API GraphQL Query Cost and Depth Limits

Status: public · Confidence: medium (0.685) · Basis: verified_sources

## TL;DR

GraphQL query cost and depth limits protect APIs from operations that are syntactically valid but too expensive to execute safely.

## Core Explanation

GraphQL lets clients shape responses, so a single request can include deep nesting, aliases, many root fields, or expensive resolver paths. For agents, that flexibility can become a reliability risk when generated queries are not bounded.

A useful agent tool should expose allowed depth, field count, alias count, root-field count, trusted-document policy, pagination requirements, and any cost budget returned by the gateway. Agents should not learn limits by repeatedly sending larger queries against production.
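As an added example (not code from the page's sources), a static pre-flight check an agent tool can run before sending an operation: it measures depth, field count, alias count, root-field count and a weighted cost, then reports which gateway limits the operation would exceed. It assumes a single operation with named fragments already expanded (named spreads are rejected rather than guessed at) and a default weight of 1 for fields without an explicit weight; the stat names and limit keys are this example's own, not any gateway's API.

```python
import re

# Tokens: string literals, fragment spread, names, comments, any other single char.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\.\.\.|[_A-Za-z][_0-9A-Za-z]*|#[^\n]*|\S')

def _skip_parens(tokens, i):  # index just past the balanced ( ... ) that starts at tokens[i]
    depth = 1
    while depth:
        i += 1
        depth += {"(": 1, ")": -1}.get(tokens[i], 0)
    return i + 1

def _walk(tokens, i, level, stats, weights):  # parse the selection set opened at tokens[i]
    stats["depth"] = max(stats["depth"], level)
    i += 1
    while tokens[i] != "}":
        if tokens[i] == "...":                       # spread: only `... on Type { }` supported
            if tokens[i + 1] != "on":                # named spreads hide their size: fail closed
                raise ValueError("expand named fragment spreads before analysis")
            i = _walk(tokens, i + 3, level, stats, weights)   # inline fragment adds no depth
            continue
        name, i = tokens[i], i + 1
        if tokens[i] == ":":                         # alias: field
            stats["aliases"] += 1
            name, i = tokens[i + 1], i + 2
        stats["fields"] += 1
        stats["root_fields"] += level == 1
        stats["cost"] += weights.get(name, 1)        # per-field weight, default 1 (assumed)
        if tokens[i] == "(":                         # arguments
            i = _skip_parens(tokens, i)
        while tokens[i] == "@":                      # directives: @name or @name(args)
            i += 2
            if tokens[i] == "(":
                i = _skip_parens(tokens, i)
        if tokens[i] == "{":
            i = _walk(tokens, i, level + 1, stats, weights)
    return i + 1

def analyze(document, weights=None):
    """Measure one operation; `weights` maps field name -> cost (unweighted fields cost 1)."""
    tokens = [t for t in _TOKEN.findall(document) if t != "," and not t.startswith("#")]
    i = 0
    while tokens[i] != "{":                          # skip `query Name($v: T = ...)`
        i = _skip_parens(tokens, i) if tokens[i] == "(" else i + 1
    stats = {"depth": 0, "fields": 0, "aliases": 0, "root_fields": 0, "cost": 0}
    _walk(tokens, i, 1, stats, weights or {})
    return stats

def violations(stats, limits):  # limits are keyed max_<stat>, e.g. {"max_depth": 5}
    return [k for k, v in limits.items() if stats[k[4:]] > v]
```

Running `analyze` on a generated operation and checking `violations` against the limits the gateway publishes lets the tool reject or reshape the query locally instead of discovering the limits by trial against production.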

## Source-Mapped Facts

- GraphQL.org security documentation recommends limiting the maximum depth of fields that a single operation can have. ([source](https://graphql.org/learn/security/))
- GraphQL.org security documentation says query complexity analysis can estimate request cost by applying weights to types and fields in a schema. ([source](https://graphql.org/learn/security/))
- Apollo Router request-limit documentation lists operation limits including max_depth, max_height, max_aliases, and max_root_fields. ([source](https://www.apollographql.com/docs/graphos/routing/security/request-limits))

## Further Reading

- [GraphQL Security](https://graphql.org/learn/security/)
- [Apollo Router Request Limits](https://www.apollographql.com/docs/graphos/routing/security/request-limits)