[hamandcheese]

I am just pointing out that it is easy to make mistakes like this which would be, in this commenters experience, more obvious with a REST API.

In the equivalent REST API you would probably have to go far far out of your way to expose users order information in a reviews API, whereas in graphql that is the default.

In a typical REST application, it is enough to ask "does this user have permission to take this action".

In graphql, the question is rather different. It is "does this user have permission to access this data irrespective of the action they are taking", and you have to both ask that question and answer it correctly for everything in your graph.

[randomdata]

If you go back to the early stuff coming out of Facebook about GraphQL, it was designed to roll up all the REST services (or similar) into a single request for high latency clients. Occupying what has become known as the backends for frontends (BFF) layer.

In theory, it should be just as obvious either way as your actual services are going to be REST (or similar) either way. I recognize that some people have started using it as a poor man's SQL, but that's not really what it is for.

[hamandcheese]

In the wild, I primarily have seen graphql implemented instead of, or perhaps next to, REST. Not on top of REST.

I'm not sure what you mean about a poor man's SQL. Whether it's backed by micro-services via REST, or just a graphql API in a single app, the value prop for frontend<>backend communication is the same. It's not "using graphql wrong" to not have a micro service architecture.

[randomdata]

Using it as a poor man’s SQL was addressed, but using it that way doesn’t mean that’s what it is for.