Q7 of 20 · GraphQL

What is introspection, and what are its testing and security implications?

GraphQL · Mid · graphql, schema, security, contract-testing

Short answer

Introspection lets a client query the schema itself (`__schema`, `__type`) at runtime. Tooling and breaking-change detection are built on it, but production deployments commonly disable it as a hardening measure, so production tests must not depend on it.

Detail

GraphQL schemas are self-describing: you can query their structure.

# Describe the User type's fields. Wrapped types (String!, [User]) report kind NON_NULL/LIST
# with name null; the named type sits one level down in ofType.
query {
  __type(name: "User") {
    fields { name type { name kind } }
  }
}

Testing uses:

  • Breaking-change detection: snapshot the schema (via introspection or a committed SDL file) and diff it across versions. A removed field, a renamed field, a non-null output field made nullable, or an optional argument made required can break existing clients (a nullable output field made non-null is the safe direction). This is GraphQL's version of contract testing.
  • Tooling: clients use introspection for autocomplete and validation.
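The diff step above, as an added example (not code from the original page or any particular GraphQL library): it indexes two introspection results, renders type refs back to SDL text, and classifies each change as BREAKING or SAFE with nullability judged in opposite directions for output fields and arguments. The introspection query shape, the sample schemas and the helper names are constructed for this example.

```python
"""Breaking-change detection over two GraphQL introspection results (added example)."""

# Shape of the introspection query this differ expects (hypothetical; real tooling also
# pulls interfaces, enums, input objects and directives).
INTROSPECTION_QUERY = """query { __schema { types { name kind
  fields(includeDeprecated: true) { name type { ...T } args { name defaultValue type { ...T } } } } } }
fragment T on __Type { kind name ofType { kind name ofType { kind name ofType { kind name } } } }"""


def render_type(t):
    """Introspection type ref -> SDL text, e.g. NON_NULL(LIST(NON_NULL(User))) -> '[User!]!'."""
    if t["kind"] == "NON_NULL":
        return render_type(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + render_type(t["ofType"]) + "]"
    return t["name"]


def index_schema(result):
    """{type: {field: (type_str, {arg: (type_str, has_default)})}} for user-defined OBJECT types."""
    out = {}
    for t in result["__schema"]["types"]:
        if t["kind"] == "OBJECT" and not t["name"].startswith("__"):
            out[t["name"]] = {
                f["name"]: (render_type(f["type"]),
                            {a["name"]: (render_type(a["type"]), a.get("defaultValue") is not None)
                             for a in f.get("args") or []})
                for f in t.get("fields") or []}
    return out


def diff_schemas(old, new):
    """Sorted [(severity, message)]. BREAKING: an operation valid against `old` may now fail or
    receive a null it never handled. SAFE: additive or loosening. Nullability is judged in
    opposite directions for output fields and for arguments."""
    changes, a, b = [], index_schema(old), index_schema(new)
    for tname, fields in a.items():
        if tname not in b:
            changes.append(("BREAKING", f"type {tname} removed"))
            continue
        for fname, (ftype, args) in fields.items():
            if fname not in b[tname]:
                changes.append(("BREAKING", f"field {tname}.{fname} removed"))
                continue
            ntype, nargs = b[tname][fname]
            if ftype != ntype:  # output position: outer nullable -> non-null is treated as the
                # only safe type change (inner list nullability is left to real tooling)
                changes.append(("SAFE" if ntype == ftype + "!" else "BREAKING",
                                f"field {tname}.{fname} type {ftype} -> {ntype}"))
            for aname, (atype, _) in args.items():
                if aname not in nargs:
                    changes.append(("BREAKING", f"argument {tname}.{fname}({aname}) removed"))
                elif nargs[aname][0] != atype:  # input position: tightening with no default breaks
                    natype, has_default = nargs[aname]
                    changes.append(("SAFE" if atype == natype + "!" or has_default else "BREAKING",
                                    f"argument {tname}.{fname}({aname}) type {atype} -> {natype}"))
            for aname, (natype, has_default) in nargs.items():
                if aname not in args:  # a new required argument invalidates every existing query
                    changes.append(("BREAKING" if natype.endswith("!") and not has_default else "SAFE",
                                    f"argument {tname}.{fname}({aname}: {natype}) added"))
        changes += [("SAFE", f"field {tname}.{f} added") for f in b[tname] if f not in fields]
    changes += [("SAFE", f"type {t} added") for t in b if t not in a]
    return sorted(changes)


def breaking(changes):
    """Messages a CI gate should fail on."""
    return [msg for sev, msg in changes if sev == "BREAKING"]


# --- Constructed sample introspection results (not captured from any real server) ---
def named(kind, name):
    return {"kind": kind, "name": name, "ofType": None}

def non_null(t):
    return {"kind": "NON_NULL", "name": None, "ofType": t}

def field(name, type_, args=()):
    return {"name": name, "type": type_,
            "args": [{"name": n, "type": t, "defaultValue": d} for n, t, d in args]}

def schema(*types):
    return {"__schema": {"types": [{"kind": "OBJECT", "name": n, "fields": f} for n, f in types]}}

ID, STR, INT, BOOL = (named("SCALAR", s) for s in ("ID", "String", "Int", "Boolean"))
USER = named("OBJECT", "User")
OLD = schema(("Query", [field("user", USER, [("id", non_null(ID), None)])]),
             ("User", [field("id", non_null(ID)), field("email", non_null(STR)), field("name", STR)]))
NEW = schema(("Query", [field("user", USER, [("id", non_null(ID), None),
                                              ("includeDeleted", non_null(BOOL), None)])]),
             ("User", [field("id", non_null(ID)), field("email", STR), field("age", INT)]))

if __name__ == "__main__":
    for sev, msg in diff_schemas(OLD, NEW):
        print(f"{sev:8} {msg}")
    raise SystemExit(1 if breaking(diff_schemas(OLD, NEW)) else 0)
```

In CI the `old` side comes from the committed snapshot and the `new` side from the branch under test; the gate fails on any BREAKING entry, and a SAFE-only diff just updates the snapshot. Because the snapshot can be produced from a committed SDL file instead of a live introspection call, this check keeps working even against a prod build with introspection off.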

Security implication and the testing nuance:

  • Introspection exposes the entire API surface, including deprecated fields and types that no shipped client uses, so it is commonly disabled in production to shrink what an attacker can enumerate. Treat that as obscurity, not access control: every field still needs authorization in its resolver, and if graphql-js-style "Did you mean" field suggestions are left in validation errors, the schema can be reconstructed one field name at a time, so hardened deployments disable suggestions too.
  • That means a smoke test that relies on __schema will pass in staging and fail in prod, or pass in prod precisely because the hardening was never applied there. Test introspection's availability per environment deliberately: assert that it is on in dev and staging and off in a hardened prod config, rather than letting the difference surface as a flaky test.
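The per-environment check described above, as an added example (not code from the original page or from any GraphQL server): it probes the endpoint with the cheapest introspection query, compares the observed state to a policy table, and on environments where introspection should be off also sends a misspelled field to see whether error messages leak schema names via suggestions. The policy table, the URL handling and the sample responses are assumptions constructed for this example.

```python
"""Per-environment introspection smoke test (added example). Assumes a plain HTTP GraphQL
endpoint that accepts {"query": ...} JSON POSTs; the policy table is hypothetical."""
import json
import sys
import urllib.error
import urllib.request

# Cheapest introspection probe: one field, no recursion, so it is safe to run on every deploy.
PROBE_QUERY = "query { __schema { queryType { name } } }"
# Deliberately misspelled field: checks whether validation errors leak names via suggestions.
SUGGESTION_QUERY = "query { __typename emial }"

# Assumed policy: dev and staging keep introspection on, hardened prod has it off.
POLICY = {"dev": True, "staging": True, "prod": False}


def post_graphql(url, query, timeout=5):
    """Transport: POST the query and return the parsed JSON body regardless of HTTP status
    (servers with introspection disabled answer 400 or 200 depending on implementation)."""
    req = urllib.request.Request(
        url, data=json.dumps({"query": query}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read() or b"{}")


def introspection_enabled(body):
    """Only real schema data counts as 'enabled'; an errors entry or null data means off."""
    data = body.get("data") or {}
    return bool((data.get("__schema") or {}).get("queryType"))


def suggestions_leak(body):
    """True if a validation error carries a graphql-js style 'Did you mean' hint, which lets
    an attacker rebuild the schema field by field even with introspection disabled."""
    return any("did you mean" in (e.get("message") or "").lower()
               for e in body.get("errors") or [])


def check_environment(env, probe_body, suggestion_body):
    """Return (ok, findings): ok is False when the observed state contradicts POLICY[env]
    or when an environment that hides its schema still leaks field suggestions."""
    findings = []
    enabled = introspection_enabled(probe_body)
    if enabled != POLICY[env]:
        findings.append(f"{env}: introspection is {'on' if enabled else 'off'}, policy says "
                        f"{'on' if POLICY[env] else 'off'}")
    if not POLICY[env] and suggestions_leak(suggestion_body):
        findings.append(f"{env}: error messages leak field suggestions")
    return not findings, findings


# --- Constructed responses (not captured from a real server) ---
ENABLED_BODY = {"data": {"__schema": {"queryType": {"name": "Query"}}}}
DISABLED_BODY = {"errors": [{"message": "GraphQL introspection is not allowed, "
                                        "but the query contained __schema or __type."}],
                 "data": None}
CLEAN_ERROR_BODY = {"errors": [{"message": 'Cannot query field "emial" on type "Query".'}]}
LEAKY_ERROR_BODY = {"errors": [{"message": 'Cannot query field "emial" on type "Query". '
                                           'Did you mean "email"?'}]}

if __name__ == "__main__":
    # Usage: python introspection_check.py <dev|staging|prod> <graphql-url>
    env, url = sys.argv[1], sys.argv[2]
    ok, findings = check_environment(env, post_graphql(url, PROBE_QUERY),
                                     post_graphql(url, SUGGESTION_QUERY))
    print("\n".join(findings) or f"{env}: introspection policy satisfied")
    sys.exit(0 if ok else 1)
```

Run it once per environment from the deploy pipeline with the matching policy key; a failure in prod means either introspection was left on or the deployment still answers typos with field suggestions, and a failure in dev means tooling that depends on introspection is about to break.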

// WHAT INTERVIEWERS LOOK FOR

Introspection as both a breaking-change-detection tool and a production hardening concern, and testing its availability per environment.