gRPC uses Protocol Buffers (binary) over HTTP/2; REST uses JSON over HTTP/1.1 or HTTP/2
gRPC supports four streaming patterns natively; REST needs workarounds like WebSockets
gRPC is 2-5x faster for frequent small-payload calls; REST is baseline
gRPC requires code-generated clients; REST works with any HTTP client
Biggest mistake: using gRPC for public APIs without a REST gateway
✦ Definition~90s read
What is gRPC vs REST?
gRPC and REST are two fundamentally different approaches to building APIs, and the choice between them directly impacts memory management in production systems. gRPC, developed by Google, uses HTTP/2 multiplexed streams and Protocol Buffers (protobuf) for binary serialization, enabling bidirectional streaming and low-latency communication. REST, the dominant architectural style for web APIs, relies on HTTP/1.1 or HTTP/2 with text-based formats like JSON, operating on a strict request-response model.
★
REST uses HTTP and JSON — the universal language of the web.
The critical difference for memory is that gRPC streams are long-lived, stateful connections where the server must buffer entire protobuf messages in memory before deserialization — if a client sends an unbounded stream of large messages, the server's memory grows linearly until it hits an OutOfMemory (OOM) error. REST, by contrast, processes each request independently, so memory pressure is bounded by concurrent requests, not stream duration.
In practice, gRPC's streaming capability is a double-edged sword. It excels for real-time data pipelines, IoT telemetry, or chat systems where you need persistent, low-latency bidirectional communication — think Netflix's API gateway or CoreOS's etcd.
But for the vast majority of CRUD APIs, REST wins because it's simpler to debug, cache, and load-balance. REST's stateless nature means you can horizontally scale with a simple round-robin load balancer, while gRPC's long-lived streams require sticky sessions or application-layer reconnection logic.
The tooling ecosystem also heavily favors REST: every browser, curl, and Postman can test a REST API, but gRPC requires specialized clients like grpcurl or BloomRPC, and you can't inspect gRPC traffic with standard HTTP debugging tools like Wireshark without protobuf descriptors.
The memory risk with gRPC streams is not theoretical — it's a common production incident. When a gRPC server receives a stream, it must allocate a buffer for each incoming message before it can start processing. If a client sends messages faster than the server can consume them, or if messages are large (e.g., 10MB protobuf blobs), the server's heap grows unboundedly.
REST avoids this entirely because each request has a fixed size limit (configurable via nginx or API gateway), and the server can reject oversized payloads with a 413 Payload Too Large before allocating memory. For most teams, the pragmatic choice is to use REST for standard APIs and reserve gRPC for the specific use cases that genuinely need streaming — and when you do use gRPC, always enforce per-stream memory limits and backpressure via flow control, or you will hit OOM in production.
Plain-English First
REST uses HTTP and JSON — the universal language of the web. Any browser, curl command, or HTTP client speaks it natively. gRPC uses Protocol Buffers and HTTP/2 — a binary format that's faster and more efficient but requires a code-generated client. REST is the front door everyone can use. gRPC is the dedicated freight entrance for services that need to move a lot of data fast.
I've built and maintained both REST and gRPC APIs in production. The decision is rarely about technical superiority — both work. It's about the consumers and their requirements. External API consumed by customers? REST. Internal microservice-to-microservice communication that processes 50,000 RPCs per second? gRPC. The mistake I see is teams defaulting to one or the other without asking 'who is consuming this and what do they need?'
In 2022, we migrated an internal order-processing service from REST to gRPC. The service handled inter-service communication between six microservices, averaging 30,000 requests per minute. After migration: 40% reduction in serialisation overhead, 60% reduction in request latency at P99. The consumer apps stayed on REST. The internal fabric went gRPC. Both in production, each doing what it's good at.
Why gRPC Streams Are Not REST — And Why That Matters for Memory
gRPC and REST are both client-server communication protocols, but they differ fundamentally in data model and transport. REST uses HTTP/1.1 or HTTP/2 with request-response semantics, typically exchanging JSON or XML payloads. gRPC uses HTTP/2 exclusively and Protocol Buffers (protobuf) for serialization, enabling bidirectional streaming — a single gRPC call can carry an unbounded sequence of messages over one connection. This streaming capability is the core mechanic that distinguishes gRPC from REST: REST treats each request as an atomic unit; gRPC treats a stream as a logical conversation.
In practice, gRPC's streaming model means the server can push data to the client without polling, and the client can send a stream of requests without waiting for individual responses. However, the protobuf deserialization on the receiving end is not inherently bounded — if the sender writes messages faster than the receiver reads them, the receiver's buffer grows until memory is exhausted. REST, by contrast, forces a one-to-one mapping between request and response, so backpressure is implicit: the client must wait for each response before sending the next request. gRPC's streaming removes that natural throttle, shifting the burden of flow control to the application.
Use gRPC when you need low-latency, high-throughput streaming (e.g., real-time feeds, event sourcing, or microservice-to-microservice communication). Avoid it for simple CRUD or browser-facing APIs where REST's request-response model and built-in backpressure are safer. The critical insight: gRPC's performance advantage comes with a memory safety cost that REST does not impose. Teams that adopt gRPC without implementing application-level flow control risk production OOMs.
