The REST vs. GraphQL debate in federal engineering teams isn't settled. REST wins on simplicity and ecosystem maturity; GraphQL wins on query flexibility and developer experience. For federal programs, the decision involves factors that don't appear in typical comparisons: authorization model complexity, ATO surface area, audit logging requirements, and the realities of legacy data model integration.
Rutagon has deployed both patterns in production government cloud environments. This comparison reflects what the tradeoffs look like when compliance requirements are first-class constraints, not afterthoughts.
The Core Distinction
REST exposes resources at fixed endpoints, each with defined operations:
GET /api/v1/missions
GET /api/v1/missions/{id}
GET /api/v1/missions/{id}/sensors
POST /api/v1/missionsEach endpoint returns a fixed shape — the server decides what data is included.
GraphQL exposes a single endpoint with a schema, and clients query for exactly what they need:
query {
mission(id: "M-2026-001") {
name
status
sensors {
id
type
lastReading {
timestamp
value
unit
}
}
}
}The client controls the response shape. This eliminates over-fetching (getting 50 fields when you need 3) and under-fetching (making multiple requests to assemble related data).
Where GraphQL Excels in Federal Programs
Data Aggregation Across Legacy Systems
Many federal programs stitch together data from multiple legacy systems — a 20-year-old Oracle database, a SOAP-era middleware system, and a modern cloud-native service. A GraphQL layer can expose these as a unified data graph:
# Schema — unified view across legacy systems
type Mission {
id: ID!
# From modern cloud-native service
name: String!
status: MissionStatus!
# From legacy Oracle system (resolved by dedicated resolver)
historicalData: [HistoricalRecord!]!
# From SOAP middleware (resolved by SOAP adapter)
certifications: [Certification!]!
}
# Mission resolver orchestrates data from multiple sourcesThis pattern — GraphQL as a data gateway over heterogeneous backends — is particularly valuable for legacy modernization programs where replacing the backing systems isn't feasible but the consuming applications need a modern API contract.
Mission Control and Analytics UIs
When the primary consumer is a rich analytics UI or mission control dashboard, GraphQL's client-driven query model dramatically reduces the iteration cycle. The front-end team requests exactly the data they need for each view; the API layer serves it from whatever backing sources are appropriate. No back-end API changes required when the UI evolves.
Data Products for Authorized Mission Partners
Data mesh architectures use GraphQL as the API layer for domain-owned data products. A mission domain team publishes a GraphQL schema that partner systems subscribe to — the schema becomes the formal contract, and schema changes go through a governance process before deployment.
Where REST Still Wins in Federal Programs
Simple CRUD Services
For straightforward resource management APIs — create/read/update/delete operations on well-defined resources — REST is simpler to implement, simpler to reason about, and better supported by existing government API governance documentation (like 18F's API standards).
Public-Facing and Integration APIs
REST with OpenAPI documentation is the standard for government APIs that other agencies or the public will consume. GraphQL requires consumers to understand the schema and query language — a meaningful adoption barrier for external integrations.
Streaming and Real-Time Data
REST with Server-Sent Events or WebSockets handles streaming use cases more idiomatically than GraphQL subscriptions for most federal patterns. Real-time telemetry feeds, status streams, and event notifications are typically REST-based in Rutagon's government deployments.
Federal Security Considerations for GraphQL
Authorization at the Resolver Level
The most critical GraphQL security requirement for federal programs is field-level authorization. In REST, each endpoint is a discrete authorization target — easy to apply ABAC policies. In GraphQL, a single query can traverse multiple data types with different classification levels.
Rutagon implements field-level authorization using graphql-shield or equivalent:
// GraphQL authorization rules — field-level access control
import { rule, shield, and } from 'graphql-shield'
import { getUserContext } from './auth'
const isAuthenticated = rule({ cache: 'contextual' })(
async (parent, args, ctx) => {
return ctx.user !== null && ctx.user !== undefined
}
)
const hasClearance = (requiredLevel: string) =>
rule({ cache: 'contextual' })(
async (parent, args, ctx) => {
return ctx.user?.clearanceLevel >= requiredLevel
}
)
const isMissionAuthorized = rule({ cache: 'strict' })(
async (parent, args, ctx) => {
// Check if user is authorized for this specific mission
return ctx.userMissions.includes(args.id || parent.missionId)
}
)
// Permission matrix — maps schema types/fields to auth rules
export const permissions = shield({
Query: {
mission: and(isAuthenticated, isMissionAuthorized),
missions: isAuthenticated,
classifiedAnalysis: and(isAuthenticated, hasClearance('SECRET')),
},
Mission: {
'*': isAuthenticated, // All fields require auth
sensitiveMetadata: hasClearance('SECRET'),
codewordData: hasClearance('TOP_SECRET'),
},
})This ensures that accessing a Mission type doesn't automatically expose codewordData fields to users without the required clearance — the authorization check is at the field resolver level, not just the top-level query.
