Headless CMS: REST vs JSON:API vs GraphQL
We compare REST, JSON:API and GraphQL — three different web services implementations — based on request efficiency, operational simplicity, API discoverability, and more.
The web used to be server-centric in that web content management systems managed data and turned it into HTML responses. With the rise of headless architectures a portion of the web is becoming server-centric for data but client-centric for its presentation; increasingly, data is rendered into HTML in the browser.
In this blog post, we will compare REST, JSON:API and GraphQL. First, we'll look at an architectural, CMS-agnostic comparison, followed by evaluating some Drupal-specific implementation details.
It's worth noting that there are of course lots of intricacies and "it depends" when comparing these three approaches. When we discuss REST, we mean the "typical REST API" as opposed to one that is extremely well-designed or following a specification (not REST as a concept). When we discuss JSON:API, we're referring to implementations of the JSON:API specification. Finally, when we discuss GraphQL, we're referring to GraphQL as it is used in practice. Formally, it is only a query language, not a standard for building APIs.
The architectural comparison should be useful for anyone building decoupled applications regardless of the foundation they use because the qualities we will evaluate apply to most web projects.
To frame our comparisons, let's establish that most developers working with web services care about the following qualities:
- Request efficiency: retrieving all necessary data in a single network round trip is essential for performance. The size of both requests and responses should make efficient use of the network.
- API exploration and schema documentation: the API should be quickly understandable and easily discoverable.
- Operational simplicity: the approach should be easy to install, configure, run, scale and secure.
- Writing data: not every application needs to store data in the content repository, but when it does, it should not be significantly more complex than reading.
We summarized our conclusions in the table below, but we discuss each of these four categories (or rows in the table) in more depth below. If you aggregate the colors in the table, you see that we rank JSON:API above GraphQL and GraphQL above REST.
| | REST | JSON:API | GraphQL |
|---|---|---|---|
| Request efficiency | Poor; multiple requests are needed to satisfy common needs. Responses are bloated. | Excellent; a single request is usually sufficient for most needs. Responses can be tailored to return only what is required. | Excellent; a single request is usually sufficient for most needs. Responses only include exactly what was requested. |
| Documentation, API explorability and schema | Poor; no schema, not explorable. | Acceptable; generic schema only; links and error messages are self-documenting. | Excellent; precise schema; excellent tooling for exploration and documentation. |
| Operational simplicity | Acceptable; works out of the box with CDNs and reverse proxies; few to no client-side libraries required. | Excellent; works out of the box with CDNs and reverse proxies, no client-side libraries needed, but many are available and useful. | Poor; extra infrastructure is often necessary, client-side libraries are a practical necessity, specific patterns required to benefit from CDNs and browser caches. |
| Writing data | Acceptable; HTTP semantics give some guidance but specifics are left to each implementation, one write per request. | Excellent; how writes are handled is clearly defined by the spec, one write per request, but multiple writes are being added to the specification. | Poor; how writes are handled is left to each implementation and there are competing best practices, it's possible to execute multiple writes in a single request. |
If you're not familiar with JSON:API or GraphQL, I recommend you watch the following two short videos. They will provide valuable context for the remainder of this blog post:
- A 3-minute demo of Drupal's GraphQL implementation.
- A 5-minute demo of Drupal's JSON:API implementation.
Most REST APIs tend toward the simplest implementation possible: a resource can only be retrieved from one URI. If you want to retrieve article 42, you have to retrieve it from https://example.com/article/42. If you want to retrieve article 42 and article 72, you have to perform two requests; one to https://example.com/article/42 and one to https://example.com/article/72. If the article's author information is stored in a different content type, you have to do two additional requests, say to https://example.com/author/7. Furthermore, you can't send these requests until you've requested, retrieved and parsed the article requests (you wouldn't know the author IDs otherwise).
Consequently, client-side applications built on top of basic REST APIs tend to need many successive requests to fetch their data. Often, these requests can't be sent until earlier requests have been fulfilled, resulting in a sluggish experience for the website visitor.
GraphQL and JSON:API were developed to address the typical inefficiency of REST APIs. Using JSON:API or GraphQL, you can use a single request to retrieve both article 42 and article 72, along with the author information for each. It simplifies the developer experience, but more importantly, it speeds up the application.
Finally, both JSON:API and GraphQL have a solution to limit response sizes. A common complaint against typical REST APIs is that their responses can be incredibly verbose; they often respond with far more data than the client needs. This is both annoying and inefficient.
GraphQL eliminates this by requiring the developer to explicitly add each desired resource field to every query. This makes it difficult to over-fetch data but easily leads to very large GraphQL queries, making (cacheable) GET requests impossible.
JSON:API solves this with the concept of sparse fieldsets or lists of desired resource fields. These behave in much the same fashion as GraphQL does; however, when they're omitted, JSON:API will typically return all fields. An advantage, though, is that when a JSON:API query gets too large, sparse fieldsets can be omitted so that the request remains cacheable.
| | REST | JSON:API | GraphQL |
|---|---|---|---|
| Multiple data objects in a single response | Usually; but every implementation is different (for Drupal: custom "REST Export" view or custom REST plugin needed). | Yes | Yes |
| Embed related data (e.g. the author of each article) | No | Yes | Yes |
| Only needed fields of a data object | No | Yes; servers may choose sensible defaults, developers must be diligent to prevent over-fetching. | Yes; strict, but eliminates over-fetching, at the extreme, it can lead to poor cacheability. |
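The single-request pattern described above, as an added example that is not code from the original post: it builds one JSON:API request for articles 42 and 72 with their authors, joins the compound document, and flags fields the server returned beyond the sparse fieldsets. The resource types, field names, sample response and `filter[id]` syntax are assumptions; `include` and `fields[TYPE]` are the parameters the JSON:API specification defines.

```javascript
// Added example. Resource types ("articles", "people"), field names and the
// filter syntax are assumptions; filtering strategy is server-defined.
function buildRequest(base, fieldsets, include, ids) {
  const params = new URLSearchParams();
  if (ids) params.set('filter[id]', ids.join(','));
  params.set('include', include.join(','));
  for (const [type, fields] of Object.entries(fieldsets)) {
    params.set(`fields[${type}]`, fields.join(','));
  }
  return `${base}?${params}`;
}

// Join each article to its author via the compound document's `included` array.
function resolveAuthors(doc) {
  const byKey = new Map((doc.included || []).map((r) => [`${r.type}:${r.id}`, r]));
  return doc.data.map((article) => {
    const ref = article.relationships?.author?.data;
    const author = ref ? byKey.get(`${ref.type}:${ref.id}`) : undefined;
    return { id: article.id, title: article.attributes.title,
             author: author ? author.attributes.name : null };
  });
}

// List members the server returned that the sparse fieldsets did not request.
function overFetched(doc, fieldsets) {
  const extras = [];
  for (const res of [...doc.data, ...(doc.included || [])]) {
    if (!fieldsets[res.type]) continue; // no fieldset given: all fields expected
    const wanted = new Set(fieldsets[res.type]);
    const got = [...Object.keys(res.attributes || {}),
                 ...Object.keys(res.relationships || {})];
    for (const name of got) {
      if (!wanted.has(name)) extras.push(`${res.type}:${res.id}.${name}`);
    }
  }
  return extras;
}

const FIELDSETS = { articles: ['title', 'author'], people: ['name'] };

// Constructed response; article 72 carries a `body` nobody asked for.
const SAMPLE = {
  data: [
    { type: 'articles', id: '42', attributes: { title: 'First' },
      relationships: { author: { data: { type: 'people', id: '7' } } } },
    { type: 'articles', id: '72', attributes: { title: 'Second', body: 'long text' },
      relationships: { author: { data: { type: 'people', id: '7' } } } },
  ],
  included: [{ type: 'people', id: '7', attributes: { name: 'Ada' } }],
};
```

Running `overFetched` against recorded responses in a test suite catches a server that ignores sparse fieldsets and returns fields the client never meant to receive.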
Documentation, API explorability and schema
As a developer working with web services, you want to be able to discover and understand the API quickly and easily: what kinds of resources are available, what fields does each of them have, how are they related, etc. But also, if this field is a date or time, what machine-readable format is the date or time specified in? Good documentation and API exploration can make all the difference.
| | REST | JSON:API | GraphQL |
|---|---|---|---|
| Auto-generated documentation | Depends; if using the OpenAPI standard. | Depends; if using the OpenAPI standard. | Yes; various tools available. |
| Interactivity | Poor; navigable links rarely available. | Acceptable; observing available fields and links in its responses enables exploration of the API. | Excellent; autocomplete feature, instant results or compilation errors, complete and contextual documentation. |
| Validatable and programmable schema | Depends; if using the OpenAPI standard. | Depends; the JSON:API specification defines a generic schema, but a reliable field-level schema is not yet available. | Yes; a complete and reliable schema is provided (with very few exceptions). |
GraphQL has superior API exploration thanks to GraphiQL (demonstrated in the video above), an in-browser IDE of sorts, which lets developers iteratively construct a query. As the developer types the query out, likely suggestions are offered and can be auto-completed. At any time, the query can be run and GraphiQL will display real results alongside the query. This provides immediate, actionable feedback to the query builder. Did they make a typo? Does the response look like what was desired? Additionally, documentation can be summoned into a flyout, when additional context is needed.
On the other hand, JSON:API is more self-explanatory: APIs can be explored with nothing more than a web browser. From within the browser, you can browse from one resource to another, discover its fields, and more. So, if you just want to debug or try something out, JSON:API is usable with nothing more than cURL or your browser. Or, you can use Postman (demonstrated in the video above) — a standalone environment for developing on top of any HTTP-based API. Constructing complex queries requires some knowledge, however, and that is where GraphQL's GraphiQL shines compared to JSON:API.
We use the term operational simplicity to encompass how easy it is to install, configure, run, scale and secure each of the solutions.
The table should be self-explanatory, but we want to provide some more details about the "scalability" row. To scale a REST-based or JSON:API-based web service so that it can handle a large volume of traffic, you can use the same approach websites (and Drupal) already use, including reverse proxies like Varnish or a CDN. To scale GraphQL, you can't rely on HTTP caching as with REST or JSON:API without persisted queries. Persisted queries are not part of the official GraphQL specification but they are a widely-adopted convention amongst GraphQL users. They essentially store a query on the server, assign it an ID and permit the client to get the result of the query using a GET request with only the ID. Persisted queries add more operational complexity, and it also means the architecture is no longer fully decoupled — if a client wants to retrieve different data, server-side changes are required.
| | REST | JSON:API | GraphQL |
|---|---|---|---|
| Scalability: additional infrastructure requirements | Excellent; same as a regular website (Varnish, CDN, etc). | Excellent; same as a regular website (Varnish, CDN, etc). | Usually poor; only the simplest queries can use GET requests; to reap the full benefit of GraphQL, servers need their own tooling. |
| Tooling ecosystem | Acceptable; lots of developer tools available, but for the best experience they need to be customized for the implementation. | Excellent; lots of developer tools available; tools don't need to be implementation-specific. | Excellent; lots of developer tools available; tools don't need to be implementation-specific. |
| Typical points of failure | Fewer; server, client. | Fewer; server, client. | Many; server, client, client-side caching, client and build tooling. |
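The persisted-query lookup described above, as an added example that is not from the original post or from any GraphQL server library: the client sends only an ID and variables over GET, and the server maps the ID to a stored query and derives a stable cache key. The registry contents, the parameter names (`id`, `variables`, `query`), the status codes and the choice to refuse ad-hoc query text are assumptions of this model.

```javascript
// Added example. Registry entries, parameter names and status codes are
// assumptions; persisted queries are a convention, not part of the GraphQL spec.
const PERSISTED = new Map([
  ['article-with-author',
   'query ($id: ID!) { article(id: $id) { title author { name } } }'],
]);

// Serialize variables with sorted keys so equivalent requests share one
// cache entry in a reverse proxy or CDN.
function canonicalVariables(vars) {
  const sorted = {};
  for (const key of Object.keys(vars).sort()) sorted[key] = vars[key];
  return JSON.stringify(sorted);
}

// Resolve a GET request to a stored query; the client never supplies query text.
function resolvePersisted(requestUrl) {
  const params = new URL(requestUrl, 'https://example.com').searchParams;
  if (params.has('query')) {
    return { status: 400, error: 'ad-hoc queries are not accepted' };
  }
  const id = params.get('id');
  if (!PERSISTED.has(id)) return { status: 404, error: 'unknown query id' };

  let variables;
  try {
    variables = JSON.parse(params.get('variables') || '{}');
  } catch (err) {
    return { status: 400, error: 'variables must be JSON' };
  }
  if (variables === null || typeof variables !== 'object' || Array.isArray(variables)) {
    return { status: 400, error: 'variables must be a JSON object' };
  }
  return {
    status: 200,
    query: PERSISTED.get(id),
    variables,
    cacheKey: `${id}:${canonicalVariables(variables)}`,
  };
}
```

Because every accepted request maps to a query that was reviewed and stored server-side, the registry also bounds what a client can ask for, which is the coupling the paragraph above describes.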
For most REST APIs and JSON:API, writing data is as easy as fetching it: if you can read information, you also know how to write it. Instead of using the GET HTTP request type you use PATCH requests. JSON:API improves on typical REST APIs by eliminating differences between implementations. There is just one way to do things and that enables better, generic tooling and less time spent on server-side details.
The nature of GraphQL's write operations (called mutations) means that you must write custom code for each write operation; unlike the JSON:API specification, GraphQL doesn't prescribe a single way of handling write operations to resources, so there are many competing best practices. In essence, the GraphQL specification is optimized for reads, not writes.
On the other hand, the GraphQL specification supports bulk/batch operations automatically for the mutations you've already implemented, whereas the JSON:API specification does not. The ability to perform batch write operations can be important. For example, in our running example, adding a new tag to an article would require two requests; one to create the tag and one to update the article. That said, support for bulk/batch writes in JSON:API is on the specification's roadmap.
| | REST | JSON:API | GraphQL |
|---|---|---|---|
| Writing data | Acceptable; every implementation is different. No bulk support. | Excellent; JSON:API prescribes a complete solution for handling writes. Bulk operations are coming soon. | Poor; GraphQL supports bulk/batch operations, but writes can be tricky to design and implement. There are competing conventions. |
Up to this point we have provided an architectural and CMS-agnostic comparison; now we also want to highlight a few Drupal-specific implementation details. For this, we can look at the ease of installation, automatically generated documentation, integration with Drupal's entity and field-level access control systems and decoupled filtering.
Drupal 8's REST module is practically impossible to set up without the contributed REST UI module, and its configuration can be daunting. Drupal's JSON:API module is far superior to Drupal's REST module at this point. It is trivial to set up: install it and you're done; there's nothing to configure. The GraphQL module is also easy to install but does require some configuration.
Client-generated collection queries allow a consumer to filter an application's data down to just what they're interested in. This is a bit like a Drupal View except that the consumer can add, remove and control all the filters. This is almost always a requirement for public web services, but it can also make development more efficient because creating or changing a listing doesn't require server-side configuration changes.
Drupal's REST module does not support client-generated collection queries. It requires a "REST Views display" to be set up by a site administrator, and since these need to be manually configured in Drupal, a client can't craft its own queries with the filters it needs.
With JSON:API and GraphQL, clients are able to perform their own content queries without the need for server-side configuration. This means that they can be truly decoupled: changes to the front end don't always require a back-end configuration change.
These client-generated queries are a bit simpler to use with the JSON:API module than they are with the GraphQL module because of how each module handles Drupal's extensive access control mechanisms. By default JSON:API ensures that these are respected by altering the incoming query. GraphQL instead requires the consumer to have permission to simply bypass access restrictions.
Most projects using GraphQL that cannot grant this permission use persisted queries instead of client-generated queries. This means a return to a more traditional Views-like pattern because the consumer no longer has complete control of the query's filters. To regain some of the efficiencies of client-generated queries, the creation of these persisted queries can be automated using front-end build tooling.
| | REST | JSON:API | GraphQL |
|---|---|---|---|
| Ease of installation and configuration | Poor; requires contributed module REST UI, easy to break clients by changing configuration. | Excellent; zero configuration! | Poor; more complex to use, may require additional permissions, configuration or custom code. |
| Automatically generated documentation | Acceptable; requires contributed module OpenAPI. | Acceptable; requires contributed module OpenAPI. | Excellent; GraphQL Voyager included. |
| Security: content-level access control (entity and field access) | Excellent; content-level access control respected. | Excellent; content-level access control respected, even in queries. | Acceptable; some use cases require the consumer to have permission to bypass all entity and/or field access. |
| Decoupled filtering (client can craft queries without server-side intervention) | No | Yes | Depends; only in some setups and with additional tooling/infrastructure. |
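The difference between altering the incoming query and granting a bypass permission, as an added example that is a simplified model and not Drupal's or either module's code: the client's filter is combined with an access condition, and restricted fields are dropped from the result. The node fields, the permission names and the sample content are assumptions.

```javascript
// Added example: simplified model. Fields, permission names and content
// are constructed for illustration.
const NODES = [
  { id: 42, title: 'Launch notes', status: 1, uid: 7, internal_note: 'ok' },
  { id: 72, title: 'Draft pricing', status: 0, uid: 7, internal_note: 'hold' },
  { id: 73, title: 'Roadmap', status: 1, uid: 3, internal_note: 'n/a' },
];
const RESTRICTED_FIELDS = { internal_note: 'view internal notes' };

// Entity access expressed as a condition that can be merged into any query.
function accessCondition(account) {
  if (account.permissions.includes('bypass access')) return () => true;
  return (node) => node.status === 1 || node.uid === account.uid;
}

// Query altering: the client's filter is ANDed with the access condition,
// so choosing different filters can never widen what the account may see.
function alterQuery(clientFilter, account) {
  const allowed = accessCondition(account);
  return (node) => allowed(node) && clientFilter(node);
}

// Field access: drop requested fields the account may not view.
function project(node, fields, account) {
  const out = { id: node.id };
  for (const field of fields) {
    const needed = RESTRICTED_FIELDS[field];
    if (needed && !account.permissions.includes(needed)) continue;
    if (Object.prototype.hasOwnProperty.call(node, field)) out[field] = node[field];
  }
  return out;
}

function collection(clientFilter, fields, account) {
  return NODES.filter(alterQuery(clientFilter, account))
    .map((node) => project(node, fields, account));
}

const anonymous = { uid: 0, permissions: [] };
const bypassConsumer = { uid: 1, permissions: ['bypass access', 'view internal notes'] };
```

With the same client filter, the `anonymous` account gets an empty list for unpublished content while `bypassConsumer` receives everything, which is why a consumer holding a bypass permission has to be trusted to apply its own restrictions.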
What does this mean for Drupal's roadmap?
Drupal grew up as a traditional web content management system but has since evolved for this API-first world and industry analysts are praising us for it.
As Drupal's project lead, I've been talking about adding out-of-the-box support for both JSON:API and GraphQL for a while now. In fact, I've been very bullish about GraphQL since 2015. My optimism was warranted; GraphQL is undergoing a meteoric rise in interest across the web development industry.
Based on this analysis, for Drupal core's needs, we rank JSON:API above GraphQL and GraphQL above REST. As such, I want to change my recommendation for Drupal 8 core. Instead of adding both JSON:API and GraphQL to Drupal 8 core, I believe only JSON:API should be added. That said, Drupal's GraphQL implementation is fantastic, especially when you have the developer capacity to build a bespoke API for your project.
On the four qualities by which we evaluated the REST, JSON:API and GraphQL modules, JSON:API has outperformed its contemporaries. Its web standards-based approach, its ability to handle reads and writes out of the box, its security model and its ease of operation make it the best choice for Drupal core. Additionally, where JSON:API underperformed, I believe that we have a real opportunity to contribute back to the specification. In fact, one of the JSON:API module's maintainers and co-authors of this blog post, Gabe Sullice (Acquia), recently became a JSON:API specification editor himself.
This decision does not mean that you can't or shouldn't use GraphQL with Drupal. While I believe JSON:API covers the majority of use cases, there are valid use cases where GraphQL is a great fit. I'm happy that Drupal is endowed with such a vibrant contributed module ecosystem that provides so many options to Drupal's users.
I'm excited to see where both the JSON:API specification and Drupal's implementation of it go in the coming months and years. As a first next step, we're preparing the JSON:API to be added to Drupal 8.7.
Special thanks to Wim Leers (Acquia) and Gabe Sullice (Acquia) for co-authoring this blog post and to Preston So (Acquia) and Alex Bronstein (Acquia) for their feedback during the writing process.
— Dries Buytaert
Dries Buytaert is an Open Source advocate and technology executive.