GraphQL vs REST API — UK Developer Guide 2025

🔗 REST + OpenAPI📊 GraphQL⚡ gRPC🔒 UK GDPR💷 FCA Aligned
July 202511 min readJames Whitmore, CTO

Direct Answer

REST with OpenAPI 3.0 is the right default for UK external APIs. It satisfies FCA COBS machine-readable disclosure requirements, provides natural UK GDPR data minimisation at the endpoint level, and has universal tooling support. GraphQL solves specific frontend over-fetching problems. gRPC is for high-performance internal microservices only. The choice affects UK GDPR compliance, FCA regulatory disclosure, and NHS FHIR R4 interoperability.

OpenAPI 3.0 — The UK Standard for External APIs

FCA COBS disclosure: financial APIs must disclose what data they expose. An OpenAPI spec is a machine-readable disclosure document — FCA-inspectable.

NHS FHIR R4: NHS APIs use FHIR R4 which is a REST API standard — OpenAPI-documented FHIR capability statements are DTAC Domain 4 evidence.

G-Cloud service description: API capabilities described in OpenAPI format are accepted for G-Cloud technical documentation.

Automated testing: OpenAPI spec generates contract tests (Prism mock server, Dredd) — API behaviour validated against spec in CI/CD.

OpenAPI 3.0 (formerly Swagger) is the de-facto standard for documenting REST APIs. For UK regulated software, OpenAPI provides additional value beyond documentation:

UK GDPR and API Design — Practical Rules

UK GDPR Principle

API Design Requirement

Implementation

Data minimisation (Art 5(1)(c))

Return only fields necessary for the client's stated purpose

Field-level response schemas — no catch-all response objects

Purpose limitation (Art 5(1)(b))

Separate endpoints for separate purposes — no multipurpose dumps

Endpoint-per-use-case (not GET /user returning all data)

Storage limitation (Art 5(1)(e))

API responses should not encourage unnecessary data storage by client

Documentation: specify which response fields should not be cached

Security (Art 32)

API authentication and authorisation enforced at gateway

AWS API Gateway + Cognito JWT validation on every request

Data subject rights (Art 15–22)

APIs for DSAR fulfilment, erasure, portability

Dedicated endpoints: GET /data (DSAR), DELETE /account (erasure), GET /data.json (portability)

NHS FHIR R4 — REST API for HealthTech

Resource-based: FHIR resources (Patient, Observation, Appointment, MedicationRequest) are REST resources — GET /Patient/{id}, POST /Appointment.

UK Core profiles: NHS England's UK Core constrains FHIR R4 for UK use — specific code systems (SNOMED CT UK, dm+d, ODS codes).

DTAC Domain 4: HealthTech SaaS must provide a FHIR Capability Statement (/metadata endpoint) as interoperability evidence.

GraphQL is not NHS FHIR: attempting to implement NHS APIs with GraphQL instead of FHIR R4 REST fails DTAC Domain 4 requirements.

FHIR R4 (Fast Healthcare Interoperability Resources) is an NHS-mandated REST API standard for health data exchange. Key principles:

When GraphQL Is Genuinely the Right Choice

Dashboard with many data sources: a single GraphQL query can fetch data from multiple resolvers in one network round-trip — reduces dashboard load time.

Mobile applications with bandwidth constraints: request only the fields needed for the current view — reduces payload size.

Rapid product iteration: add new fields to schema without creating new endpoints — frontend teams move faster.

B2B developer portals: GitHub, Shopify, and Atlassian all use GraphQL for their developer APIs — complex, nested relationship data.

GraphQL solves the over-fetching and under-fetching problems of REST for complex frontend applications. Genuine GraphQL use cases:

Frequently Asked Questions

Common questions about graphql vs rest api — uk developer guide 2025.

FCA does not mandate REST specifically — it requires APIs to be secure, well-documented, and compliant with COBS disclosure requirements. In practice: Open Banking (PSD2 mandate) requires OBIE-standard REST APIs. FCA Consumer Duty requires that product information is accessible — OpenAPI-documented REST APIs satisfy this. ClickMasters recommends REST + OpenAPI 3.0 for all FCA-regulated external APIs — it is the industry standard and simplest path through FCA technical review.

No — NHS FHIR R4 requires REST APIs conforming to the FHIR R4 specification. FHIR is a REST standard — GraphQL cannot substitute for FHIR endpoints. If your HealthTech application needs DTAC Domain 4 interoperability, you need FHIR R4 REST APIs. You can use GraphQL for your own internal data layer, but the NHS-facing interface must be FHIR R4 REST.

About the Author

James Whitmore, CTO UK API architecture specialist ClickMasters designs REST + OpenAPI 3.0 APIs for all UK external integrations as standard practice.

Free API Architecture Review ClickMasters will...

Free API Architecture Review ClickMasters will review your API architecture and confirm the right approach for your UK compliance requirements. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation