Session description
Trusted documents (persisted queries) are one of the most powerful tools in the GraphQL security and performance toolkit. By restricting your API to only pre-approved operations, you eliminate entire classes of attacks, reduce payload sizes, and gain full visibility into client behavior. Yet most teams struggle to adopt them – the tooling is fragmented, the workflow is manual, and the deployment story is an afterthought.
What if your entire platform natively supported trusted documents from end to end? In this talk, I’ll show what becomes possible when persisted queries are first-class citizens of your GraphQL platform – from registration and versioning through CI/CD validation to production deployment and rollback. But trusted documents aren’t just for GraphQL clients. I’ll explore how they unlock new capabilities: exposing GraphQL operations as simple REST endpoints, and even powering MCP tools for AI agents – all built on the same foundation of pre-approved, governed operations.
You’ll leave with a clear picture of what a complete trusted documents platform looks like and practical steps to get there.