diff --git a/src/Plugin/GraphQL/DataProducer/Entity/CreateEntity.php b/src/Plugin/GraphQL/DataProducer/Entity/CreateEntity.php
new file mode 100644
index 000000000..7fadf097e
--- /dev/null
+++ b/src/Plugin/GraphQL/DataProducer/Entity/CreateEntity.php
@@ -0,0 +1,115 @@
+<?php
+
+namespace Drupal\graphql\Plugin\GraphQL\DataProducer\Entity;
+
+use Drupal\Core\Access\AccessResultReasonInterface;
+use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
+use Drupal\graphql\Plugin\GraphQL\DataProducer\DataProducerPluginBase;
+use Drupal\graphql\Plugin\GraphQL\DataProducer\EntityValidationTrait;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+
+/**
+ * Creates an entity.
+ *
+ * @DataProducer(
+ *   id = "create_entity",
+ *   name = @Translation("Create Entity"),
+ *   produces = @ContextDefinition("entity",
+ *     label = @Translation("Entity")
+ *   ),
+ *   consumes = {
+ *     "entity_type" = @ContextDefinition("string",
+ *       label = @Translation("Entity Type"),
+ *       required = TRUE
+ *     ),
+ *     "values" = @ContextDefinition("any",
+ *       label = @Translation("Field values for creating the entity"),
+ *       required = TRUE
+ *     ),
+ *     "entity_return_key" = @ContextDefinition("string",
+ *       label = @Translation("Key name in the returned array where the entity
+ *   will be placed"), required = TRUE
+ *     ),
+ *     "save" = @ContextDefinition("boolean",
+ *       label = @Translation("Save entity"),
+ *       required = FALSE,
+ *       default_value = TRUE,
+ *     ),
+ *   }
+ * )
+ */
+class CreateEntity extends DataProducerPluginBase implements ContainerFactoryPluginInterface {
+
+  use EntityValidationTrait;
+
+  /**
+   * The entity type manager.
+   *
+   * @var \Drupal\Core\Entity\EntityTypeManager
+   */
+  protected $entityTypeManager;
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
+    $instance = new static($configuration, $plugin_id, $plugin_definition);
+    $instance->entityTypeManager = $container->get('entity_type.manager');
+    return $instance;
+  }
+
+  /**
+   * Resolve the values for this producer.
+   */
+  public function resolve(string $entity_type, array $values, string $entity_return_key, ?bool $save, $context) {
+    $storage = $this->entityTypeManager->getStorage($entity_type);
+    $accessHandler = $this->entityTypeManager->getAccessControlHandler($entity_type);
+
+    // Infer the bundle type from the response and return an error if the entity
+    // type expects one, but one is not present.
+    $entity_type = $this->entityTypeManager->getDefinition($entity_type);
+    $bundle = $entity_type->getKey('bundle') && !empty($values[$entity_type->getKey('bundle')]) ? $values[$entity_type->getKey('bundle')] : NULL;
+    if ($entity_type->getKey('bundle') && !$bundle) {
+      return [
+        'errors' => [$this->t('Entity type being created requires a bundle, but none was present.')],
+      ];
+    };
+
+    // Ensure the user has access to create this kind of entity.
+    $access = $accessHandler->createAccess($bundle, NULL, [], TRUE);
+    $context->addCacheableDependency($access);
+    if (!$access->isAllowed()) {
+      return [
+        'errors' => [$access instanceof AccessResultReasonInterface && $access->getReason() ? $access->getReason() : $this->t('Access was forbidden.')],
+      ];
+    }
+
+    $entity = $storage->create($values);
+
+    // Core does not have a concept of create access for fields, so edit access
+    // is used instead. This is consistent with how other Drupal APIs handle
+    // field based create access.
