
filter: AccountFilter
orderBy: [AccountOrderBy!]
): AccountConnection
}
type Mutation {
insertIntoAccountCollection(
objects: [AccountInsertInput!]!
): AccountInsertResponse
updateAccountCollection(
set: AccountUpdateInput!
filter: AccountFilter
atMost: Int! = 1
): AccountUpdateResponse!
deleteFromAccountCollection(
filter: AccountFilter
atMost: Int! = 1
): AccountDeleteResponse!
For a complete example with relationships, check out the reflection docs.
Security
An advantage to embedding GraphQL directly in the database is that we can lean on PostgreSQL's built-in primitives for authentication and authorization.
Authentication
The GraphQL types exposed by pg_graphql
are filtered according to the SQL role's INSERT/UPDATE/DELETE permissions.
At Supabase, each API request is resolved in the database using the role in the request's JWT.
Anonymous users receive the anon
role, and logged in users get the authenticated
role. In either case, pg_graphql resolves requests according to the SQL permissions.
The introspection schema is similarly filtered to limit exposed types and fields to those that the user has permission to access.
That means we can serve multiple GraphQL schemas for users of differing privilege levels from a single endpoint!
Authorization
Another nice side effect of making PostgreSQL do the heavy lifting is that GraphQL queries respect your existing row level security policies right out-of-the-box. No additional configuration required.
Performance
Each free tier database on the Supabase platform runs on a dedicated AWS t4g.micro instance with 2 vCPUs and 1 GB of memory. To squeeze the most out of that limited hardware we had to make a few significant optimizations:
GraphQL queries are always transpiled into exactly one SQL query
The SQL queries select and aggregate requested data into the shape of the GraphQL JSON response. In addition to solving the N+1 query problem, a common issue with GraphQL resolvers, GraphQL queries requiring multiple joins typically produce significantly less IO due to reduced data duplication.
For example, when selecting all comments for a blog post:
select
blog_posts.title,
comments.body as comment_body
from
blog_posts
join
comments on blog_posts.id = comments.blog_post_id
a SQL response would duplicate all data from the blog_posts
table (title).
| title | comment_body |
| ---------- | ------------------------------ |
| F1sRt P0$T | this guy gets it! |
| F1sRt P0$T | you should re-write it in rust |
| F1sRt P0$T | 10% off daily vitamin http:... |
Compared to the equivalent GraphQL response.
{
"blogPostCollection": {
"edges": {
"node":
"title": "F1sRt P0$T"
"commentCollection": {
"edges": [
"node": {
"body": "this guy gets it!"
},
"node": {
"body": "you should re-write it in rust"
},
"node": {
"body": "10% off daily vitamin http:..."
}
]
}
}
}
}
}
Which has no duplication of data.
The difference in payload size is negligible in this case, but as the number of 1-to-many joins grows, data duplication in the SQL response grows geometrically.
Queries are cached as prepared statements
After a GraphQL query is transpiled to SQL, it is added to the prepared statement cache so subsequent requests with the same structure (think pagination) can skip the transpilation step.
Using prepared statements also allows PostgreSQL to skip the overhead of computing a query plan. For small, on-index, queries, the query planning step can take several times as long as the query's execution time, so the saving is significant at scale.
All operations are bulk
Finally, all reflected query and mutation fields support bulk operations to nudge users towards consuming the API efficiently. Batching similar operations reduces network round-trips and time spent in the database.
Result
As a result of these optimizations, the throughput of a “hello world” equivalent query on Supabase free-tier hardware is:
- 377.4 requests/second through the API (mean)
- 656.2 queries/second through SQL (single connection, mean)
Getting Started
To enable GraphQL in your Supabase instance, enable pg_graphql
from the dashboard.
Or create the extension in your database
create extension pg_graphql;
And we're done!
The GraphQL endpoint is available at: https://<project_ref>.supabase.co/graphql/v1
Example app: Build a HN clone with Postgres and GraphQL
We're excited to have worked with The Guild to show you how to use pg_graphql
and their tools to build a HackerNews clone.
The demo application showcases:
- CRUD (Query + Mutation Operations).
Data is fetched from the GraphQL layer auto-generated via
pg_graphql
. - Cursor Based Pagination.
pg_graphql
generates standardized pagination types and fields as defined by the GraphQL Cursor Connections Specification. - Authorization / RLS. GraphQL requests made include Supabase authorization headers so that Row Level Security on the Postgres layer ensures that viewers can only access what they are allowed to — and authenticated users can only update what they should.
- Code generation. Introspect your GraphQL schema and operations to generates the types for full backend to frontend type-safety.
- Postgres Triggers and Functions. Recalculate the feed scoring each time someone votes.
- Supabase UI. Use Auth widget straight out the box to handle logins and access tokens.
Now instead of using the Supabase PostgREST API to query your database ...
// using Supabase PostgREST
const { data, error } = await supabase
.from('profile')
.select('id, username, bio, avatarUrl, website')
... all data fetching and updates are done using the same GraphQL operations you know and love! 🤯
// using GraphQL
query ProfilesQuery {
profileCollection {
edges {
node {
id
username
bio
avatarUrl
website
}
}
}
}
🎁 Get the code on GitHub here: github.com/supabase-community/supabase-graphql-example
Supabase + The Guild
This is just the start of what we hope to be a close collaboration with the Guild, whose expertise of the GraphQL ecosystem will guide the development of Supabase's GraphQL features. The Guild and Supabase share a similar approach to open source - we both favor collaboration and composability, making collaboration easy and productive.
Be sure to visit The Guild and follow them to stay informed of the latest developments in GraphQL.
Limitations & Roadmap
Our first general availability release of pg_graphql
supports:
- Full CRUD on table columns with scalar types
- Read only support for array types
- Extending types with computed fields
- Configuration with SQL comments
In the near term, we plan to fully support array and json/b types. Longer term, we intend to support views and custom mutations from user defined functions.
Didn't see the feature you're interested in? Let us know