MCP GraphQL

MCP server that lets LLMs dynamically discover and query any GraphQL API by introspecting its schema, executing queries, and optionally executing mutations against a configured endpoint.

Evaluated Mar 06, 2026 (version: latest)
Developer Tools graphql api schema-introspection queries typescript developer-tools
⚙ Agent Friendliness: 68 / 100 (Can an agent use this?)
🔒 Security: 76 / 100 (Is it safe for agents?)
⚡ Reliability: 62 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 65
Documentation: 70
Error Messages: 50
Auth Simplicity: 75
Rate Limits: 65

🔒 Security

TLS Enforcement: 90
Auth Strength: 75
Scope Granularity: 68
Dep. Hygiene: 78
Secret Handling: 70

GraphQL MCP server. Auth depends on GraphQL schema and resolvers. Introspection should be disabled in production. Query depth/complexity limits prevent DoS.

⚡ Reliability

Uptime/SLA: 62
Version Stability: 65
Breaking Changes: 60
Error Recovery: 62

Best When

You have a GraphQL endpoint and want an AI agent to self-discover what queries are possible and execute them without you writing the queries manually.

Avoid When

You need strict query control, cost/complexity limiting on GraphQL operations, or your API requires mTLS or complex multi-step auth flows not supported by a static HEADERS env var.

Use Cases

  • Enabling an AI agent to explore and query an internal GraphQL API without hardcoded query definitions
  • Prototyping GraphQL queries interactively through Claude for API development and testing
  • Bridging AI workflows to GraphQL-backed services (e.g., Shopify, GitHub, Contentful)
  • Schema exploration for developers onboarding to an unfamiliar GraphQL API

Not For

  • REST-only APIs (no OpenAPI/REST support)
  • Production environments needing fine-grained query whitelisting or cost controls
  • Users who need mutations enabled by default (disabled for safety)

Interface

REST API: No
GraphQL: Yes
gRPC: No
MCP Server: Yes
SDK: No
Webhooks: No

Authentication

Methods: api_key, bearer_token, custom_headers
OAuth: No
Scopes: No

Auth is passed as a JSON string in the HEADERS environment variable (e.g., {"Authorization":"Bearer token"}). No OAuth flow support — static headers only. Suitable for API key and bearer token scenarios.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Open source. Costs depend entirely on the GraphQL API being queried.

Agent Metadata

Pagination: none
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • Mutations disabled by default via ALLOW_MUTATIONS flag — must explicitly enable for write operations
  • Schema introspection must be enabled on the target GraphQL server (some production APIs disable it)
  • Static HEADERS env var means no dynamic token refresh — tokens must be rotated manually
  • No query complexity or depth limiting — agents could generate expensive queries


Scores are editorial opinions as of 2026-03-06.