+    $field_access_errors = [];
+    foreach ($values as $field_name => $value) {
+      $create_access = $entity->get($field_name)->access('edit', NULL, TRUE);
+      if (!$create_access->isALlowed()) {
+        $field_access_errors[] = sprintf('%s: %s', $field_name, $create_access instanceof AccessResultReasonInterface ? $create_access->getReason() : $this->t('Access was forbidden.'));
+      }
+    }
+    if (!empty($field_access_errors)) {
+      return ['errors' => $field_access_errors];
+    }
+
+    if ($violation_messages = $this->getViolationMessages($entity)) {
+      return ['errors' => $violation_messages];
+    }
+
+    if ($save) {
+      $entity->save();
+    }
+    return [
+      $entity_return_key => $entity,
+    ];
+  }
+
+}
diff --git a/src/Plugin/GraphQL/DataProducer/Entity/DeleteEntity.php b/src/Plugin/GraphQL/DataProducer/Entity/DeleteEntity.php
new file mode 100644
index 000000000..7637af093
--- /dev/null
+++ b/src/Plugin/GraphQL/DataProducer/Entity/DeleteEntity.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace Drupal\graphql\Plugin\GraphQL\DataProducer\Entity;
+
+use Drupal\Core\Access\AccessResultReasonInterface;
+use Drupal\Core\Entity\ContentEntityInterface;
+use Drupal\graphql\Plugin\GraphQL\DataProducer\DataProducerPluginBase;
+
+/**
+ * Deletes an entity.
+ *
+ * @DataProducer(
+ *   id = "delete_entity",
+ *   name = @Translation("Delete Entity"),
+ *   produces = @ContextDefinition("entities",
+ *     label = @Translation("Entities")
+ *   ),
+ *   consumes = {
+ *     "entity" = @ContextDefinition("entity",
+ *       label = @Translation("Entity")
+ *     ),
+ *   }
+ * )
+ */
+class DeleteEntity extends DataProducerPluginBase {
+
+  /**
+   * Resolve the values for this producer.
+   */
+  public function resolve(ContentEntityInterface $entity, $context) {
+    $access = $entity->access('delete', NULL, TRUE);
+    $context->addCacheableDependency($access);
+    if (!$access->isAllowed()) {
+      return [
+        'was_successful' => FALSE,
+        'errors' => [$access instanceof AccessResultReasonInterface ? $access->getReason() : 'Access was forbidden.'],
+      ];
+    }
+
+    $entity->delete();
+    return [
+      'was_successful' => TRUE,
+    ];
+  }
+
+}
diff --git a/src/Plugin/GraphQL/DataProducer/Entity/UpdateEntity.php b/src/Plugin/GraphQL/DataProducer/Entity/UpdateEntity.php
new file mode 100644
index 000000000..722f1a9f2
--- /dev/null
+++ b/src/Plugin/GraphQL/DataProducer/Entity/UpdateEntity.php
@@ -0,0 +1,81 @@
+<?php
+
+namespace Drupal\graphql\Plugin\GraphQL\DataProducer\Entity;
+
+use Drupal\Core\Access\AccessResultReasonInterface;
+use Drupal\Core\Entity\ContentEntityInterface;
+use Drupal\graphql\Plugin\GraphQL\DataProducer\DataProducerPluginBase;
+use Drupal\graphql\Plugin\GraphQL\DataProducer\EntityValidationTrait;
+
+/**
+ * Updates entity values.
+ *
+ * @DataProducer(
+ *   id = "update_entity",
+ *   name = @Translation("Update Entity"),
+ *   produces = @ContextDefinition("entities",
+ *     label = @Translation("Entities")
+ *   ),
+ *   consumes = {
+ *     "entity" = @ContextDefinition("entity",
+ *       label = @Translation("Entity")
+ *     ),
+ *     "values" = @ContextDefinition("any",
+ *       label = @Translation("Field values for creating the entity"),
+ *       required = TRUE
+ *     ),
+ *     "entity_return_key" = @ContextDefinition("string",
+ *       label = @Translation("Key name in the returned array where the entity will be placed"),
+ *       required = TRUE
+ *     ),
+ *   }
+ * )
+ */
+class UpdateEntity extends DataProducerPluginBase {
+
+  use EntityValidationTrait;
+
+  /**
+   * Resolve the values for this producer.
