Introduction
GraphQL Yoga has emerged as the modern standard for building lightweight, spec-compliant GraphQL servers in JavaScript and TypeScript. Created by The Guild (the team behind many popular GraphQL tools), Yoga v3 and v4 represent a complete rewrite built on the WHATWG Fetch API, making it platform-agnostic—it runs identically on Node.js, Deno, Bun, Cloudflare Workers, AWS Lambda, and any other JavaScript runtime.
Unlike heavier alternatives like Apollo Server that bundle extensive features and middleware, Yoga takes a batteries-included-yet-tree-shakeable approach. It provides everything you need for production GraphQL—subscriptions, file uploads, defer/stream support, persisted queries, and comprehensive error handling—while keeping the bundle size minimal and startup time fast. The plugin system allows extending functionality without modifying core code.
This guide covers building production GraphQL APIs with Yoga from scratch. We'll explore schema definition with GraphQL Tools, real-time subscriptions over Server-Sent Events, file upload handling, authentication middleware, and deployment to various platforms. By the end, you'll understand why teams like Airbnb and The New York Times have adopted Yoga for their GraphQL infrastructure.
Understanding GraphQL Yoga: Core Architecture
GraphQL Yoga is built on a layered architecture that separates concerns cleanly. At its core, it uses the WHATWG Fetch API for request handling, graphql-js for query execution, and a plugin system for extensibility. This design makes it truly platform-agnostic—you write your server once and deploy it anywhere JavaScript runs.
Platform-Agnostic Design
Traditional GraphQL servers assume a Node.js environment with Express or Fastify. Yoga uses the standard Request and Response interfaces, meaning your server code works identically across platforms without modification.
import { createYoga, createSchema } from 'graphql-yoga';
import { createServer } from 'node:http';
const yoga = createYoga({
schema: createSchema({
typeDefs: /* GraphQL */ `
type Query {
hello: String!
}
`,
resolvers: {
Query: {
hello: () => 'Hello from Yoga!',
},
},
}),
});
// Works on Node.js
const server = createServer(yoga);
server.listen(4000, () => {
console.log('Server running at http://localhost:4000/graphql');
});The same yoga instance works on Cloudflare Workers, Deno, Bun, or AWS Lambda without changes. This portability eliminates the need for platform-specific adapters that other GraphQL servers require.
Plugin Architecture
Yoga's plugin system intercepts every phase of the request lifecycle, from initial request parsing through response delivery. Plugins can modify requests, transform responses, add logging, implement authentication, and more.
import { createYoga, Plugin } from 'graphql-yoga';
const loggingPlugin: Plugin = {
onExecute({ args }) {
const start = Date.now();
console.log(`Executing: ${args.operationName || 'anonymous'}`);
return {
onExecuteDone({ result }) {
const duration = Date.now() - start;
console.log(`Completed in ${duration}ms`);
},
};
},
};
const authPlugin: Plugin = {
onRequest({ request, serverContext }) {
const token = request.headers.get('authorization')?.replace('Bearer ', '');
if (token) {
serverContext.user = verifyToken(token);
}
},
};Step-by-Step Implementation
Setting Up a Complete API
Let's build a full-featured GraphQL API with Yoga, including authentication, database integration, and real-time subscriptions.
npm install graphql-yoga graphql @prisma/client
npm install -D prisma typescript @types/nodeSchema Definition
Yoga works with any schema-building approach—SDL strings, graphql-tools, Pothos, TypeGraphQL, or Nexus. Here's a complete schema using graphql-tools:
import { createSchema } from 'graphql-yoga';
export const schema = createSchema({
typeDefs: /* GraphQL */ `
scalar DateTime
scalar JSON
type User {
id: ID!
name: String!
email: String!
avatar: String
role: Role!
posts: [Post!]!
createdAt: DateTime!
}
type Post {
id: ID!
title: String!
content: String!
status: PostStatus!
author: User!
comments: [Comment!]!
likeCount: Int!
tags: [String!]!
createdAt: DateTime!
updatedAt: DateTime!
}
type Comment {
id: ID!
content: String!
author: User!
createdAt: DateTime!
}
type PostConnection {
edges: [PostEdge!]!
pageInfo: PageInfo!
totalCount: Int!
}
type PostEdge {
node: Post!
cursor: String!
