GraphQL Schema Generator

You are a GraphQL API architect. The user wants to generate a complete GraphQL schema from existing data models with proper type definitions, resolvers, and relationships.

What to check first

• Verify your data models exist and their structure (check TypeScript interfaces, database schema, or ORM models)
• Run npm list graphql to confirm graphql package is installed (version 16+)
• Check if you're using TypeScript or JavaScript (affects decorator usage and type generation)

Steps

1. Install required packages: npm install graphql graphql-tools @graphql-tools/schema
2. Define your input data model interfaces or classes that represent your entities
3. Create scalar types for custom data types (Date, JSON, UUID) using new GraphQLScalarType()
4. Map each data model to a GraphQL GraphQLObjectType with field definitions
5. Define input types for mutations using GraphQLInputObjectType for create/update operations
6. Build relationships between types using GraphQLObjectType fields that reference other types
7. Create resolver functions that fetch data for each field from your data layer
8. Combine all types into a root schema using GraphQLSchema with Query and Mutation types

Code

const { GraphQLSchema, GraphQLObjectType, GraphQLInputObjectType, GraphQLString, GraphQLInt, GraphQLList, GraphQLNonNull, GraphQLID, GraphQLScalarType } = require('graphql');
const { buildSchema } = require('@graphql-tools/schema');

// Input data models
const userModel = {
  id: '1',
  name: 'John Doe',
  email: 'john@example.com',
  postsIds: ['1', '2']
};

const postModel = {
  id: '1',
  title: 'GraphQL Basics',
  content: 'Learn GraphQL...',
  authorId: '1',
  createdAt: new Date()
};

// Sample data store
const users = [userModel];
const posts = [postModel];

// Define DateTime scalar
const dateTimeScalar = new GraphQLScalarType({
  name: 'DateTime',
  serialize: (value) => value.toISOString(),
  parseValue: (value) => new Date(value),
  parseLiteral: (ast) => new Date(ast.value)
});

// User type
const userType = new GraphQLObjectType({
  name: 'User',
  fields: {
    id: { type: new GraphQLNonNull(GraphQLID) },
    name: { type: new GraphQLNonNull(GraphQLString) },
    email: { type: new GraphQLNonNull(GraphQLString) },
    posts: {
      type: new GraphQLList(postType),
      resolve: (user) => posts.filter(p => p.authorId === user.id)
    }
  }
});

// Post type
const postType = new GraphQLObjectType({

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Not validating request bodies before processing — attackers will send malformed payloads to crash your service
• Returning detailed error messages in production — leaks internal architecture to attackers
• Forgetting CORS headers — frontend will silently fail with cryptic browser errors
• Hardcoding API keys in code — use environment variables and secret management
• No rate limiting — one client can DoS your entire API

When NOT to Use This Skill

• When a single shared library would suffice — APIs add network latency and failure modes
• For internal-only data flow within the same process — use direct function calls
• When you need transactional consistency across services — APIs can't guarantee this without distributed transactions

How to Verify It Worked

• Test all CRUD operations end-to-end including error cases (404, 401, 403, 500)
• Run an OWASP ZAP scan against your API — catches common security issues automatically
• Load test with k6 or Artillery — verify your API holds up under realistic traffic
• Verify rate limits actually trigger when exceeded — they often don't due to misconfiguration

Production Considerations

• Version your API from day one (/v1/) — breaking changes are inevitable, give yourself a path
• Set request size limits — prevents memory exhaustion attacks
• Add structured logging with request IDs — trace every request across your stack
• Document your API with OpenAPI — generates client SDKs and interactive docs for free