+   */
+  public function resolve(ContentEntityInterface $entity, array $values, string $entity_return_key, $context) {
+    // Ensure the user has access to perform an update.
+    $access = $entity->access('update', NULL, TRUE);
+    $context->addCacheableDependency($access);
+    if (!$access->isAllowed()) {
+      return [
+        'errors' => [$access instanceof AccessResultReasonInterface ? $access->getReason() : 'Access was forbidden.'],
+      ];
+    }
+
+    // Filter out keys the user does not have access to update, this may include
+    // things such as the owner of the entity or the ID of the entity.
+    $update_fields = array_filter($values, function (string $field_name) use ($entity, $context) {
+      if (!$entity->hasField($field_name)) {
+        throw new \Exception("Could not update '$field_name' field, since it does not exist on the given entity.");
+      }
+      $access = $entity->{$field_name}->access('edit', NULL, TRUE);
+      $context->addCacheableDependency($access);
+      return $access->isAllowed();
+    }, ARRAY_FILTER_USE_KEY);
+
+    // Hydrate the entity with the values.
+    foreach ($update_fields as $field_name => $field_value) {
+      $entity->set($field_name, $field_value);
+    }
+
+    if ($violation_messages = $this->getViolationMessages($entity)) {
+      return [
+        'errors' => $violation_messages,
+      ];
+    }
+
+    // Once access has been granted, the save can be committed and the entity
+    // can be returned to the client.
+    $entity->save();
+    return [
+      $entity_return_key => $entity,
+    ];
+  }
+
+}
diff --git a/src/Plugin/GraphQL/DataProducer/EntityValidationTrait.php b/src/Plugin/GraphQL/DataProducer/EntityValidationTrait.php
new file mode 100644
index 000000000..0506b8890
--- /dev/null
+++ b/src/Plugin/GraphQL/DataProducer/EntityValidationTrait.php
@@ -0,0 +1,44 @@
+<?php
+
+namespace Drupal\graphql\Plugin\GraphQL\DataProducer;
+
+use Drupal\Core\Entity\ContentEntityInterface;
+
+/**
+ * Trait for entity validation.
+ *
+ * Ensure the entity passes validation, any violations will be reported back
+ * to the client. Validation will catch issues like invalid referenced entities,
+ * incorrect text formats, required fields etc. Additional validation of input
+ * should not be put here, but instead should be built into the entity
+ * validation system, so the same constraints are applied in the Drupal admin.
+ */
+trait EntityValidationTrait {
+
+  /**
+   * Get violation messages from an entity.
+   *
+   * @param \Drupal\Core\Entity\ContentEntityInterface $entity
+   *   An entity to validate.
+   *
+   * @return array
+   *   Get a list of violations.
+   */
+  public function getViolationMessages(ContentEntityInterface $entity): array {
+    $violations = $entity->validate();
+
+    // Remove violations of inaccessible fields as they cannot stem from our
+    // changes.
+    $violations->filterByFieldAccess();
+
+    if ($violations->count() > 0) {
+      $violation_messages = [];
+      foreach ($violations as $violation) {
+        $violation_messages[] = sprintf('%s: %s', $violation->getPropertyPath(), strip_tags($violation->getMessage()));
+      }
+      return $violation_messages;
+    }
+    return [];
+  }
+
+}
diff --git a/tests/src/Kernel/DataProducer/Entity/CreateEntityTest.php b/tests/src/Kernel/DataProducer/Entity/CreateEntityTest.php
new file mode 100644
index 000000000..1763e52fb
--- /dev/null
+++ b/tests/src/Kernel/DataProducer/Entity/CreateEntityTest.php
@@ -0,0 +1,120 @@
+<?php
+
+namespace Drupal\Tests\graphql\Kernel\DataProducer\Entity;
+
+use Drupal\node\Entity\NodeType;
+use Drupal\Tests\graphql\Kernel\GraphQLTestBase;
+use Drupal\Tests\graphql\Traits\DataProducerExecutionTrait;
+use Drupal\Tests\user\Traits\UserCreationTrait;
+
+/**
+ * Test the CreateEntity producer.