Unbounded Buffers Are the Default
gRPC's Java client uses an unbounded buffer by default for inbound messages — if the server streams faster than the client consumes, you get an OOM, not a graceful rejection.
Production Insight
A team migrated a real-time analytics pipeline from REST to gRPC for lower latency. Within hours, the Java client pods crashed with OutOfMemoryError because the server pushed events at 10k msg/s while the consumer processed at 2k msg/s — the gRPC stream buffer grew without limit.
Exact symptom: java.lang.OutOfMemoryError: Java heap space with stack trace pointing to io.grpc.internal.MessageDeframer.deliver — the deframer holds all unprocessed messages in memory.
Rule of thumb: Always set a maximum inbound message size (e.g., 4 MB) and implement client-side flow control via FlowControlHandler or manual request(1) calls — never rely on the default unbounded buffer.
Key Takeaway
gRPC streams are unbounded by default — the receiver must enforce backpressure or risk OOM.
REST's request-response model provides implicit backpressure; gRPC removes it, making flow control the application's responsibility.
Use gRPC for streaming workloads, but always cap inbound message size and implement manual flow control in production.
thecodeforge.io
gRPC vs REST: Stream Buffers & OOM Risks
Grpc Vs Rest
Protocol and Serialisation: Where the Performance Difference Comes From
REST typically sends JSON over HTTP/1.1. JSON is text — human readable, but verbose. Every field name is repeated as a string in every message. HTTP/1.1 opens a new TCP connection per request (or reuses one with keep-alive, but still has head-of-line blocking).
gRPC uses Protocol Buffers (protobuf) over HTTP/2. Protobuf is binary — fields are identified by integer tags, not string names. The same data that takes 200 bytes as JSON might take 40 bytes as protobuf. HTTP/2 multiplexes multiple requests over a single TCP connection and supports full-duplex streaming.
The performance difference is real but often overstated in benchmarks that don't reflect production conditions. The 3-5x latency improvement cited for gRPC over REST usually holds for high-frequency, small-payload inter-service calls. For large payloads or infrequent calls, the difference shrinks.
json serialisation overhead becomes a real cost above ~10k req/min.
protobuf encoding is not just smaller — it avoids the string parsing that spikes CPU.
observe the p99 latency shift when switching from Jackson to protobuf in your call chain.
Key Takeaway
protobuf beats json on wire size and parsing speed.
the difference matters most at scale.
never benchmark without realistic payload sizes and concurrency patterns.
Serialisation Choice
IfPayloads under 1KB, high frequency (>100 req/s)
→
UsegRPC/protobuf gives 3-5x latency improvement
IfPayloads over 100KB, low frequency
→
UseREST/JSON is fine — protobuf encoding cost offsets size advantage
REST: Why It Still Wins for Most APIs
REST's dominance for public and external APIs isn't about technical merit — it's about ubiquity. Every HTTP client in every language speaks REST. Browsers speak REST natively. curl speaks REST. Postman speaks REST. Your customers' mobile app developers know REST. Your partners' integration teams know REST.
gRPC requires a generated client from the .proto definition. Your API consumers need to run protoc, add gRPC dependencies, and handle the generated code. For internal services under your control, this is a minor inconvenience. For external API consumers who might be using PHP, Ruby, or a legacy Java stack, it's a barrier.
REST also wins on tooling maturity: API gateways, load balancers, proxies, observability tools, and browsers all understand HTTP/JSON natively. gRPC on HTTP/2 requires specific support at every layer.
A common production pattern: REST-facing API gateway that external consumers call, internally routing to gRPC microservices. The gateway translates HTTP/JSON to protobuf. External consumers get REST ergonomics. Internal services get gRPC performance. Tools like gRPC-Gateway or Envoy proxy make this straightforward. We run this exact architecture on a payments platform handling £2M daily volume.
Production Insight
forcing gRPC on external partners often results in abandonment or custom wrappers.
the cost of supporting protobuf clients for every consumer outweighs performance gains.
if you must expose gRPC externally, provide a REST proxy as a fallback.
Key Takeaway
REST wins on ecosystem penetration.
your api's success depends on consumers’ ability to consume it.
ubiquity trumps raw speed for public interfaces.
Streaming: The Capability REST Can't Match
gRPC's streaming support is its genuinely unique capability. REST over HTTP/1.1 is inherently request-response. Long polling, WebSockets, and Server-Sent Events are REST workarounds for streaming — they work but they're not native to the protocol.
gRPC has four communication patterns built into the protocol:
Unary: one request, one response. Same as REST.
Server streaming: one request, stream of responses. Useful for: real-time notifications, progress updates, large dataset pagination without polling.
Client streaming: stream of requests, one response. Useful for: bulk ingestion, file upload with progress tracking.
Bidirectional streaming: both sides stream simultaneously. Useful for: real-time chat, collaborative editing, live dashboards.
If your use case involves any of these patterns, gRPC's native streaming is significantly cleaner than working around REST's limitations.
TransactionStreamingService.javaJAVA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
package io.thecodeforge.payment.grpc;
import io.grpc.stub.StreamObserver;
import java.util.List;
publicclassTransactionStreamingServiceImplextendsTransactionServiceGrpc.TransactionServiceImplBase {
privatefinalTransactionRepository transactionRepo;
publicTransactionStreamingServiceImpl(TransactionRepository repo) {
this.transactionRepo = repo;
}
// Server streaming: client sends one filter, server streams matching transactions// Useful for: exporting large datasets without pagination loops
@OverridepublicvoidstreamTransactions(
TransactionFilter filter,
StreamObserver<Transaction> responseObserver) {
// Fetch and stream — client receives each transaction as it's sent// No need to buffer the entire result set in memory
transactionRepo.findByCustomerIdAndDateRange(
filter.getCustomerId(),
filter.getFromTimestamp(),
filter.getToTimestamp()
).forEach(tx -> {
Transaction proto = Transaction.newBuilder()
.setTransactionId(tx.getId())
.setAmountPence(tx.getAmountPence())
.setCurrency(tx.getCurrency())
.setTimestamp(tx.getTimestamp())
.build();
responseObserver.onNext(proto); // Each transaction sent immediately
});
responseObserver.onCompleted();
}
// Client streaming: client sends batch of payments, server responds once
@OverridepublicStreamObserver<PaymentRequest> batchPayments(
StreamObserver<BatchResult> responseObserver) {
returnnewStreamObserver<>() {
int processed = 0;
int failed = 0;
@OverridepublicvoidonNext(PaymentRequest request) {
// Process each payment as it arrives from clienttry {
processPayment(request);
processed++;
} catch (Exception e) {
failed++;
}
}
@OverridepublicvoidonCompleted() {
// Client done sending — send summary response
responseObserver.onNext(BatchResult.newBuilder()
.setProcessed(processed)
.setFailed(failed)
.build());
responseObserver.onCompleted();
}
@OverridepublicvoidonError(Throwable t) {
// Handle client-side error
}
};
}
}
streaming without backpressure is a memory leak waiting to happen.
always test streaming under realistic concurrency — one slow client can crash the server.
monitor the number of open streams; set a maximum via an interceptor.
Key Takeaway
native streaming is gRPC's killer feature.
rest workarounds are brittle and add operational complexity.
if your data flows in one direction for >1 second, streaming is the right choice.
thecodeforge.io
gRPC Streaming: 4 Patterns
Grpc Vs Rest
Error Handling and Status Codes: Differences That Matter in Production
REST uses HTTP status codes: 200 for success, 400 for bad request, 404 for not found, 500 for server error. These are well-understood but limited. Custom error messages go in the response body and are not standardised across implementations.
gRPC defines a set of status codes in protobuf (like INVALID_ARGUMENT, NOT_FOUND, INTERNAL, UNAVAILABLE) that are standard across all implementations. Every gRPC response includes a status code and an optional error message. Additionally, gRPC supports rich error models through the google.rpc.Status proto, including error details with structured information.
The critical difference is that gRPC's error model is consistent across all client languages — the same status code means the same thing in Java, Go, or Python. REST depends entirely on documentation and convention.
GrpcErrorHandling.javaJAVA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
package io.thecodeforge.payment.grpc;
import io.grpc.Status;
import io.grpc.StatusRuntimeException;
import io.grpc.protobuf.StatusProto;
import com.google.rpc.Code;
import com.google.rpc.RetryInfo;
import com.google.protobuf.Duration;
publicclassGrpcErrorHandling {
// ❌ Wrong: throwing generic Status.INTERNALpublicvoidprocessPaymentBad(String id) {
if (id == null) {
throwStatus.INTERNAL
.withDescription("null customer id")
.asRuntimeException();
}
// This gives no indication to client that it's a client error
}
// ✅ Correct: using the specific status code with rich error detailspublicvoidprocessPaymentGood(String id) {
if (id == null) {
// Build a structured error with retry information
com.google.rpc.Status status = com.google.rpc.Status.newBuilder()
.setCode(Code.INVALID_ARGUMENT.getNumber())
.setMessage("customer id must not be null")
.addDetails(
RetryInfo.newBuilder()
.setRetryDelay(Duration.newBuilder()
.setSeconds(5)
.build())
.build()
)
.build();
throwStatusProto.toStatusRuntimeException(status);
}
}
// Client side: different codes lead to different recoverypublicstaticvoidmain(String[] args) {
try {
// call grpc service
} catch (StatusRuntimeException e) {
switch (e.getStatus().getCode()) {
case INVALID_ARGUMENT:
// Log and stop retrying — bad requestbreak;
caseUNAVAILABLE:
// Retry with backoff — transientbreak;
case DEADLINE_EXCEEDED:
// Increase timeout or check downstreambreak;
}
}
}
}
Output
// Client output for INVALID_ARGUMENT error:
// StatusRuntimeException: INVALID_ARGUMENT: customer id must not be null
// Retry info: retry after 5 seconds
Mistake-Proof Your gRPC Status Codes
INVALID_ARGUMENT: client sent bad data — don't retry.
