Serverless GraphQL with AWS AppSync

Learn what is GraphQL, Serverless, AWS AppSync and how they can be combined to build a Serverless GraphQL application with AWS AppSync and deployed using Serverless framework.

What is GraphQL?

GraphQL is basically two things in one name.

  • A simple query language for APIs
  • A server-side runtime to automatically parse and resolve those queries
  • Designed by Facebook in 2012, Open-sourced in 2015

Moving on — what is Serverless?

Let’s Discuss, Serverless — Service vs The Framework

Serverless Service

  • No server management (no need to manage any form of machines)
  • Pay-per-execution (never pay for idle)
  • Auto-scale (scale based on demand)
  • Function as a unit of application logic
  • Example) AWS Lambda, API Gateway, AWS AppSync

Serverless Framework

A framework to build & deploy Serverless apps
  • Open-source framework (
  • Develop and debug serverless apps locally
  • Deploy serverless applications in seconds
  • Integrates with AWS, Azure, GCP and more

Now — what is AWS AppSync?

AppSync is a managed service offered by AWS that uses GraphQL to make it easy for applications to get exactly the data they need.

Per the above definition of a Serverless service — AWS AppSync is Serverless!

How AWS AppSync works

Let’s look at few frequently used AppSync use cases

Use case 1— Real-Time Collaboration
E.g. Chat Applications

Use case 2— Data Layer
E.g. Microservices Access Layer, combine data from multiple microservices

More use cases like Polyglot Backend Data Access, Offline Delta Sync can be found here —

Is AWS AppSync Secure?

Yes, AppSync is a secure service by nature, however, it is on the user to secure the Graph API in AppSync using the supported authentication methods.

What are the supported auth methods?

Graph API Level (for all fields)
We can use the below authentication methods to secure all the fields, that is authentication is imposed at the Graph API level.

  • API Key
  • OpenID Connect
  • Amazon Cognito User Pools

Field Level (for individual fields)
We can use the below authentication directives to secure the individual fields in a GraphQL Schema.

  • @aws_api_key (when used on a field, the field is API_KEY authorized)
  • @aws_iam
  • @aws_oidc
  • @aws_cognito_user_pools

Naturally, the next question is whether we can have different authentications at both Graph API level as well as Field level?
YES, we can have different combinations of authentication methods in both places.

For example) API Key Authentication can be imposed for the Graph API and @aws_cognito_user_pools directive authentication can be imposed for a particular field in the GraphQL Schema — meaning only a Cognito authenticated user with a valid API key will be able to query that authenticated field.

Security Filters

One may want to filter information during a request or while the response is returned for security purposes or may want to add custom logic during request entry and response exit points.

  • For such use cases, use Resolver Mapping Templates provided by AppSync.
  • You can create Request and Response Mapping Templates where filter logic can be added.
  • Resolver Mapping Templates use Apache VTL (Velocity Template Language).

AppSync Pricing

Pay only for what you use - never pay for idle

Query and Mutation operations = $4 per million operations

Subscription operations – real-time updates = $2 per million updates, $.08 per million minutes of connection

Note: above pricing is at the time of writing this article in June 2020.

Serverless GraphQL with AWS AppSync

A Serverless GraphQL application with AppSync can be deployed using the Serverless framework.

Serverless GraphQL with AWS AppSync

Everything you need to build a Serverless GraphQL application with AWS AppSync and deploy using Serverless framework is given in the below links.

Thanks to the Serverless community!

Github Code:

Documentation with an example app:

Setup API Gateway as a proxy to AWS AppSync:

Alternative Serverless GraphQL setup using API Gateway + Lambda:

Learn something new every day — Cheers!

Lead full-stack engineer — AWS, GCP Certified Solutions Architect working at Presidio with love & experience in building cloud-native applications.