+ *
+ * @group graphql
+ */
+class CreateEntityTest extends GraphQLTestBase {
+
+  use DataProducerExecutionTrait;
+  use UserCreationTrait;
+
+  /**
+   * The plugin ID.
+   *
+   * @var string
+   */
+  protected $pluginId = 'create_entity';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp(): void {
+    parent::setUp();
+
+    $content_type = NodeType::create([
+      'type' => 'lorem',
+      'name' => 'ipsum',
+    ]);
+    $content_type->save();
+  }
+
+  /**
+   * Test creating entities.
+   */
+  public function testCreateEntity() {
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity_type' => 'node',
+      'values' => [
+        'type' => 'lorem',
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertSame('Access was forbidden.', (string) $result['errors'][0]);
+
+    $this->setCurrentUser($this->createUser(['bypass node access', 'access content']));
+
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity_type' => 'node',
+      'values' => [
+        'type' => 'lorem'
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertSame([
+      'title: This value should not be null.',
+    ], $result['errors']);
+
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity_type' => 'node',
+      'save' => TRUE,
+      'values' => [
+        'type' => 'lorem',
+        'title' => 'bar',
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertEquals('bar', $result['foo']->label());
+    $this->assertFalse($result['foo']->isNew());
+
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity_type' => 'node',
+      'save' => FALSE,
+      'values' => [
+        'type' => 'lorem',
+        'title' => 'bar',
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertEquals('bar', $result['foo']->label());
+    $this->assertTrue($result['foo']->isNew());
+  }
+
+  /**
+   * Test field access when creating entities.
+   */
+  public function testCreateEntityFieldAccess() {
+    $this->setCurrentUser($this->createUser(['bypass node access', 'access content']));
+
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity_type' => 'node',
+      'values' => [
+        'type' => 'lorem',
+        'nid' => 123,
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertSame('nid: The entity ID cannot be changed.', (string) $result['errors'][0]);
+  }
+
+  /**
+   * Test creating an entity with a missing bundle.
+   */
+  public function testCreateEntityMissingBundle() {
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity_type' => 'node',
+      'values' => [],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertSame('Entity type being created requried a bundle, but none was present.', (string) $result['errors'][0]);
+  }
+
+}
diff --git a/tests/src/Kernel/DataProducer/Entity/DeleteEntityTest.php b/tests/src/Kernel/DataProducer/Entity/DeleteEntityTest.php
new file mode 100644
index 000000000..86358c566
--- /dev/null
+++ b/tests/src/Kernel/DataProducer/Entity/DeleteEntityTest.php
@@ -0,0 +1,59 @@
+<?php
+
+namespace Drupal\Tests\graphql\Kernel\DataProducer\Entity;
+
+use Drupal\node\Entity\Node;
+use Drupal\node\Entity\NodeType;
+use Drupal\Tests\graphql\Kernel\GraphQLTestBase;
+use Drupal\Tests\graphql\Traits\DataProducerExecutionTrait;
+use Drupal\Tests\user\Traits\UserCreationTrait;
+
+/**
+ * Test the DeleteEntity producer.
+ *
+ * @group graphql
+ */
+class DeleteEntityTest extends GraphQLTestBase {
+
+  use DataProducerExecutionTrait;
+  use UserCreationTrait;
+
+  /**
+   * The plugin ID.
+   *
+   * @var string
+   */
+  protected $pluginId = 'delete_entity';
+
+  /**
+   * Test deleting entities.