UNAVAILABLE: server can't serve — retry with backoff.
DEADLINE_EXCEEDED: slow processing — reduce load or increase timeout.
INTERNAL: unexpected server error — log, alert, fix code.
Teach your team this mapping to avoid debugging incidents.
Production Insight
using INTERNAL for everything hides the root cause from clients.
without structured errors, clients cannot differentiate between retryable and fatal.
always map domain errors to the most specific gRPC status code.
Key Takeaway
use specific status codes to let clients react intelligently.
rest forces clients to guess from ad-hoc error bodies.
gRPC's standard codes make distributed error handling a solvable problem.
thecodeforge.io
REST vs gRPC: Error Handling
Grpc Vs Rest
Tooling and Ecosystem: Where REST Still Leads
REST has decades of tooling maturity. Postman, Insomnia, curl, and browser dev tools all understand HTTP/JSON natively. API gateways like Kong, AWS API Gateway, and Nginx handle REST without configuration. Monitoring tools parse HTTP methods, status codes, and response times out of the box. Load balancers distribute REST requests without special setup.
gRPC tooling has improved but still lags. grpcurl and BloomRPC exist, but they're not as popular as Postman. API gateways need explicit HTTP/2 support and gRPC-web translation for browsers. Monitoring gRPC calls requires special instrumentation: you need the service name, method, and status code — not just HTTP metadata. Some tools now support gRPC natively (like gRPC reflection for service discovery), but the gap is real.
If your team is small or you need to onboard junior engineers quickly, the REST toolchain gives everyone a head start. gRPC requires learning protoc, generated stubs, and a new debugging workflow.
debug-tools.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#!/bin/bash
# Debugging tools comparison
# REST: universally available
curl https://api.thecodeforge.io/v1/payments/pay-123 -H 'Accept: application/json'
# gRPC: requires grpcurl and reflection or proto descriptors
grpcurl -plaintext payment-service.internal:50051 list
grpcurl -plaintext payment-service.internal:50051 io.thecodeforge.payment.grpc.PaymentService/ProcessPayment
# REST: easy to inspect in browser devtools
echo "Open Chrome DevTools → Network tab → any request"
# gRPC: need proxy or packet capture
echo "Use tcpdump or grpcurl with -d '{}' to send test calls"
# REST: metrics in every monitoring tool
curl http://prometheus:9090/api/v1/query?query=http_requests_total{handler="/api/v1/payments"}
# gRPC: metrics require custom interceptors (micrometer or prometheus client)
echo "Add gRPC server interceptor: new MetricsServerInterceptor(...)"
debugging a broken gRPC call without grpcurl is like debugging curl without httpie.
always deploy gRPC reflection in non-production environments — it saves hours of guessing.
invest in REST tooling for external debugging; invest in gRPC interceptors for internal observability.
Key Takeaway
rest eco-system is 10 years ahead on debugging and monitoring.
grpc is catching up but requires intentional tooling investment.
choose based on your current team's proficiency and support infrastructure.
The Auth Nightmare: Why gRPC Forces You to Rethink Every Token Strategy
REST hands you auth on a silver platter. JWT in the Authorization header, job done. gRPC rips that away. HTTP/2’s binary framing means your standard middleware that parses headers? It’s blind. You will spend a week debugging why your auth interceptor silently drops requests. The real problem isn’t the protocol — it’s that gRPC interceptor chains are global. You can’t selectively skip auth for health checks without writing a custom matcher that checks the service method name. That’s your life now. Production fix: use TLS client certificates for internal cluster traffic and reserve bearer tokens for external APIs. Or build a dedicated auth service that validates tokens via unary calls and caches the result in a shared Redis. Do not stuff user identity into gRPC metadata — it’s readable, mutable, and you’ll leak credentials into logs. You’ve been warned.
Interceptor runs on every RPC. Health check passes. All others abort with gRPC status code 16 (UNAUTHENTICATED) on invalid token.
Never Do This: Leaking Tokens in Logs
gRPC metadata is not automatically sanitised. If you log the full context in an interceptor, the JWT hits your log aggregator. One compromised Splunk dashboard later, you rotate keys at 3 AM.
Key Takeaway
Treat gRPC auth as a separate service layer, not middleware. Global interceptors will bite you — always exclude health checks explicitly.
Load Balancing gRPC: Round-Robin Will Burn Your Cluster
REST load balancing is brain-dead simple: throw a reverse proxy in front and let it round-robin. gRPC over HTTP/2 makes that strategy a performance trap. HTTP/2 multiplexes multiple streams over a single TCP connection. A naive L7 proxy keeps that connection alive. One backend gets all traffic. You’ve created a hot spot and you don’t even know it. The fix is client-side load balancing with a service mesh like Linkerd or Envoy. gRPC has a built-in balancer that uses the DNS resolver to pick backends per-stream. Or you use a proxy that terminates HTTP/2 and re-establishes connections — that’s Envoy’s game. But here’s the gotcha: with client-side balancing, you need a health-checking protocol that doesn’t rely on the proxy. That means your gRPC client must support subchannel-level connection management. If you’re on Kubernetes, use headless services and the gRPC resolver: dns:///service.namespace.svc.cluster.local:50051. No proxies, no hot spots. Production tested at scale.
