The Ultimate API Showdown: Server Actions, tRPC, GraphQL, and REST Compared!

You'd be happy to know that ECMAScript 2 from 1998 still works. No need to learn new stuff.

@@mubashir3 obviously the syntactic sugar you use to make sure you transpile to ECMAScript 5 before you ship is needed to think it's worth, and maybe make you feel good on thinking you are smart 🤓 I love sarcasm btw

this is still the case even if you use Trpc tho - just give them the endpoints

@@chance2480 You mean if you're writing your API backend in TS? From my experience, most backend/Web API developers don't use JS/TS.

@@impregnat0r it's for JS/TS endpoints

@@impregnat0r I wasn't talking about things which can 'interact' with it but about beckend and languages and tech where you can utilize it. If you wrote your backend in Go, you won't / can't use trpc to send data between SPA and your (Go, C# etc) beckend.

Yes, as I mentioned in the video tRPC is not limited to TypeScript, the API that tRPC generates is really easy to understand and it is a simple matter of making the same kind of HTTP calls that you do with REST with tRPC.

Maybe I'm misunderstanding, but the only way different clients such as desktop or mobile apps can get consume data from a server is through an API that returns JSON. You can't do that with server actions or returning html unless you're scraping the data, but who does that? Am I correct or am I wrong? Is there something that I'm missingm

@@PS-dp8yg if you do not have javascript then the only way to respond and show data is by responding in html either for the whole page or an

@@PS-dp8yg well the response and request are separate things. If you are returning html, then you would not use it anywhere else, except the browser. You could return different things depending on the client, but that is not necessary efficient. Now we have this new standard called htmx which is all about returning html. Supposedly you can code without using javascript, except it is used for back-filling in older browsers.

@@breakablec Thanks for the response. I know that that response and request are two different things. The whole idea of returning JSON is to build multiple clients that consumes the same data. If the data changes, then all clients will have that change. If you need multiple different clients, it would be no problem. Once you start using Next.js and return react components, you are stuck with Next.js and React. If you return only HTML, you are stuck with building any platform that supports HTML(browser). Of course, you can have Next.js that returns react components, and at the same time, create and API endpoint for other clients. I heard of htmx and it seems promising, but we need to see how it will do against large applications.

TRPC. It’s easy and consistent. The typescript won’t help you with dart, but it’s not worse than rest in that regard.

Thanks, When your NextJs pro be launched?@@jherr

Awesome, and again, just my opinions on these. I gave GraphQL three arrows because any client can get the server schema and then build it's own types and query/mutation wrappers from there. AFAIK, tRPC doesn't have that language independent representation of the RPC API and its types.

@jherr It's not a primary feature, that's for sure. Idk about feasability, but it's possible to generate an OpenAPI Spec from your router def and from that, generate language-specific clients. Since the zod validation is all server side, you still get the runtime type-safety, but it's maybe not as a great a frontend DX 😅
Aww man, it's a brainworm, now. I'm going to have to ask my 🦀 friend to try it in Rust...
But yeah, you only get a well-defined API with tRPC and GQL.

@@Alec.Vision Cool, so, possible, but not out of the box and easy. I'll be excited to see if that happens for tRPC.

You could use a form post for a subset of REST (GET and POST).

it would make it as slow as the response time of the backend service, plus a small overhead. on the client it's a non-blocking promise.

I thought about putting it on here, but it doesn't natively sit on top of HTTP, and so I think it's uncommon at the FE level. You can do the proxy thing. It's just hard to compare that with these more common solutions.

you can create form actions through JS, so I would say no.

Could you expand on 'tRPC lacks flexibility for modeling complex business domains'? Can you give an example of a limitation you've encountered? Genuinely curious!

​@@Alec.Vision For me at least 3 reason why I personally don't use tRPC. First it works the best with monorepo and fullstrack framework as nextjs. Second the compatibility between tRPC and the latest releases for other packages or framework. Last it works only with Typescript. But what if a piece of the backend is using python for some IA functionalities. If I use tRPC in my code base I can see clearly what I will loose and the "package lock" that I will have, but I cannot see really the benefits. If it is only type safety, I can achieve it easily but just coping my types.ts file between my front end and backend and use RTK Query or React Query which will bring even more value than just type safety. Also I am big fun of Zod I use it a lot for my forms validations and for database queries but I don't think is suitable for API validation. I prefer using class validator for this part.

Yep. Glad you mentioned that since folks seem to think you can’t use tRPC with typescript.

@@jherrhey jack, i was actually asking you how to use trpc with c# backend

@@dgcp354 oh, yeah, i don't know. the types are driven by the server.

Rate limiting and query cost are fantastic B2B. But if it's B2C then are you going to charge your customer directly? Or rate limit their eCommerce session? The only thing I've seen work there is to white list specific queries, which ends up defeating the value of GraphQL in the first place.

nextjs.org/docs/app/api-reference/functions/server-actions

All is well. Thanks!

You'd have to cache it yourself. It's primarily meant as a mutation mechanism, not a query mechanism, so consider it like you would a POST HTTP fetch.

The server action can still call microservices on the backend.

That's why it's a mix of a score. It can be really great and flexible BUT you have to be cognisant of a significant downside. Which, given some of the comments, folks are unaware of.

What tRPC lacks is the self identifying schema which allows any client in any language to create type safe bindings right out of the box. You may not need that, but it does distinguish GraphQL in terms of type safety.

@@jherr yeah the fact that tRPC can't be consumed by external services easily is a downside for sure. For our own software we use monorepos to solve this issue but when other 3rd parties we have to use the OpenAPII adapter to allow it to be consumed just like a normal REST API with a generated swagger page to at least provide some kind of schema to use (granted with the lack of type safety you pointed out for REST).

@@tom.watkins From an external source perspective it's no better or worse than just plain REST.

Actually, REST is not a standard, it's an "architectural style", which is why you'll never see a one size fits all REST client that doesn't have a ton of configuration options.

​@@jherrI think what they mean is "de-facto"

@@mayanksharma6927 Yeah, ok, that's fair. I just find it frustrating when folks call it a standard because I've never worked with a pure "REST" interface that didn't leak. They always need a non-standard set of RPCs for reports, multi-table inserts, etc..

HTTP is the protocol. REST sits on top of HTTP and is an "architectural style" that covers the actions you can take on the entity or entities using HTTP verbs.

@@jherrIt's an abstraction of HTTP, but it's still a protocol. It responds to requests with data, the same as HTTP does.

@@Dylan_thebrand_slayer_Mulveiny It's common for developers to say that any w use fetch to get data we are "making a REST request". That's not the case. Fetch is a replacement for XMLHttpRequest. Note "http". fetch makes http requests of all types, including JSON and XML, but also HTML, images, etc. fetch makes HTTP requests.
REST is a specific "architectural style" that loosely defines entities as a hierarchy, referential data that should exist in the return body, and it recommends the meaning of HTTP verbs. en.wikipedia.org/wiki/REST#Applied_to_web_services
When the REST paper was published (which came well after the releases of IE and Netscape Navigator that supported client-side XML requests (with different APIs of course)) it was a lightweight response to SOAP. SOAP was a very specific protocol where both requests and responses could be validated to conform to the protocol. REST was much less strict (and easier to use), but you couldn't make a universal REST client because there was no set protocol to validate against.
The whole appeal of REST is that it wasn't a protocol like SOAP. You didn't need to adopt most of the recommendations. IIS at the time couldn't respond to anything other than GET/POST, so Microsoft REST APIs didn't use the verbs. A bug in a version of Flash player meant that it would only handle 200 responses, so we stopped using error codes and instead encoded error responses as 200s (sigh, a mistake we are still paying for today.)
From the jump the abstraction of REST leaked terribly. If you do /[customer]/[orders] and /[products] how do you get all the orders for a particular product without duplicating orders under products (a REST no-no). So 100% of all "REST" services I've worked with have always had an adjunct RPC API to handle the leaks.
That leakage and need for reporting in a uniform protocol was what gave us GraphQL. And GraphQL is a protocol where requests and responses can be validated to the point where we can build clients that are guaranteed to work based on that protocol.
So no, REST is not a protocol, and that's by design. GraphQL, gRPC, HTTP, FTP, TCP/IP, those are well structured communications protocols.

wundergraph.com/blog/graphql_is_not_meant_to_be_exposed_over_the_internet#do-you-fully-understand-the-risks "GraphQL on the other hand, a single Query might result in thousands of calls on the controllers (resolvers) of the API. There is no simple way to solve this problem."
We ran into the issue at a major eCommerce company where we deployed end-user facing GQL with open requests and the API got frequently attacked and it was impossible to tell valid requests from malicious requests at the edge becauase the query was in the payload. We ended up going to white-listed query which defeats the purpose of GQL in the first place.
The query complexity issue is the reason why B2B GQL APIs have per-query cost calculations.