+   */
+  public function testDeleteEntity() {
+    $content_type = NodeType::create([
+      'type' => 'lorem',
+      'name' => 'ipsum',
+    ]);
+    $content_type->save();
+
+    $node = Node::create([
+      'type' => 'lorem',
+      'title' => 'foo',
+    ]);
+    $node->save();
+
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity' => $node,
+    ]);
+    $this->assertSame("The 'delete any lorem content' permission is required.", $result['errors'][0]);
+
+    $account = $this->createUser(['bypass node access']);
+    $this->setCurrentUser($account);
+
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity' => $node,
+    ]);
+    $this->assertTrue($result['was_successful']);
+    $this->assertNull(Node::load($node->id()));
+  }
+
+}
diff --git a/tests/src/Kernel/DataProducer/Entity/UpdateEntityTest.php b/tests/src/Kernel/DataProducer/Entity/UpdateEntityTest.php
new file mode 100644
index 000000000..48134a690
--- /dev/null
+++ b/tests/src/Kernel/DataProducer/Entity/UpdateEntityTest.php
@@ -0,0 +1,119 @@
+<?php
+
+namespace Drupal\Tests\graphql\Kernel\DataProducer\Entity;
+
+use Drupal\node\Entity\Node;
+use Drupal\node\Entity\NodeType;
+use Drupal\Tests\graphql\Kernel\GraphQLTestBase;
+use Drupal\Tests\graphql\Traits\DataProducerExecutionTrait;
+use Drupal\Tests\user\Traits\UserCreationTrait;
+
+/**
+ * Test the UpdateEntity producer.
+ *
+ * @group graphql
+ */
+class UpdateEntityTest extends GraphQLTestBase {
+
+  use DataProducerExecutionTrait;
+  use UserCreationTrait;
+
+  /**
+   * The plugin ID.
+   *
+   * @var string
+   */
+  protected $pluginId = 'update_entity';
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp(): void {
+    parent::setUp();
+
+    $content_type = NodeType::create([
+      'type' => 'lorem',
+      'name' => 'ipsum',
+    ]);
+    $content_type->save();
+  }
+
+  /**
+   * Test updating an entity.
+   */
+  public function testUpdateEntity() {
+    $entity = Node::create([
+      'type' => 'lorem',
+      'title' => 'foo',
+      'uuid' => 'adf834bd-9e70-4c2a-bf8a-3ef2382e1d78',
+    ]);
+    $entity->save();
+
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity' => $entity,
+      'values' => [
+        'title' => 'bar',
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertSame("The 'edit any lorem content' permission is required.", $result['errors'][0]);
+
+    $this->setCurrentUser($this->createUser(['bypass node access', 'access content']));
+
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity' => $entity,
+      'values' => [
+        'type' => 'something_wacky',
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertSame('type.0.target_id: The referenced entity (node_type: something_wacky) does not exist.', $result['errors'][0]);
+
+    // Reload the article, since the data producer hydrates the passed in entity
+    // with values, but does not reset them.
+    $entity = Node::load($entity->id());
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity' => $entity,
+      'values' => [
+        'title' => 'bar',
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertEquals('bar', $result['foo']->label());
+
+    // Fields which do not pass field-access checks are filtered out.
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity' => $entity,
+      'values' => [
+        'uuid' => '1c41245d-d173-4861-8524-8dd50ef7668d',
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertArrayNotHasKey('errors', $result);
+    $this->assertEquals('adf834bd-9e70-4c2a-bf8a-3ef2382e1d78', $result['foo']->uuid());
+  }
+
+  /**
+   * Test updating an entity with an invalid field.
+   */
+  public function testUpdateEntityInvalidField() {
+    $entity = Node::create([
+      'type' => 'lorem',
+      'title' => 'foo',
+      'uuid' => 'adf834bd-9e70-4c2a-bf8a-3ef2382e1d78',
+    ]);
+    $entity->save();
+    $this->setCurrentUser($this->createUser(['bypass node access', 'access content']));
+
+    $this->expectExceptionMessage("Could not update 'not_a_real_field' field, since it does not exist on the given entity.");
+    $result = $this->executeDataProducer($this->pluginId, [
+      'entity' => $entity,
+      'values' => [
+        'not_a_real_field' => 'bar',
+      ],
+      'entity_return_key' => 'foo',
+    ]);
+    $this->assertSame("The 'edit any lorem content' permission is required.", $result['errors'][0]);
+  }
+
+}