GrpcClientBalancer.pyPYTHON
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
// io.thecodeforge — system-design tutorial
import grpc
# Client-side load balancing with DNS and round_robin strategy# Requires headless service in Kubernetes
channel = grpc.insecure_channel(
target="dns:///my-grpc-service.default.svc.cluster.local:50051",
options=[
("grpc.lb_policy_name", "round_robin"), # Spread streams across backends
("grpc.dns_min_time_between_resolutions_ms", 10000), # Re-resolve every 10s
]
)
creds = grpc.ssl_channel_credentials()
secured_channel = grpc.secure_channel(
target="dns:///my-grpc-service.default.svc.cluster.local:50051",
credentials=creds,
options=[
("grpc.lb_policy_name", "pick_first"), # Default — dangerous for perf
]
)
Output
Client resolves DNS every 10 seconds. Round-robin distributes RPCs across all pod IPs. No single-connection bottleneck.
Senior Shortcut: Envoy as a Sidecar
Don’t reinvent the balancer. Drop an Envoy sidecar per pod. It handles HTTP/2 termination, circuit breaking, and retries. Your gRPC clients connect to localhost:50051. The mesh does the hard work.
Key Takeaway
Never proxy gRPC with a L7 balancer that doesn’t understand HTTP/2. Use client-side balancing or a service mesh. Round-robin on connections, not requests.
You'd think protocol buffers and HTTP/2 would make gRPC more secure by default. They don't. The wire format is binary, which means no accidental leaking via curl or browser dev tools, but that's a weak win. The real problem is that gRPC's TLS requirements (HTTP/2 mandates it) lull teams into thinking they're done. You're not.
gRPC's streaming model breaks traditional WAF inspection. Most web application firewalls parse HTTP/1.1 and look for SQL injection or XSS in JSON payloads. A binary proto stream? They see opaque bytes. That means you need proxy-level protocol decoding, or you fly blind. REST with JSON gets scanned by everything from Cloudflare to your nginx box. gRPC forces you to either trust the client implicitly or build custom middleware that deserializes every message before inspection.
The second nightmare is authentication. gRPC's per-RPC metadata headers look like HTTP/2 pseudo-headers but aren't subject to the same origin policies. Your OAuth2 token flow works on paper, but distributed tracing headers, custom metadata, and streaming context can accidentally leak tokens into logs or downstream services. REST's stateless token model is simpler to audit. gRPC's stateful interceptors make you think about token revocation in every service call.
grpc_interceptor_logging.pyPYTHON
1
2
3
4
5
6
7
8
9
10
11
12
13
14
// io.thecodeforge — system-design tutorial
import grpc
from grpc_interceptor importServerInterceptorclassTokenLeakCatcher(ServerInterceptor):
defintercept(self, method, request, context, method_name):
metadata = dict(context.invocation_metadata())
if"authorization"in metadata:
token = metadata["authorization"]
if token.startswith("Bearer "):
# In production: redact before logging
context.set_trailing_metadata(("x-token-hash", hash(token)))
returnmethod(request, context, method_name)
Output
No output — interceptor applied at server init
Production Trap:
Never log raw gRPC metadata in production. A single streaming RPC can leak tokens to 10 microservices before you notice.
Key Takeaway
Binary wire formats ≠ secure. gRPC needs custom security middleware because standard WAFs can't inspect protobuf payloads.
Use Cases: When to Reach for gRPC and When to Run Away
Stop treating gRPC as a REST replacement. It's not. It's a different tool for a specific job: internal, high-throughput, low-latency communication between services you control end-to-end. If you're building a public API, REST wins every time. Your clients aren't going to generate protobuf stubs for a weather endpoint.
Here's where gRPC earns its keep: real-time data pipelines. Think financial ticker feeds, IoT sensor ingestion, multiplayer game state sync. The streaming model lets you push 10,000 events per second with sub-millisecond deserialization. REST would burn your CPU on JSON parsing and connection overhead. Second use case: microservice mesh calls. When Service A needs to call Service B 100,000 times per minute, protobuf's binary encoding cuts bandwidth by 60%, and HTTP/2 multiplexing kills TCP overhead.
