I’m Nick, the Engineering Manager for the team responsible for our GraphQL API - some of you have probably seen me around and/or have been frustrated at me in the past when a request hasn’t moved quickly, or when we push back (like in this issue!) on adding a feature.
When we created the GraphQL v4 API, one of the first things we wanted to do was throw out all of the assumptions that we’d made for our REST v3 API, and start fresh. On top of that, we knew that it wasn’t going to be a super straightforward task to distill all of GitHub’s public surface into a GraphQL schema that worked for every use case from the beginning, so we decided to start small and build it out piece by piece in coordination with our users.
One of the pieces of the REST API that we did not want to launch with immediately was anonymous requests - not because we wanted to push away anybody who needed that feature, but because we weren’t happy with the user experience that customers had while doing unauthenticated requests with the REST API, and figured it’d be even worse with GraphQL. Unfortunately, as everyone on this thread knows all too well, that removes a use-case that a significant number of people used the REST v3 API for!
If anything, as has been said previously, we’re not blocking anonymous access because we’re worried about any additional load - for the most part, if people could port their REST queries over to GraphQL, we’d expect that it would actually decrease the number of requests and transferred data!
Instead, we’ve not implemented this because we don’t feel like we’ve nailed the end-to-end experience around rate limiting, permissions, and overall API quality as an anonymous user. If I had unlimited resources and time to do everything, I would absolutely love to sit down and craft a GraphQL API that serverless/zero-storage apps could use, but so far a myriad of other components of the API have taken priority over this.
I care deeply about making sure that as many people as possible can use our APIs to provide deep and rich integrations on top of our platform, but doing that with a userbase the size of GitHub means meeting a nearly infinite number of requirements, so we have to pick and choose.
The REST API isn’t going anywhere anytime soon, and neither is anonymous access to it. Over time, I’m optimistic that we can fold this access method into the GraphQL API one way or another while providing an improved user experience.