How to publish GraphQL Schema for external developers

We are building a GraphQL API which is mainly used by our own client. Nevertheless, some queries and mutations can be open to the public for external developers.

According to

one should not allow introspection in production, and I agree. The question is whether there is an easy way to create documentation (online, PDF, …) of the queries and mutations and fields you are willing to hand out to external persons. We are using Apollo Studio, but I did not find an option there either.

Happy to hear your thoughts on this.

Best regards
Roman

I would simply require auth if it’s only for certain external users. Standard security practices here apply. If you don’t trust your customer to use your API correctly, then no amount of security through obscurity is foolproof.

As for malicious queries, one way to get around that is via query whitelisting/blacklisting, which is offered via Apollo Studio.

If my API is available externally from my network, introspection is on. Security beyond that point should be handled like any service you would normally operate. No point in having a query language if customers can’t write queries, and making them go to an external documentation site for the sake of security through obscurity can only make them neutral or angry at the development experience, ultimately hurting your company’s bottom line.
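
The query allowlisting mentioned in the reply above, sketched as an added example that is not part of the thread and not Apollo's own code. The operation names, fields and function names are hypothetical; the hash-only request shape follows the `extensions.persistedQuery.sha256Hash` convention used by Apollo persisted queries, and the whitespace normalization is a simplifying assumption.

```javascript
// Added example: allowlist of operations published to external developers.
const { createHash } = require("crypto");

// Collapse whitespace so formatting differences do not change the hash.
// Assumption: a production server would normalize the parsed AST instead,
// since this simple rule also rewrites whitespace inside string literals.
const normalize = (q) => q.replace(/\s+/g, " ").trim();
const sha256 = (q) => createHash("sha256").update(normalize(q)).digest("hex");

// Constructed sample: the operations handed out to external developers.
// The same list can double as the published documentation of the public API.
const PUBLIC_OPERATIONS = [
  "query ProductList($first: Int!) { products(first: $first) { id name } }",
  "mutation AddToCart($id: ID!) { addToCart(productId: $id) { total } }",
];

// Build the hash -> query text map once at startup.
function buildAllowlist(operations) {
  return new Map(operations.map((q) => [sha256(q), normalize(q)]));
}

// Decide whether a request body may execute. Accepts full query text,
// or a hash-only request carrying extensions.persistedQuery.sha256Hash.
function checkOperation(body, allowlist) {
  const sentHash = body.extensions?.persistedQuery?.sha256Hash;
  if (typeof body.query === "string") {
    const actual = sha256(body.query);
    // A hash that does not describe the attached text is rejected outright,
    // so a client cannot pair an approved hash with different query text.
    if (sentHash && sentHash !== actual) {
      return { allowed: false, reason: "hash does not match query text" };
    }
    return allowlist.has(actual)
      ? { allowed: true, query: allowlist.get(actual) }
      : { allowed: false, reason: "operation not on allowlist" };
  }
  if (typeof sentHash === "string" && allowlist.has(sentHash)) {
    // Execute the server's stored text, never anything client-supplied.
    return { allowed: true, query: allowlist.get(sentHash) };
  }
  return { allowed: false, reason: "operation not on allowlist" };
}
```

With a check like this in front of the executor, an introspection query from an external client is rejected like any other unlisted operation, while internal clients can be routed around the check after authentication.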