Now the hard no: browser-based applications. You can't call gRPC from JavaScript without a proxy like Envoy or gRPC-Web. That's an extra hop, latency, and failure mode. Also skip gRPC for quick CRUD APIs, public-facing endpoints, or teams that can't commit to maintaining .proto files alongside your service definitions. If your deployment pipeline doesn't generate stubs automatically, you'll have version drift within a sprint.
grpc_client_stream.pyPYTHON
1
2
3
4
5
6
7
8
9
10
11
12
13
// io.thecodeforge — system-design tutorial
import grpc
import market_data_pb2_grpc as pb2_grpc
import market_data_pb2 as pb2
channel = grpc.insecure_channel("ticker-service:50051")
stub = pb2_grpc.MarketDataStub(channel)
for tick in stub.StreamTrades(
pb2.TradeFilter(symbol="AAPL", exchange="NASDAQ")
):
print(f"{tick.price} @ {tick.volume} ({tick.timestamp})")
Output
142.30 @ 1200 (1711000000)
142.31 @ 800 (1711000001)
142.28 @ 1500 (1711000002)
Senior Shortcut:
If you can't auto-generate client stubs from your CI pipeline, you're not ready for gRPC. Manual proto syncing is how production incidents start.
Key Takeaway
gRPC for internal, real-time, high-throughput systems. REST for public APIs, browser clients, and anything your ops team needs to debug with curl.
Serialization vs. Strong Typing: The Hidden Contract Cost
gRPC enforces a rigid contract via Protocol Buffers, while REST with JSON is schemaless by default. Strong typing in gRPC catches mismatches at compile time, but every schema change demands code regeneration and coordinated deployments across all clients. REST's flexibility allows partial responses, versioning via headers, and gradual migrations without breaking consumers. The tradeoff: gRPC eliminates runtime parsing errors at the cost of coupling your release cycle. For systems where client and server evolve independently, REST's loose contract reduces coordination overhead. In microservice meshes owned by one team, gRPC's strict typing prevents silent data corruption.
ContractCost.pyPYTHON
1
2
3
4
5
6
7
8
9
10
11
12
13
// io.thecodeforge — system-design tutorial
import json
from google.protobuf import json_format
# REST: optional fields survive silently
rest_payload = '{"name": "Alice"}' # no age field# gRPC: missing required field -> errorfrom person_pb2 importPerson
p = Person()
p.name = "Alice"
p.age = 30# if required in proto, must be set
Output
REST: { name: 'Alice' } (passes)
gRPC: ValueError if required field missing
Production Trap:
Adding a required field to a proto in production breaks all existing clients until they regenerate stubs. Always mark new fields as optional, then enforce after full rollout.
Key Takeaway
gRPC's strong typing trades deployment flexibility for compile-time safety.
Guidelines vs. Rules: Why REST's Convention Is gRPC's Enforcement
REST APIs rely on conventions—status codes, HTTP verbs, naming patterns—that teams must interpret. A 200 could mean success or partial failure, depending on who wrote the docs. gRPC enforces rules at the protocol level: a method either returns a defined message or a fixed status code (like INVALID_ARGUMENT). No ambiguous 200s. This eliminates guesswork in error handling and contract validation. However, enforcement restricts expressiveness: REST can return HTML, XML, or custom headers; gRPC cannot. The result: REST teams spend time aligning conventions; gRPC teams spend time regenerating stubs. For internal services, enforcement wins. For public APIs, conventions allow evolution without schema barbed wire.
VsRules.pyPYTHON
1
2
3
4
5
6
7
8
9
10
11
// io.thecodeforge — system-design tutorial
# REST convention: 2xx success, 4xx client error# But body format is team-defined
response = {"status": "ok", "data": {}}
# gRPC rule: every RPC returns typed response or errorimport grpc
from google.rpc import code_pb2
# No room for interpretation — status is numeric enum
In REST, a 200 with error body passes through load balancers and caches. In gRPC, a non-zero status code breaks the stream immediately.
Key Takeaway
gRPC rules remove ambiguity; REST conventions demand shared team discipline.
● Production incidentPOST-MORTEMseverity: high
gRPC Service Outage Due to Unbounded Stream Buffers
Symptom
gRPC service running on Kubernetes with 4GB heap crashes every 6 hours with OutOfMemoryError. Pods restart, but during restart the downstream services get connection errors.
Assumption
The team assumed gRPC's built-in flow control would prevent memory issues. They thought HTTP/2's stream multiplexing would handle backpressure automatically.
Root cause
The server-side implementation queued all outgoing messages in an in-memory list before calling onNext(). Under high load, the client consumed messages slower than the server produced them. gRPC's flow control paused the stream, but the server continued buffering because the StreamObserver didn't have a feedback mechanism. Heap grew until OOM.
Fix
Replaced the in-memory buffer with a bounded blocking queue. Set a maximum buffer size per stream. Added a direct flow-control check: if queue is full, reject the request with status RESOURCE_EXHAUSTED. Also enabled per-stream memory limits in the gRPC interceptor.
Key lesson
gRPC flow control stops transmission, but it does not stop you from buffering on the server side. Always pair streaming with bounded buffers.
Monitor JVM heap per stream during development — a single misbehaving client can eat all memory.
Use gRPC's FlowControlHandler or custom interceptors to enforce per-stream backpressure.
Production debug guideSymptom→Action guide for common gRPC and REST production failures4 entries
Symptom · 01
gRPC call fails with UNAVAILABLE status
→
Fix
Check if server is reachable: grpcurl -plaintext <host>:<port> list. If unreachable, verify DNS and firewall. If reachable, check the load balancer's HTTP/2 support — some LBs downgrade to HTTP/1.1.
