diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index 379d69b..94a4192 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -1,14 +1,20 @@
 class GraphqlController < ApplicationController
+  GRAPHQL_TIMEOUT = 10
+
   before_action :authenticate
 
   def execute
     query_string = params[:query].to_s
     variables = ensure_hash(params[:variables])
-    context = {
-      user: @user
-    }
+    context = { user: @user }
+
+    result = Graph.query(
+      query_string,
+      variables: variables,
+      context: context,
+      timeout: GRAPHQL_TIMEOUT
+    )
 
-    result = Graph::Schema.execute(query_string, variables: variables, context: context)
     render json: result
   end
 
diff --git a/app/models/graph.rb b/app/models/graph.rb
index c8cb6d8..2486606 100644
--- a/app/models/graph.rb
+++ b/app/models/graph.rb
@@ -1,5 +1,13 @@
+require 'timeout'
+
 module Graph
   class << self
+    def query(query_string, variables: {}, context: {}, timeout: nil)
+      Timeout.timeout(timeout) do
+        Graph::Schema.execute(query_string, variables: variables, context: context)
+      end
+    end
+
     def find_by_id_field(type, model)
       GraphQL::Field.define do
         type type