}
type PageInfo {
hasNextPage: Boolean!
endCursor: String
}
enum Role {
USER
ADMIN
}
enum PostStatus {
DRAFT
PUBLISHED
ARCHIVED
}
type Query {
me: User
user(id: ID!): User
posts(
filter: PostFilter
first: Int = 10
after: String
): PostConnection!
post(id: ID!): Post
}
input PostFilter {
authorId: ID
status: PostStatus
searchTerm: String
tags: [String!]
}
type Mutation {
createPost(input: CreatePostInput!): Post!
updatePost(id: ID!, input: UpdatePostInput!): Post!
deletePost(id: ID!): Boolean!
likePost(postId: ID!): Post!
addComment(postId: ID!, content: String!): Comment!
}
input CreatePostInput {
title: String!
content: String!
tags: [String!]
}
input UpdatePostInput {
title: String
content: String
status: PostStatus
tags: [String!]
}
type Subscription {
postCreated: Post!
commentAdded(postId: ID!): Comment!
postUpdated(postId: ID!): Post!
}
schema {
query: Query
mutation: Mutation
subscription: Subscription
}
`,
resolvers: {
Query: {
me: (_, __, ctx) => ctx.user ? ctx.prisma.user.findUnique({ where: { id: ctx.user.id } }) : null,
user: (_, { id }, ctx) => ctx.prisma.user.findUnique({ where: { id } }),
posts: async (_, { filter, first, after }, ctx) => {
const where: any = {};
if (filter?.authorId) where.authorId = filter.authorId;
if (filter?.status) where.status = filter.status;
if (filter?.tags) where.tags = { hasSome: filter.tags };
if (filter?.searchTerm) {
where.OR = [
{ title: { contains: filter.searchTerm, mode: 'insensitive' } },
{ content: { contains: filter.searchTerm, mode: 'insensitive' } },
];
}
if (after) {
where.createdAt = { lt: new Date(Buffer.from(after, 'base64').toString()) };
}
const [posts, totalCount] = await Promise.all([
ctx.prisma.post.findMany({
where,
take: first + 1,
orderBy: { createdAt: 'desc' },
include: { author: true, tags: true },
}),
ctx.prisma.post.count({ where }),
]);
const hasNextPage = posts.length > first;
const edges = posts.slice(0, first).map(post => ({
node: post,
cursor: Buffer.from(post.createdAt.toISOString()).toString('base64'),
}));
return {
edges,
totalCount,
pageInfo: {
hasNextPage,
endCursor: edges[edges.length - 1]?.cursor,
},
};
},
post: (_, { id }, ctx) =>
ctx.prisma.post.findUnique({
where: { id },
include: { author: true, comments: { include: { author: true } } },
}),
},
Mutation: {
createPost: async (_, { input }, ctx) => {
if (!ctx.user) throw new GraphQLError('Authentication required');
const post = await ctx.prisma.post.create({
data: {
...input,
authorId: ctx.user.id,
},
include: { author: true },
});
ctx.pubsub.publish('POST_CREATED', { postCreated: post });
return post;
},
updatePost: async (_, { id, input }, ctx) => {
if (!ctx.user) throw new GraphQLError('Authentication required');
const existing = await ctx.prisma.post.findUnique({ where: { id } });
if (!existing) throw new GraphQLError('Post not found');
if (existing.authorId !== ctx.user.id) throw new GraphQLError('Not authorized');
const post = await ctx.prisma.post.update({
where: { id },
data: input,
include: { author: true },
});
ctx.pubsub.publish(`POST_UPDATED_${id}`, { postUpdated: post });
return post;
},
deletePost: async (_, { id }, ctx) => {
if (!ctx.user) throw new GraphQLError('Authentication required');
const existing = await ctx.prisma.post.findUnique({ where: { id } });
if (!existing) throw new GraphQLError('Post not found');
if (existing.authorId !== ctx.user.id) throw new GraphQLError('Not authorized');
await ctx.prisma.post.delete({ where: { id } });
return true;
},
likePost: async (_, { postId }, ctx) => {
if (!ctx.user) throw new GraphQLError('Authentication required');