Symptom · 02
REST endpoint returns 502 Bad Gateway
→
Fix
Check upstream service health endpoint. If healthy, look at timeout configuration in the API gateway. Many 502s come from gateway timeout settings mismatched with upstream processing time.
Symptom · 03
gRPC streaming call slowly consumes more memory
→
Fix
Attach heap dump and look for large byte arrays held by netty or gRPC OutboundMessageQueue. Use jmap -heap:format=b and analyze with Eclipse MAT. Look for 'io.grpc.internal.MessageDeframer' instances.
Symptom · 04
REST API response times increase linearly with concurrent requests
→
Fix
Check connection pool exhaustion. Use netstat to see TIME_WAIT connections. Increase max connections or switch to HTTP/2 to multiplex.
★ Quick Debug Cheat Sheet: gRPC & RESTCommands and immediate actions for the most common production issues.
gRPC call returns DEADLINE_EXCEEDED−
Immediate action
Check downstream service latency. Then verify deadline propagation across service chain.
Commands
grpcurl -plaintext -d '{}' <host>:<port> <service>/<method> | head -c 200
Rollback the API to previous version and add proper version negotiation.
gRPC vs REST at a Glance
Aspect
REST
gRPC
Protocol
HTTP/1.1 or HTTP/2
HTTP/2 only
Serialisation
JSON (text)
Protocol Buffers (binary)
Contract
OpenAPI/Swagger (optional)
.proto file (required)
Code generation
Optional
Required (client + server stubs)
Browser support
Native
Requires grpc-web proxy
Streaming
Workarounds (SSE, WebSocket)
Native (4 patterns)
Performance
Baseline
~2-5x faster for frequent calls
Error handling
HTTP status codes + custom body
Standardised status codes + rich error model
Tooling
Universal (Postman, curl, etc.)
Specialised (BloomRPC, grpcurl)
Best for
Public APIs, external consumers
Internal microservices, high-frequency calls
Key takeaways
1
REST over HTTP/JSON for external APIs, public-facing endpoints, and any consumer you don't control
ubiquity and tooling win.
2
gRPC over protobuf/HTTP/2 for internal microservice communication, high-frequency calls, and when streaming is required.
3
gRPC is 2-5x faster for frequent small-payload calls. For large payloads or infrequent calls, the difference is smaller.
4
The .proto file is the source of truth for a gRPC API
it enforces a strict contract, enables code generation in any language, and prevents the schema drift common in JSON APIs.
5
You don't have to choose
REST gateway for external traffic routing to internal gRPC services is a standard production pattern.
Common mistakes to avoid
4 patterns
×
Using gRPC for a public API without a REST/JSON facade
Symptom
External developers cannot easily consume gRPC without generated clients. They complain about setup complexity. Some abandon the API entirely.
Fix
Provide a REST gateway that translates HTTP/JSON to protobuf. Deploy gRPC-Gateway or Envoy in front of the gRPC service. Offer both gRPC and REST endpoints documented side by side.
×
Choosing REST for high-frequency internal service calls because 'it's simpler'
Symptom
At 10,000+ RPCs per minute, CPU usage spikes due to JSON serialisation. P99 latency grows due to HTTP/1.1 connection overhead and head-of-line blocking.
Fix
Migrate to gRPC for internal services that exchange small payloads frequently. Use protobuf for the serialisation improvement and HTTP/2 for multiplexing. The migration effort pays off within weeks at that scale.
×
Not defining .proto contracts upfront for gRPC
Symptom
After a few field modifications, the .proto file no longer matches the actual data structure. Field numbers are reused or changed, causing silent data corruption. Clients break at runtime without obvious errors.
Fix
Treat the .proto file as the single source of truth. Never change field numbers or types after the contract is in use. Use reserved fields for retired fields. Enforce schema validation in CI to detect drift.
A chain of microservices (A→B→C) where only A sets a deadline. B and C have no deadline context, so B waits indefinitely for C. A eventually times out, but B is stuck handling a request that A already gave up on. Cascading timeout storms follow.
Fix
Always propagate the gRPC deadline via the Context. Use Context.current().withDeadlineAfter(...) and pass it to downstream calls. Set a maximum deadline at the edge service. Never create a new Context without inheriting the deadline.
INTERVIEW PREP · PRACTICE MODE
Interview Questions on This Topic
Q01JUNIOR
What are the main differences between gRPC and REST? When would you choo...
Q02SENIOR
Explain how Protocol Buffers differ from JSON and what performance impli...
Q03SENIOR
What are the four communication patterns in gRPC and when would you use ...
Q04SENIOR
You're designing a microservices architecture with 8 internal services a...
Q05SENIOR
What is gRPC-Gateway and why would you use it?
Q01 of 05JUNIOR
What are the main differences between gRPC and REST? When would you choose each?
ANSWER
gRPC uses Protocol Buffers over HTTP/2, supports four streaming patterns, requires code-generated clients, and has standardised status codes. REST uses JSON over HTTP/1.1 (or HTTP/2), is request-response only, works with any HTTP client, and uses HTTP status codes.
