The Daily
A note a day on APIs and the realities of shipping web applications. Stuff I've actually learned across 25 years of doing the work.
Authorization in GraphQL: the field-level nightmare
GraphQL gives clients a lot of power. The authorization story for that power is, charitably, a mess you have to solve yourself.
GraphQL's authorization story is one of the most underestimated sources of production bugs I've encountered. Not because it's impossible to get right, but because the spec leaves it entirely to you — and the pit is deep enough that I've watched otherwise careful developers fall straight in. What GraphQL leaves on the…
Row-Level Security in PostGraphile: Powerful, Brittle, and Misunderstood
PostGraphile's RLS integration is genuinely impressive — until it silently returns empty sets instead of errors. Here's what I've learned the hard way.
PostGraphile's row-level security integration is one of the most elegant things I've seen in the GraphQL ecosystem — and one of the easiest ways to accidentally expose data you thought you'd locked down, or hide data you thought was visible. After using it on three production projects, I have opinions. What Problem…
Postgres VACUUM: The Maintenance Reality Tutorials Skip
Every Postgres tutorial shows you SELECT and INSERT. Almost none of them explain what happens to your table when you UPDATE a million rows.
Every Postgres tutorial shows you how to write a query. Almost none of them explain what happens to your table after you UPDATE a million rows — and why, six months later, a simple is taking four seconds on a table that should fit in RAM. That's bloat. And VACUUM is the thing standing between you and it. What Postgres…
GraphQL's N+1 Problem: The One It Hides and the One It Creates
GraphQL promises to fix over-fetching. What it doesn't tell you is that it ships its own N+1 problem in the box.
GraphQL will tell you it solves the N+1 problem. It doesn't. It trades the REST version for a worse one, wraps it in a type system, and ships it to production while you're still feeling good about your schema design. I've been burned by this on two separate projects now, and I want to save you the 2 a.m. Datadog…
PostGraphile: The Schema You'll Regret in 18 Months
PostGraphile generates a GraphQL API from your Postgres schema in minutes. That speed comes with a tax you don't notice until you're deep in production.
PostGraphile will have you running a full GraphQL API against your Postgres database in under an hour. That is genuinely impressive and also, in my experience, the start of a slow-motion problem you won't fully see until your client is asking why a mobile app query takes 4 seconds. I've now used PostGraphile on three…