
Turning a private GraphQL API into a public one comes with unexpected challenges. We’ll share how we approached this transition—starting from an existing internal schema that wasn’t shaped for external consumers—and the steps we took to expose only what was ready. Using Apollo Federation Contracts, we filtered out unstable or sensitive parts of the graph. Along the way, we defined best practices for the public schema, like cursor-based pagination and using oneOf for inputs and results. We’ll also touch on how we serve the schema through Hive Gateway with a supergraph setup, and the security measures we added, like depth limiting and complexity analysis. To keep things evolving safely, we rely on GraphQL Hive to track usage and guide deprecations.
If you’re thinking about exposing a GraphQL API—or just want ideas for keeping one clean and manageable—this talk will share what worked for us, what didn’t, and what we learned.
Laurin Quast

Are you running a GraphQL API in production? Have you thought about securing it? Well, you probably should!
Join Laurin as he teaches possible solutions for securing GraphQL APIs. Whether you are building an internal or public graph, he will have you covered using open source solutions from the GraphQL ecosystem! After this talk you will for sure be an expert on query complexity analysis and trusted documents!
Laurin Quast