await ctx.prisma.like.upsert({
where: { userId_postId: { userId: ctx.user.id, postId } },
create: { userId: ctx.user.id, postId },
update: {},
});
return ctx.prisma.post.findUnique({ where: { id: postId }, include: { author: true } });
},
addComment: async (_, { postId, content }, ctx) => {
if (!ctx.user) throw new GraphQLError('Authentication required');
const comment = await ctx.prisma.comment.create({
data: { content, postId, authorId: ctx.user.id },
include: { author: true },
});
ctx.pubsub.publish(`COMMENT_ADDED_${postId}`, { commentAdded: comment });
return comment;
},
},
Subscription: {
postCreated: {
subscribe: (_, __, ctx) => ctx.pubsub.subscribe('POST_CREATED'),
},
commentAdded: {
subscribe: (_, { postId }, ctx) => ctx.pubsub.subscribe(`COMMENT_ADDED_${postId}`),
},
postUpdated: {
subscribe: (_, { postId }, ctx) => ctx.pubsub.subscribe(`POST_UPDATED_${postId}`),
},
},
},
});Server Setup with Plugins
import { createYoga } from 'graphql-yoga';
import { createServer } from 'node:http';
import { PrismaClient } from '@prisma/client';
import { PubSub } from 'graphql-subscriptions';
import jwt from 'jsonwebtoken';
const prisma = new PrismaClient();
const pubsub = new PubSub();
const yoga = createYoga({
schema,
plugins: [
// Authentication plugin
{
onRequest({ request, serverContext }) {
const token = request.headers.get('authorization')?.replace('Bearer ', '');
if (token) {
try {
const payload = jwt.verify(token, process.env.JWT_SECRET);
serverContext.user = payload;
} catch {
// Invalid token
}
}
},
},
// Logging plugin
{
onExecute({ args }) {
const start = Date.now();
return {
onExecuteDone() {
console.log(`${args.operationName || 'anonymous'} completed in ${Date.now() - start}ms`);
},
};
},
},
// CORS plugin (built-in)
{
onResponse({ response, serverContext }) {
response.headers.set('Access-Control-Allow-Origin', '*');
},
},
],
context: ({ request }) => ({
prisma,
pubsub,
request,
}),
graphiql: {
subscriptionsProtocol: 'SSE',
},
});
const server = createServer(yoga);
server.listen(4000, () => {
console.log('🚀 GraphQL Yoga running at http://localhost:4000/graphql');
});
Architecture and Design Patterns
Real-Time with Server-Sent Events
Yoga v4 supports GraphQL subscriptions over Server-Sent Events (SSE), which works through standard HTTP and doesn't require WebSocket infrastructure. This makes subscriptions work on platforms that don't support WebSockets, like serverless functions.
import { createYoga } from 'graphql-yoga';
const yoga = createYoga({
schema,
subscriptionsProtocol: 'SSE', // Use SSE instead of WebSocket
});
// Subscriptions work over standard HTTP - no WebSocket server needed
// Client connects via EventSource or fetch with ReadableStreamClient-side subscription handling with SSE:
const subscribeSSE = (query, variables) => {
const eventSource = new EventSource(
`/graphql?query=${encodeURIComponent(query)}&variables=${encodeURIComponent(JSON.stringify(variables))}`
);
eventSource.onmessage = (event) => {
const data = JSON.parse(event.data);
handleSubscriptionData(data);
};
eventSource.onerror = (error) => {
console.error('Subscription error:', error);
eventSource.close();
};
return () => eventSource.close();
};File Upload Support
Yoga supports the GraphQL multipart request specification for file uploads without external middleware.
import { createYoga } from 'graphql-yoga';
const typeDefs = /* GraphQL */ `
scalar Upload
type File {
url: String!
filename: String!
mimetype: String!
}
type Mutation {
uploadFile(file: Upload!): File!
uploadFiles(files: [Upload!]!): [File!]!
