DEV.co
Open-Source Databases · supabase

pg_graphql

pg_graphql is a PostgreSQL extension that automatically exposes your database schema as a GraphQL API without requiring separate servers or middleware. It translates SQL table definitions into GraphQL types and resolvers, allowing any client that speaks GraphQL to query PostgreSQL directly.

Source: GitHub — github.com/supabase/pg_graphql
3.3k
GitHub stars
134
Forks
Rust
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorysupabase/pg_graphql
Ownersupabase
Primary languageRust
LicenseApache-2.0 — OSI-approved
Stars3.3k
Forks134
Open issues49
Latest releasev1.6.1 (2026-05-07)
Last updated2026-06-03
Sourcehttps://github.com/supabase/pg_graphql

What pg_graphql is

Written in Rust, pg_graphql reflects PostgreSQL schemas into GraphQL by introspecting table structure, foreign keys, and custom types. It runs as a PostgreSQL extension, executing GraphQL queries server-side and mapping them to SQL, eliminating the need for a separate GraphQL layer.

Quickstart

Get the pg_graphql source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/supabase/pg_graphql.gitcd pg_graphql# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Rapid Internal/Admin APIs

Quickly expose read/write access to PostgreSQL tables via GraphQL without building a custom REST or GraphQL server. Ideal for admin panels, dashboards, and internal tools where schema-driven APIs suffice.

Serverless & Edge-Deployed Applications

Eliminates the need to deploy and manage a separate GraphQL server. GraphQL execution happens in-database, reducing infrastructure complexity for serverless or edge-native architectures.

Multi-Client Query Flexibility

Enables web, mobile, and desktop clients to query PostgreSQL via GraphQL without language-specific SDKs or middleware. Any HTTP client can consume the GraphQL endpoint exposed by PostgreSQL.

Implementation considerations

  • PostgreSQL version 14+ required; verify your production database meets this minimum before installation.
  • Schema design directly impacts GraphQL usability—naming conventions, foreign keys, and type definitions must be carefully planned; use inflection configuration to map snake_case SQL to camelCase GraphQL.
  • Introspection-based schema means schema changes in SQL are automatically reflected in GraphQL; test this behavior carefully in staging to avoid unexpected client breakage.
  • GraphQL query complexity and N+1 risks depend on SQL query translation; profile generated queries to ensure performance under load.
  • Authentication, authorization, and field-level access control must be implemented via PostgreSQL roles, RLS policies, or external middleware; no built-in GraphQL-level permission system apparent.

When to avoid it — and what to weigh

  • Complex Business Logic Required — If your API needs significant transformation, authentication per-request, caching strategies, rate limiting, or custom resolvers, pg_graphql's schema-first approach may force workarounds. A dedicated GraphQL server offers more flexibility.
  • Non-PostgreSQL Primary Datastore — pg_graphql only works with PostgreSQL. If your primary data lives in MongoDB, DynamoDB, or other databases, you will need an alternative GraphQL solution.
  • Subscription or Real-Time Requirements — The provided documentation excerpt does not mention WebSocket subscriptions or real-time query support. Verify capability before adopting for live-update features.
  • Multi-Tenant Isolation at Query Level — pg_graphql reflects the entire public schema by default. Fine-grained per-tenant field masking or row-level filtering requires careful Row-Level Security (RLS) policy design and may be complex to reason about.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license.

Apache-2.0 permits commercial use, modification, and distribution with conditions: include a copy of the license, state significant changes, and provide a license notice. No patent grant or liability indemnity. Suitable for commercial products, but review with legal counsel for specific use cases.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

No claims made here. Security posture depends on: (1) PostgreSQL version patching; (2) RLS policy correctness for row filtering; (3) role/authentication mapping at the application level; (4) GraphQL query complexity limits (not mentioned, verify). Rust implementation reduces memory-safety risks. External security audits not mentioned; assume standard OSS scrutiny applies.

Alternatives to consider

PostgREST

Similar schema-driven REST API from PostgreSQL; mature and widely used. Choose if REST is preferred over GraphQL, or if deployment flexibility (e.g., containerization) is required.

Hasura

GraphQL engine supporting PostgreSQL, MySQL, and others; offers advanced features (caching, subscriptions, custom resolvers, fine-grained permissions). Choose if multi-database or richer business logic is needed.

Custom GraphQL Server (Apollo, Express + graphql-js)

Full control over schema, resolvers, authentication, and optimization. Choose if pg_graphql's schema-first constraints are too limiting or if multiple data sources must be unified.

Software development agency

Build on pg_graphql with DEV.co software developers

Explore pg_graphql documentation, test schema reflection in your environment, and evaluate RLS policies for your auth model. Contact us to plan integration with your data stack.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

pg_graphql FAQ

Does pg_graphql require a separate GraphQL server?
No. pg_graphql runs as a PostgreSQL extension; GraphQL query execution happens in-database. Depending on your setup, you may use PostgREST or a thin HTTP wrapper to expose the GraphQL endpoint, but no separate Node/Go/Python GraphQL server is required.
Can I use pg_graphql with managed PostgreSQL (RDS, Cloud SQL, Supabase)?
Supabase explicitly supports it (Supabase maintains pg_graphql). Cloud RDS and Google Cloud SQL restrict custom extensions; check your provider's extension policy. Self-hosted or Supabase-managed PostgreSQL are simplest.
How do I handle authentication and authorization?
pg_graphql relies on PostgreSQL roles and Row-Level Security (RLS) policies. Your application must authenticate users and map them to database roles; then RLS policies enforce row-level filtering. GraphQL-level permission directives are not built-in.
Is pg_graphql suitable for production?
Yes, with caveats: active maintenance, used by Supabase in production, Apache-2.0 licensed. Verify PostgreSQL version compatibility, test RLS policies thoroughly, profile query performance, and ensure your deployment environment supports PostgreSQL extensions.

Custom software development services

Adopting pg_graphql is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source databases software in production.

Ready to add GraphQL to PostgreSQL?

Explore pg_graphql documentation, test schema reflection in your environment, and evaluate RLS policies for your auth model. Contact us to plan integration with your data stack.