Introspection Control
GraphQL introspection lets clients discover the full schema — which is useful for development but is an information disclosure risk in production federal systems:
// Disable introspection in production
import { NoSchemaIntrospectionCustomRule } from 'graphql'
const server = new ApolloServer({
schema,
validationRules: process.env.NODE_ENV === 'production'
? [NoSchemaIntrospectionCustomRule]
: [],
})Schema documentation is distributed through controlled access (government GitHub or program document management) rather than discoverable via live API introspection.
Query Complexity Limits
Deeply nested GraphQL queries can generate N+1 database queries — a potential denial-of-service vector:
// Apollo Server — query complexity limits
import { createComplexityLimitRule } from 'graphql-validation-complexity'
const ComplexityLimit = createComplexityLimitRule(1000, {
scalarCost: 1,
objectCost: 2,
listFactor: 10,
})
const server = new ApolloServer({
schema,
validationRules: [ComplexityLimit],
})This satisfies NIST SC-5 (denial-of-service protection) at the API layer and prevents runaway queries from consuming excessive backend resources.
Audit Logging for GraphQL
Each GraphQL operation should be logged with sufficient detail for audit reconstruction (AU-2, AU-3):
// GraphQL audit logging plugin
const auditPlugin = {
requestDidStart() {
return {
didResolveOperation({ request, document }) {
logger.info({
event: 'graphql_operation',
operationName: request.operationName,
query: request.query, // Full query text
variables: request.variables,
userId: request.http?.headers.get('x-user-id'),
timestamp: new Date().toISOString(),
})
},
didEncounterErrors({ errors }) {
errors.forEach(err => logger.warn({
event: 'graphql_error',
message: err.message,
path: err.path,
}))
}
}
}
}The logged query text allows auditors to reconstruct exactly what data a user accessed in any given operation — more granular than REST endpoint logging for complex queries.
Recommendation by Use Case
| Use Case | Recommended Pattern | Reason | |---|---|---| | Public/external API | REST + OpenAPI | Ecosystem compatibility, clear documentation standard | | Internal data aggregation across legacy systems | GraphQL | Client-driven queries, federated schema | | Analytics/dashboard API | GraphQL | Reduce over-fetching, flexible query shape | | Simple CRUD microservice | REST | Simplicity, REST-native HTTP semantics | | Real-time streaming | REST + SSE/WebSocket | Better semantic fit for streaming patterns | | Mission partner data product | GraphQL | Schema contract, controlled field exposure |
The architecture decision is program-specific. Rutagon provides technical leadership during the API design phase to select the right pattern for each service — and maintains the security controls (authorization, introspection, complexity limits, audit logging) that make the chosen approach viable in an ATO context. For programs with complex data integration requirements, our cloud infrastructure capabilities cover the full API layer architecture.
Discuss API architecture for your program →
Frequently Asked Questions
Is GraphQL approved for use in FedRAMP-authorized systems?
GraphQL is an API design pattern, not a service — it doesn't have its own FedRAMP authorization status. GraphQL APIs running on FedRAMP-authorized infrastructure (AWS GovCloud, Azure Government) inherit the cloud service's authorization. The security controls required for FedRAMP compliance (authentication, audit logging, encryption) must be implemented at the application layer regardless of whether REST or GraphQL is used.
How does GraphQL field-level authorization map to NIST AC controls?
GraphQL field-level authorization implements NIST AC-3 (Access Enforcement) and AC-16 (Security and Privacy Attributes). AC-3 requires that access decisions be enforced at the appropriate granularity — in GraphQL, that means field-level checks, not just top-level query authorization. When a user's clearance level is used as the authorization attribute, this also satisfies elements of AC-16 (attribute-based access). The authorization logic must be documented in the SSP with the specific implementation approach.
Can a federal program use Apollo Federation for microservices?
Apollo Federation (GraphQL schema federation across multiple services) is technically viable in federal programs but adds architectural complexity. Each federated service must implement the same authorization controls, and cross-service queries must aggregate permissions checks correctly. For programs with multiple domain teams owning separate services, federation provides a clean separation-of-concerns — each team owns their schema — but requires coordination on the authentication/authorization model. Rutagon has deployed federated schemas in production SaaS platforms and can advise on the federal context requirements.
What GraphQL security risks are most relevant for DoD programs?
The top three: (1) authorization gaps — failing to check field-level permissions allows lower-clearance users to access higher-classification fields through complex queries; (2) introspection disclosure — leaving introspection enabled in production reveals the full data model to any authenticated user; (3) complexity attacks — deeply nested queries can be used to generate expensive backend operations. All three have straightforward mitigations that should be applied at implementation time, not retrofitted after ATO.
Does GraphQL subscription (real-time) work in GovCloud?
GraphQL subscriptions use WebSockets, which are supported in AWS GovCloud (API Gateway WebSocket APIs, Application Load Balancer). However, subscription authorization requires additional care — the initial WebSocket connection is authorized, but subsequent subscription events must also validate the subscriber's current authorization state (especially important if clearance or mission authorization can change during a session). Rutagon implements periodic subscription re-authorization as a defense-in-depth control for programs using GraphQL subscriptions.