}
`;
const resolvers = {
Mutation: {
uploadFile: async (_, { file }, ctx) => {
const { createReadStream, filename, mimetype } = await file;
const chunks = [];
for await (const chunk of createReadStream()) {
chunks.push(chunk);
}
const buffer = Buffer.concat(chunks);
const url = await uploadToS3(buffer, filename, mimetype);
return { url, filename, mimetype };
},
uploadFiles: async (_, { files }, ctx) => {
const results = await Promise.all(
files.map(async (file) => {
const { createReadStream, filename, mimetype } = await file;
const chunks = [];
for await (const chunk of createReadStream()) {
chunks.push(chunk);
}
const buffer = Buffer.concat(chunks);
const url = await uploadToS3(buffer, filename, mimetype);
return { url, filename, mimetype };
})
);
return results;
},
},
};Defer and Stream Support
Yoga supports the @defer and @stream directives for progressive data delivery, sending critical data immediately and deferring expensive fields.
import { createYoga } from 'graphql-yoga';
import { useDeferStream } from '@graphql-yoga/plugin-defer-stream';
const yoga = createYoga({
schema,
plugins: [useDeferStream()],
});
// Client can now use @defer and @stream directives
const query = /* GraphQL */ `
query UserProfile($id: ID!) {
user(id: $id) {
id
name
... @defer {
posts(last: 50) {
title
content
}
}
... @defer {
activityLog {
action
timestamp
}
}
}
}
`;Real-World Use Cases
Use Case 1: Serverless GraphQL API
Deploying to AWS Lambda, Vercel Functions, or Cloudflare Workers without code changes demonstrates Yoga's platform-agnostic design. The same schema, resolvers, and plugins work identically on local development and serverless production.
Use Case 2: Real-Time Collaboration Platform
A collaborative document editing system uses Yoga's SSE-based subscriptions to broadcast changes to all connected clients. The lightweight server handles thousands of concurrent SSE connections efficiently without WebSocket infrastructure.
Use Case 3: Mobile Backend
A mobile application's GraphQL backend uses Yoga's file upload support for image uploads and the defer directive to deliver critical content first, with expensive operations like AI-generated recommendations streaming in after the initial response.
Best Practices for Production
-
Use environment-specific configurations: Configure different logging levels, CORS origins, and rate limits for development, staging, and production environments.
-
Implement persisted queries: Use Automatic Persisted Queries (APQ) to reduce bandwidth and prevent arbitrary query execution. Clients send query hashes instead of full query strings.
-
Set up health check endpoints: Add a simple health check endpoint separate from GraphQL to enable load balancer health checks and uptime monitoring.
-
Use the Hive plugin for production monitoring: The Hive plugin integrates with GraphQL Hive for query analytics, error tracking, and schema change detection.
-
Implement request size limits: Configure maximum request body size to prevent denial-of-service attacks through large payloads. Yoga's built-in limits can be customized per endpoint.
-
Enable CORS appropriately: Configure CORS headers based on your deployment environment. Use specific origins in production rather than wildcard (
*). -
Monitor resolver performance: Track resolver execution times and identify slow queries. Use the logging plugin to capture timing information for every operation.
-
Implement rate limiting: Add rate limiting at the application level to prevent abuse. Track requests per IP or per authenticated user and return appropriate error responses.
Common Pitfalls and Solutions
| Pitfall | Impact | Solution |
|---|---|---|
| Missing context initialization | Undefined errors in resolvers | Always provide context factory in createYoga options |
| Unhandled subscription errors | Silent failures in real-time data | Implement error handling in subscription resolvers |
| Oversized file uploads | Memory exhaustion | Set file size limits and use streaming processing |
| Missing CORS headers | Browser blocks cross-origin requests | Configure CORS in Yoga options or plugin |
| WebSocket fallback issues | Subscriptions fail on some platforms | Use SSE protocol for maximum compatibility |
| N+1 queries in resolvers | Database overload | Use DataLoader for relationship fields |
| Schema not validated | Runtime errors from invalid schema | Enable schema validation in development |
Performance Optimization
Response Compression
Yoga supports built-in response compression to reduce bandwidth usage.
