Labsco
Docat0209 logo

graphql-to-mcp

from Docat0209

Turn any GraphQL API into MCP tools. Auto-introspection, flat schemas.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeQuick setup

graphql-to-mcp

npm downloads

Turn any GraphQL API into MCP tools โ€” zero config, zero code.

Point graphql-to-mcp at a GraphQL endpoint and it auto-generates one MCP tool per query/mutation via introspection. Works with Claude Desktop, Cursor, Windsurf, and any MCP client.

Features

  • Zero config โ€” just provide a GraphQL endpoint URL
  • Auto-introspection โ€” discovers all queries and mutations automatically
  • Flat parameter schemas โ€” nested input objects are flattened for better LLM accuracy
  • Smart truncation โ€” large responses are intelligently pruned (array slicing + depth limiting)
  • Auth support โ€” Bearer tokens, API keys (header or query)
  • Retry logic โ€” automatic retries on 429/5xx with exponential backoff
  • Include/exclude filters โ€” expose only the operations you want
  • Schema caching โ€” skip re-introspection with --schema-cache for faster startup
  • Mutation safety โ€” auto-detect destructive mutations (delete*, remove*, etc.) and warn or block them

How It Works

  1. Introspect โ€” Fetches the GraphQL schema via introspection query
  2. Flatten โ€” Nested InputObject types are flattened into simple key-value parameters (e.g., input.name โ†’ input_name)
  3. Generate โ€” Each query/mutation becomes an MCP tool with a flat JSON Schema
  4. Execute โ€” When an LLM calls a tool, the flat args are reconstructed into proper GraphQL variables and sent to your endpoint

Why Flat Schemas?

LLMs are significantly better at filling flat key-value parameters than deeply nested JSON objects. By flattening InputObject types, we get:

  • Higher accuracy in parameter filling
  • Fewer hallucinated nested structures
  • Better compatibility across different LLM providers

Options

OptionDescriptionDefault
--bearer <token>Bearer token authโ€”
--api-key <name:value:in>API key authโ€”
-H, --header <name:value>Custom header (repeatable)โ€”
--include <pattern>Include only matching operationsall
--exclude <pattern>Exclude matching operationsnone
--prefix <name>Tool name prefixโ€”
--timeout <ms>Request timeout30000
--max-retries <n>Retry on 429/5xx3
--transport <stdio|sse>MCP transportstdio
--schema-cache <path>Save/load introspection cacheโ€”
--force-refreshIgnore cache, re-introspectfalse
--mutation-safety <mode>warn | safe | unrestrictedwarn

Smart Truncation

GraphQL APIs can return large payloads that overwhelm LLM context windows. graphql-to-mcp automatically:

  • Slices arrays to 20 items (with metadata showing total count)
  • Prunes depth beyond 5 levels (with object/array summaries)
  • Hard truncates at 50K characters as a safety net

Schema Caching

Introspection queries can be slow on large schemas. Use --schema-cache to save the introspection result locally:

# First run: introspects and saves to cache
npx graphql-to-mcp https://api.example.com/graphql --schema-cache ./schema.json

# Subsequent runs: loads from cache (instant startup)
npx graphql-to-mcp https://api.example.com/graphql --schema-cache ./schema.json

# Force re-introspection when the API schema changes
npx graphql-to-mcp https://api.example.com/graphql --schema-cache ./schema.json --force-refresh

The cache file stores the endpoint URL and timestamp. If you point at a different endpoint, it automatically re-introspects.

Mutation Safety

By default, graphql-to-mcp detects destructive mutations and adds warnings to their descriptions. This helps LLMs understand the risk before executing them.

Detected patterns: delete*, remove*, drop*, clear*, truncate*, destroy*, purge*, reset* (case-insensitive).

ModeBehavior
warn (default)Adds "DESTRUCTIVE:" prefix to dangerous mutation descriptions
safeCompletely excludes dangerous mutations from the tool list
unrestrictedNo filtering or warnings (previous behavior)
# Safe mode: only expose read queries + non-destructive mutations
npx graphql-to-mcp https://api.example.com/graphql --mutation-safety safe

# Unrestricted: expose everything (use with caution)
npx graphql-to-mcp https://api.example.com/graphql --mutation-safety unrestricted

Use with REST APIs Too

Pair with mcp-openapi to give Claude access to both REST and GraphQL APIs:

{
  "mcpServers": {
    "github-graphql": {
      "command": "npx",
      "args": ["-y", "graphql-to-mcp", "https://api.github.com/graphql", "--bearer", "ghp_xxx", "--prefix", "gh"]
    },
    "petstore-rest": {
      "command": "npx",
      "args": ["-y", "mcp-openapi", "https://petstore3.swagger.io/api/v3/openapi.json"]
    }
  }
}
  • mcp-openapi โ€” Same zero-config approach for REST/OpenAPI APIs