Choose gRPC for internal microservice communication, high-throughput scenarios (>10k req/min), and when you need native streaming. Choose REST for public APIs, any consumer you don't control, browser-facing services, or when onboarding simplicity matters more than raw performance.
Q02 of 05SENIOR
Explain how Protocol Buffers differ from JSON and what performance implications that has.
ANSWER
Protocol Buffers are binary — fields are identified by integer tags, not string names. The same data as JSON takes roughly one-third the bytes. Parsing protobuf is a direct binary read, while JSON requires string tokenization and object construction. For frequent small payloads (<1KB), protobuf is 3-5x faster. For infrequent or large payloads, the benefit narrows because parsing time is dominated by I/O. The catch: protobuf requires a schema and code generation, so it adds a dependency and build step.
Q03 of 05SENIOR
What are the four communication patterns in gRPC and when would you use each?
ANSWER
1) Unary: one request, one response — replaces REST endpoints.
2) Server streaming: one request, streamed responses — for real-time notifications, progress updates, pagination without polling.
3) Client streaming: streamed requests, one response — for batch uploads, sensor data ingestion, where client sends multiple items and server responds once.
4) Bidirectional streaming: both sides stream independently — for chat, collaborative editing, real-time dashboards, or any scenario where both sides send data simultaneously.
Use server or bidirectional streaming when latency matters and you want to avoid polling. Use client streaming when you want to process data as it arrives instead of waiting for a complete batch.
Q04 of 05SENIOR
You're designing a microservices architecture with 8 internal services and a public API. How would you decide which services use gRPC vs REST?
ANSWER
Start by identifying service boundaries: internal services that communicate frequently (high request rate, small payloads) are candidates for gRPC. The public API layer should expose REST endpoints for external consumers. Use a gateway (e.g., gRPC-Gateway) to translate REST to internal gRPC calls. Services that stream data or require real-time updates (like a notification service) benefit from gRPC streaming. Services that rarely communicate or have large payloads (like a reporting service) can stay on REST. The decision should be based on request volume, latency requirements, and consumer type — not a blanket choice.
Q05 of 05SENIOR
What is gRPC-Gateway and why would you use it?
ANSWER
gRPC-Gateway is a tool that generates a reverse proxy server from a .proto file. It exposes a RESTful JSON API that translates HTTP requests to gRPC calls. You'd use it when you want to offer both gRPC and REST interfaces to the same backend without writing separate controllers. It's especially useful when you have internal services using gRPC but external clients require REST. The alternative is manual implementation with something like Envoy's gRPC-JSON transcoder.
01
What are the main differences between gRPC and REST? When would you choose each?
JUNIOR
02
Explain how Protocol Buffers differ from JSON and what performance implications that has.
SENIOR
03
What are the four communication patterns in gRPC and when would you use each?
SENIOR
04
You're designing a microservices architecture with 8 internal services and a public API. How would you decide which services use gRPC vs REST?
SENIOR
05
What is gRPC-Gateway and why would you use it?
SENIOR
FAQ · 5 QUESTIONS
Frequently Asked Questions
01
When should I use gRPC instead of REST?
Use gRPC for internal microservice-to-microservice communication where performance matters, when you need native streaming (server push, client streaming, bidirectional), or when strong schema contracts and code generation are important. Use REST for public APIs, external consumers, browser-facing services, or any situation where you can't control client code generation.
Was this helpful?
02
Is gRPC faster than REST?
Yes, typically 2-5x faster for frequent small-payload calls. The advantages come from Protocol Buffers (binary serialisation, smaller payloads than JSON) and HTTP/2 (multiplexing, header compression, no head-of-line blocking). For infrequent calls or large payloads, the performance gap narrows. The difference matters most at high request volumes — 10,000+ RPCs per minute.
Was this helpful?
03
Can gRPC and REST coexist in the same system?
Yes, and this is a common production pattern. A REST/JSON API gateway handles external traffic and translates to internal gRPC calls. External consumers get REST ergonomics and universal tooling. Internal services get gRPC performance and streaming. gRPC-Gateway and Envoy proxy both support this pattern out of the box.
Was this helpful?
04
Does gRPC work in browsers?
Not natively. Browsers cannot make HTTP/2 requests with the required trailers that gRPC uses. The solution is grpc-web, a modified protocol with a JavaScript client library, combined with an Envoy or Nginx proxy that translates grpc-web to grpc on the server side. For browser-facing APIs, REST remains the simpler choice.
Was this helpful?
05
What's the biggest pitfall when implementing gRPC streaming in production?
The biggest pitfall is forgetting backpressure. gRPC's flow control pauses transmission, but it doesn't stop the server from buffering messages in memory. If the client is slow, the server's outbound buffer grows until OOM. Always use bounded queues and set per-stream memory limits. Monitor heap per stream in development. Also be wary of deadlock: if two services use bidirectional streaming and each blocks on the other's response, you get a deadlock. Design for non-blocking processing.