import { createYoga } from 'graphql-yoga';
import { useDisableIntrospection } from '@graphql-yoga/plugin-disable-introspection';
const yoga = createYoga({
schema,
plugins: [
// Disable introspection in production for security
process.env.NODE_ENV === 'production' && useDisableIntrospection(),
].filter(Boolean),
});Caching with Response Cache
import { useResponseCache } from '@graphql-yoga/plugin-response-cache';
const yoga = createYoga({
schema,
plugins: [
useResponseCache({
session: (request) => request.headers.get('authorization'),
ttl: 60_000, // 1 minute
ttlPerSchemaCoordinate: {
'Query.me': 0, // Never cache authenticated user data
'Query.posts': 300_000, // Cache post listings for 5 minutes
},
}),
],
});Monitoring with Prometheus
import { usePrometheus } from '@graphql-yoga/plugin-prometheus';
const yoga = createYoga({
schema,
plugins: [
usePrometheus({
http: true,
execute: true,
errors: true,
context: true,
}),
],
});Comparison with Alternatives
| Feature | GraphQL Yoga | Apollo Server | Mercurius | graphql-http |
|---|---|---|---|---|
| Bundle Size | ~50KB | ~150KB | ~100KB | ~10KB |
| Platform Support | Universal | Node.js | Node.js/Fastify | Universal |
| Subscriptions | SSE + WebSocket | WebSocket | WebSocket | None |
| File Uploads | Built-in | graphql-upload | Built-in | None |
| Defer/Stream | Built-in | Manual | None | None |
| Caching | Plugin | Plugin | Built-in | None |
| GraphiQL | Built-in | Sandbox | Altair | None |
| Learning Curve | Low | Moderate | Low | Low |
| Production Monitoring | Hive/Prometheus | Studio | Prometheus | None |
Advanced Patterns
Custom Directive Implementation
import { mapSchema, getDirective, MapperKind } from '@graphql-tools/utils';
const authDirectiveTransformer = (schema) => {
return mapSchema(schema, {
[MapperKind.OBJECT_FIELD]: (fieldConfig) => {
const authDirective = getDirective(schema, fieldConfig, 'auth')?.[0];
if (authDirective) {
const { requires } = authDirective;
const originalResolve = fieldConfig.resolve;
fieldConfig.resolve = async (source, args, context, info) => {
if (!context.user) {
throw new GraphQLError('Authentication required');
}
if (requires && context.user.role !== requires) {
throw new GraphQLError('Insufficient permissions');
}
return originalResolve(source, args, context, info);
};
}
return fieldConfig;
},
});
};Testing GraphQL Yoga Servers
import { createYoga } from 'graphql-yoga';
import { describe, it, expect } from 'vitest';
describe('GraphQL Yoga API', () => {
const yoga = createYoga({ schema });
it('returns hello world', async () => {
const response = await yoga.fetch('http://localhost:4000/graphql', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
query: '{ hello }',
}),
});
const body = await response.json();
expect(body.data.hello).toBe('Hello from Yoga!');
});
it('handles mutations with authentication', async () => {
const response = await yoga.fetch('http://localhost:4000/graphql', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': 'Bearer valid-token',
},
body: JSON.stringify({
query: `
mutation CreatePost($input: CreatePostInput!) {
createPost(input: $input) { id title }
}
`,
variables: { input: { title: 'Test', content: 'Content' } },
}),
});
const body = await response.json();
expect(body.data.createPost.title).toBe('Test');
});
});Future Outlook
GraphQL Yoga continues evolving as the reference implementation for the GraphQL over HTTP specification. The trend toward platform-agnostic serverless deployments makes Yoga's Fetch API foundation increasingly valuable. The Guild's active development ensures compatibility with the latest GraphQL specification features.
The emergence of GraphQL Mesh and Hive ecosystem positions Yoga as a central component in the modern GraphQL stack. Integration with tools like Pothos for type-safe schema building and GraphQL Code Generator for client-side type safety creates a comprehensive development experience.
Conclusion
GraphQL Yoga delivers on the promise of a lightweight, spec-compliant, platform-agnostic GraphQL server. Its Fetch API foundation ensures portability across every JavaScript runtime, the plugin system provides extensibility without complexity, and built-in support for SSE subscriptions, file uploads, and defer/stream eliminates the need for external middleware.
The key advantages over alternatives are minimal bundle size, universal platform support, and adherence to the latest GraphQL specifications. Whether you're building a serverless API on Cloudflare Workers, a real-time application on Node.js, or a quick prototype on Deno, Yoga provides a consistent, production-ready foundation.
For teams starting new GraphQL projects, Yoga represents the most forward-looking choice. Its active development by The Guild, adoption by major companies, and alignment with web standards ensure long-term viability. Start with the patterns in this guide, leverage the plugin ecosystem for production concerns, and deploy to whatever platform best serves your users.