GraphQL Monitoring Proxy

Enterprise-grade GraphQL gateway with Prometheus metrics, smart caching, circuit breaker, rate limiting, request coalescing, WebSocket subscriptions, and comprehensive security - all at zero cost.

# Run with Docker
$ docker run -p 8080:8080 -p 9393:9393 \
    -e GMP_HOST_GRAPHQL=http://your-graphql:4000/ \
    -e GMP_ENABLE_GLOBAL_CACHE=true \
    -e GMP_ENABLE_CIRCUIT_BREAKER=true \
    ghcr.io/lukaszraczylo/graphql-monitoring-proxy:latest

  • 100k+ requests/second
  • 10MB RAM usage
  • 0.1% CPU usage
  • $0 cost

Feature Overview

Everything you need for production GraphQL

Monitoring

Prometheus metrics, OpenTelemetry tracing, admin dashboard

Speed

Smart caching, request coalescing, read-only replicas

Security

Rate limiting, introspection blocking, user banning

Resilience

Circuit breaker, retry budget, connection recovery

Monitoring

Complete observability for your GraphQL API

Prometheus Metrics

  • Query execution timing with histograms
  • User ID extraction from JWT tokens
  • Operation name and type tracking
  • Cache hit/miss ratios
  • Success/failure/skipped counters
  • Configurable metrics purging

OpenTelemetry Tracing

  • Distributed tracing support
  • Configurable OTLP collector endpoint
  • Trace context propagation via headers
  • Child span creation for each request

GMP_ENABLE_TRACE=true
GMP_TRACE_ENDPOINT=localhost:4317

Real-Time Admin Dashboard

Web-based UI at /admin with auto-refresh every 5 seconds:

System Health

  • Backend GraphQL status
  • Redis connectivity
  • Response times

Live Statistics

  • Request coalescing rate
  • Retry budget tokens
  • Active WebSocket connections

Controls

  • Circuit breaker state
  • Cache statistics
  • Reset/clear actions

Speed

Maximize throughput, minimize latency

Request Coalescing

Deduplicates concurrent identical queries: only one request hits the backend, and the response is shared with all waiting clients.

  • Reduces backend load 50-80%
  • Prevents thundering herd on cache expiry
  • Zero latency for primary request
  • Enabled by default

Smart Caching

Memory-aware caching with per-user isolation, compression, and flexible TTL control.

  • In-memory with LRU eviction
  • Distributed Redis cache support
  • Per-query TTL via @cached(ttl: 90)
  • Force refresh via @cached(refresh: true)
  • Automatic gzip compression
  • Per-user cache isolation (security)
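
How the per-user isolation listed above interacts with request coalescing, as an added Go sketch (not the project's code): the key under which requests are merged includes the caller's identity, so a shared response only ever reaches requests from the same user. The Coalescer type, the Key fields and the choice to scope coalescing per user are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sync"
)

type call struct{ done chan struct{}; resp string }

// Coalescer shares one in-flight backend call among requests with equal keys.
type Coalescer struct {
	mu       sync.Mutex
	inflight map[string]*call
	shared   int // requests answered by another caller's backend call
}

// Key scopes sharing to one identity; length prefixes keep ("ab","c") != ("a","bc").
func Key(userID, role, query, vars string) string {
	h := sha256.New()
	for _, p := range []string{userID, role, query, vars} {
		fmt.Fprintf(h, "%d:%s", len(p), p)
	}
	return string(h.Sum(nil))
}

// Do runs backend once per key at a time; concurrent callers wait and reuse it.
func (c *Coalescer) Do(key string, backend func() string) string {
	c.mu.Lock()
	if cl, ok := c.inflight[key]; ok {
		c.shared++
		c.mu.Unlock()
		<-cl.done // resp is written before done is closed
		return cl.resp
	}
	cl := &call{done: make(chan struct{})}
	c.inflight[key] = cl
	c.mu.Unlock()
	cl.resp = backend()
	c.mu.Lock()
	delete(c.inflight, key)
	c.mu.Unlock()
	close(cl.done)
	return cl.resp
}

func main() {
	c := &Coalescer{inflight: map[string]*call{}}
	k := Key("1337", "guest", "{ me { id } }", "{}") // constructed request
	fmt.Println(c.Do(k, func() string { return `{"data":{"me":{"id":"1337"}}}` }))
}
```

If the key were built from the query text alone, two users sending the same query at the same moment would receive whichever response the backend produced for the first of them.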

WebSocket Subscriptions

Native GraphQL subscription support with bidirectional proxying.

  • Automatic ping/pong keep-alive
  • Configurable message size limits
  • Connection statistics in dashboard
  • Graceful connection handling

GMP_WEBSOCKET_ENABLE=true
GMP_WEBSOCKET_PING_INTERVAL=30

Read-Only Replica Support

Route queries to read replicas, mutations to primary for maximum throughput.

  • Automatic query/mutation routing
  • Scales read capacity horizontally
  • Works with Hasura read replicas

GMP_HOST_GRAPHQL=http://primary:8080/
GMP_HOST_GRAPHQL_READONLY=http://replica:8080/

Security

Protect your GraphQL API from abuse

Role-Based Rate Limiting

Different rate limits per user role with burst control and dynamic config reload.

{
  "ratelimit": {
    "admin": { "req": 1000, "interval": "second", "burst": 2000 },
    "premium": { "req": 500, "interval": "second" },
    "guest": { "req": 10, "interval": "second" },
    "-": { "req": 5, "interval": "second" }
  }
}

Introspection Blocking

Block schema introspection to prevent API discovery attacks, with configurable allowlists.

  • Blocks __schema, __type, etc.
  • Deep nested query inspection
  • Allowlist specific introspections

GMP_BLOCK_SCHEMA_INTROSPECTION=true
GMP_ALLOWED_INTROSPECTION="__typename"
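
Why this check has to work on tokens rather than on raw text, as an added Go example (not the project's code): the scanner consumes comments and string literals before looking for names that start with "__", so nested and fragment-hidden introspection is caught while argument values are ignored. The function names and the constructed queries are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// One token per match: block string, string, comment, or name. Strings and
// comments are consumed whole, so text inside them is never read as a field.
var token = regexp.MustCompile(
	`"""(?:\\"""|[\s\S])*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|[_A-Za-z][_0-9A-Za-z]*`)

// blockedIntrospection returns every name starting with "__" that is not
// allowlisted, at any nesting depth and inside fragments. An unterminated
// string is not consumed, so names after it are still inspected (fail closed).
func blockedIntrospection(query string, allowed map[string]bool) []string {
	var hits []string
	for _, tok := range token.FindAllString(query, -1) {
		if strings.HasPrefix(tok, "__") && !allowed[tok] {
			hits = append(hits, tok)
		}
	}
	return hits
}

// naiveBlocked is the substring check the scanner replaces: it fires on
// argument values and comments, and cannot honour an allowlist by name.
func naiveBlocked(query string) bool { return strings.Contains(query, "__") }

func main() {
	allow := map[string]bool{"__typename": true} // GMP_ALLOWED_INTROSPECTION value above
	for _, q := range []string{ // constructed sample queries
		`{ user { ...F __typename } } fragment F on Query { __schema { types { name } } }`,
		`{ search(q: "__schema") { id } } # __type`,
		`{ f(a: """x \""" y""") { __type(name: "U") { name } } }`,
	} {
		fmt.Println(blockedIntrospection(q, allow), naiveBlocked(q))
	}
}
```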

User Ban/Unban API

Block misbehaving users detected by your monitoring system.

curl -X POST http://localhost:9090/api/user-ban \
  -H 'Content-Type: application/json' \
  -d '{"user_id": "1337", "reason": "Scraping"}'

Additional Security

  • Read-only mode: Block all mutations
  • URL allowlist: Restrict accessible endpoints
  • JWT claim extraction: User ID and role from tokens
  • API authentication: Optional X-API-Key for admin endpoints
  • Log sanitization: Automatic redaction of sensitive data
  • SQL injection prevention: Parameterized queries

Resilience

Handle failures gracefully

Circuit Breaker

Prevent cascading failures with automatic detection and recovery.

  • Trip on consecutive failures or ratio
  • Automatic recovery after timeout
  • Serve cached responses when open
  • Configurable for timeouts, 5XX, 4XX
  • Exponential backoff support
  • Health endpoint: /api/circuit-breaker/health

Retry Budget

Prevent retry storms with token bucket rate limiting.

  • Token bucket algorithm
  • Configurable refill rate
  • Prevents overwhelming recovering backends
  • Enabled by default

GMP_RETRY_BUDGET_ENABLE=true
GMP_RETRY_BUDGET_TOKENS_PER_SEC=10
GMP_RETRY_BUDGET_MAX_TOKENS=100
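
What these two numbers mean during an outage, as an added Go sketch of a token-bucket retry budget (not the project's code): with 100 max tokens and 10 tokens per second, a burst of failing requests gets at most 100 retries at once and 10 per second afterwards. The type and function names, and the bucket starting full, are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"time"
)

// RetryBudget is a token bucket shared by all requests: every retry spends
// one token, first attempts spend none, and tokens refill at a fixed rate.
type RetryBudget struct {
	mu                  sync.Mutex
	tokens, max, perSec float64
	last                time.Time
}

// AllowRetry refills for the time elapsed, then spends a token if one is left.
func (b *RetryBudget) AllowRetry(now time.Time) bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	if el := now.Sub(b.last).Seconds(); el > 0 {
		b.tokens = math.Min(b.max, b.tokens+el*b.perSec)
		b.last = now
	}
	if b.tokens < 1 {
		return false // budget exhausted: fail fast instead of retrying
	}
	b.tokens--
	return true
}

// admitted counts how many of n retries requested at the same instant pass.
func admitted(b *RetryBudget, n int, now time.Time) int {
	ok := 0
	for i := 0; i < n; i++ {
		if b.AllowRetry(now) {
			ok++
		}
	}
	return ok
}

func main() {
	t0 := time.Unix(0, 0)
	// Starts full (assumption); 10 tokens/s and 100 max as in the config above.
	b := &RetryBudget{tokens: 100, max: 100, perSec: 10, last: t0}
	fmt.Println(admitted(b, 500, t0), admitted(b, 500, t0.Add(time.Second)))
}
```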

Connection Recovery

Automatic connection pool management and backend health monitoring.

  • Backend startup readiness probe
  • Keep-alive with health checks
  • Automatic pool reset on failures
  • Intelligent retry with backoff

Graceful Degradation

Informative error responses with retry recommendations.

{
  "errors": [{
    "message": "Backend temporarily unavailable",
    "extensions": {
      "code": "SERVICE_UNAVAILABLE",
      "retryable": true,
      "retry_after": 60
    }
  }]
}

Maintenance

Built-in tools for Hasura users

Hasura Event Cleaner

Automatically clean up old event logs to prevent database bloat. Runs hourly.

Tables Cleaned

  • hdb_catalog.event_invocation_logs
  • hdb_catalog.event_log
  • hdb_catalog.hdb_action_log
  • hdb_catalog.hdb_cron_event_invocation_logs
  • hdb_catalog.hdb_scheduled_event_invocation_logs

Configuration

GMP_HASURA_EVENT_CLEANER=true
GMP_HASURA_EVENT_CLEANER_OLDER_THAN=14
GMP_HASURA_EVENT_METADATA_DB=postgres://...

Installation

Deploy in seconds

Docker

docker pull ghcr.io/lukaszraczylo/graphql-monitoring-proxy:latest

Binary Download

Download from the releases page.

Supported: Darwin ARM64/AMD64, Linux ARM64/AMD64, Windows AMD64

Endpoints

Available HTTP endpoints

:8080/* GraphQL passthrough endpoint
:8080/admin Admin dashboard UI
:9393/metrics Prometheus metrics
:8080/healthz Health check (with optional backend verification)
:8080/livez Liveness probe
:9090/api/* Management API (user-ban, cache-clear, circuit-breaker)