At a company like Booking.com, every sensitive field in the GraphQL schema has more than one team with a legitimate claim on it — Security, Identity, Legal, Privacy, Data Governance, the Traffic Gateway, the Federation Platform, and the hundreds of domain teams that own the data itself. When that many stakeholders need to agree on what "authorized" means for a single field, you don't have a security problem; you have a coordination problem. And solving it as security only makes it worse.This talk shares how we turned that coordination problem into a contract using a single federation directive — @policy. Domain teams author rules for the data they own. Privacy and Identity contribute cross-cutting concerns. Other domains compose by reference instead of re-authoring. The router is the only place enforcement happens. One audit trail. No cross-team meetings. What you'll learn:
Booking.com, Senior Software Engineer
Minghe is a Senior Engineer at Booking.com with over 15 years of industry experience spanning DevOps, web, and mobile development. Recently, he has been maintaining the GraphQL federation platform at Booking.com, focusing on efficiently managing large scale schemas and federating high traffic systems.
Join two transformative days of expert insights and innovation to shape the next decade of APIs!