For APIs, REST is the normal way. But REST is not perfect.
You can, for instance, end up with too many requests. If you request a user
(/users/1) and the user has a list of friends, you have to grab the user
page of each of those friends as well. You could make a special endpoint that
returns the names of the friends, but then you end up with lots of endpoints
(/users-with-friends-and-images/1). Or with very
big responses that contain everything you might ever need.
GraphQL was created to solve some of these issues. You have a single
/graphql endpoint, which you POST to. You post the data structure that you
want to get back. There's the option of adding types. So you're not bound to
pre-defined REST responses: you tell the server exactly how much or how little you
need and in what form.
Almost every GraphQL instance has introspection enabled. You can discover the API that way, including which data types to expect.
There is also integration for Django REST framework in graphene-django. Quite useful when you already have all of your serializers.
For trying out a GraphQL API, https://github.com/graphql/graphiql is a handy in-browser IDE to "play" with it.
(He demoed it: looked nice and useful.)
What about security/authentication? Standard session-based authentication. Or you can use an authentication header.
What about malicious queries? You could get big, exploding responses by following a foreign key relation back and forth (author->posts->authors->posts etc.).
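The exploding author->posts->authors->posts query above is the kind of thing you want to reject before it ever hits the database. As an added example (not code from the talk, from graphene-django or from graphql-core), here is a small standard-library-only depth check over a raw GraphQL document: it counts selection-set nesting while ignoring braces inside string literals and comments, and rejects anything deeper than a configurable limit. The sample queries are constructed for this example; the user/friends query also shows the "ask for exactly what you need" request shape described earlier. Wiring it in as a validation rule inside a graphene/Django view is assumed, not shown.

```python
"""Selection-set depth guard for incoming GraphQL documents (added example)."""
from typing import Tuple


def selection_depth(query: str) -> int:
    """Return the deepest nesting of selection sets ({ ... }) in a document.

    Braces inside "..." / \"\"\"...\"\"\" strings and # comments are skipped
    so that a crafted string literal cannot skew the count. Unbalanced
    braces raise ValueError, which callers treat as a rejected query.
    """
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":
            # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if ch == '"':
            if query.startswith('"""', i):
                # block string: ends at the next triple quote
                end = query.find('"""', i + 3)
                if end == -1:
                    raise ValueError("unterminated block string")
                i = end + 3
            else:
                # ordinary string: honour backslash escapes
                i += 1
                while i < n and query[i] != '"':
                    if query[i] == "\\":
                        i += 1
                    i += 1
                if i >= n:
                    raise ValueError("unterminated string")
                i += 1
            continue
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced braces")
    return max_depth


def check_query(query: str, max_depth: int = 5) -> Tuple[bool, str]:
    """Accept or reject a document purely on nesting depth."""
    try:
        d = selection_depth(query)
    except ValueError as exc:
        return False, f"malformed query: {exc}"
    if d > max_depth:
        return False, f"query depth {d} exceeds limit {max_depth}"
    return True, f"query depth {d} ok"


# Constructed sample: the "user plus friend names" request from the text.
NORMAL_QUERY = """
query {
  user(id: 1) {
    name
    friends {
      name
    }
  }
}
"""

# Constructed sample: the back-and-forth foreign key walk from the text.
EXPLODING_QUERY = """
query {
  author(id: 1) {
    posts {
      author {
        posts {
          author {
            posts {
              title
            }
          }
        }
      }
    }
  }
}
"""

if __name__ == "__main__":
    for name, q in (("normal", NORMAL_QUERY), ("exploding", EXPLODING_QUERY)):
        ok, reason = check_query(q)
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

One caveat: this counter looks at brace nesting only, so a fragment spread (`...PostFields`) is not expanded into the place it is used; each fragment definition is measured on its own. A real validation rule, such as the ones graphql-core lets you register, works on the parsed AST and resolves spreads, so treat this as the check's shape rather than a drop-in replacement. Depth is also only one dimension; a shallow query over a list field with a huge page size needs a separate limit.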
In the end, GraphQL is quite handy, especially when you're working with many developers. With REST, you'd have just finished one response when the UI people were already clamoring for other, different responses. That problem is gone with GraphQL.
Photo explanation: station signs on the way from Utrecht (NL) to Heidelberg (DE).
My name is Reinout van Rees and I work a lot with Python (programming language) and Django (website framework). I live in The Netherlands and I'm happily married to Annie van Rees-Kooiman.