top of page

Web API Endpoints in ASP.NET Core

In today's fast-paced and interconnected digital world, building web applications and services is a common practice for developers and organizations. Whether you're creating a RESTful service to power a mobile app, providing data for a single-page application, or building a full-fledged web API, ASP.NET Core provides a robust framework for building web APIs with ease and efficiency.


In this comprehensive guide, we'll explore the process of creating Web API endpoints using ASP.NET Core. We'll cover the fundamentals of designing, developing, and testing your API to ensure it meets modern industry standards. This guide is designed for developers at all levels, from those just starting their journey into web development to experienced professionals looking to expand their skills in creating powerful and scalable APIs.


What is Web API Endpoints?

In ASP.NET Core, Web API endpoints are a crucial part of building web applications. They are responsible for exposing functionality that can be accessed and utilized by external clients, such as web browsers, mobile applications, or other services, through HTTP requests. Web API endpoints enable you to perform operations like retrieving data, updating records, and executing various tasks within your application.


Web API endpoints in ASP.NET Core are essential for several reasons, making them a fundamental component of modern web applications and services. Here's why we need Web API endpoints in ASP.NET Core:

  1. Data Access and Manipulation: Web API endpoints allow external clients, such as web browsers, mobile apps, and other services, to access and manipulate data within your application. Clients can perform operations like retrieving information, creating records, updating data, and deleting records through these endpoints.

  2. Cross-Platform Compatibility: Web APIs provide a platform-independent way to interact with your application. They use standard HTTP protocols, allowing clients running on various platforms to access your services. This cross-platform compatibility is crucial for reaching a broad audience.

  3. Service Integration: Web API endpoints enable integration with external services, applications, and third-party platforms. This is vital for scenarios like connecting your application to payment gateways, social media platforms, or other web services.

  4. Microservices Architecture: In microservices architectures, different components of an application are separated into smaller, independently deployable services. Web APIs facilitate communication between these microservices, allowing them to work together to provide a complete application.

  5. Mobile Apps: Mobile applications often rely on Web API endpoints to fetch and update data from server databases. APIs provide a mechanism for mobile apps to interact with the server and access real-time information.

  6. Single-Page Applications (SPAs): Single-page applications, built with frameworks like Angular, React, or Vue.js, often use Web API endpoints to fetch data dynamically and update the user interface without requiring full page reloads.

  7. Client-Server Separation: Web APIs promote a clear separation between the client and server. This architectural approach enhances maintainability, scalability, and allows for multiple client types (web, mobile, desktop) to interact with the same backend.

  8. Scaling and Performance: By using Web API endpoints, you can scale and optimize specific parts of your application independently. This is especially important for handling high traffic and ensuring responsiveness.

  9. Security: Web API endpoints can be secured with authentication and authorization mechanisms to ensure that only authorized users or applications can access certain functionality. This is crucial for protecting sensitive data and enforcing access control.

  10. Versioning and Evolution: APIs can be versioned to maintain backward compatibility as your application evolves. This ensures that existing clients can continue to work without disruptions when changes are made to the API.

Implementing Web API Endpoints in ASP.NET Core

Below, you'll find a step-by-step guide that will lead you through the process, ensuring that you have all the knowledge and skills needed to build robust and efficient APIs.


STEP 1: Create a Web Project

1. Open Visual Studio. From the File menu, select New > Project.


2. In the "Create a new project" window:

  • Enter "Web API" in the search box.

  • Select the "ASP.NET Core Web API" template.

  • Click Next.

3. In the "Configure your new project" dialog:

  • Name the project "TodoApi".

  • Click Create.

4. In the "Additional information" dialog:

  • Confirm that the Framework is set to ".NET 7.0" (or a later version).

  • Confirm that the checkbox for "Use controllers (uncheck to use minimal APIs)" is checked.

  • Click Create.

Your ASP.NET Core Web API project is now created.


STEP 2: Test the Project

To run the project without the debugger, press Ctrl+F5.


STEP 3: Add a Model Class

A "model" refers to a C# class or a data structure that represents the data and business entities your API deals with. These models define the structure and properties of the data that can be sent to or received from your API. Models play a crucial role in defining the schema of the data and how it should be processed within your API.


To add a model class:


1. In Solution Explorer:

  • Right-click the project.

  • Select Add > New Folder.

  • Name the folder "Models."

2. Right-click the "Models" folder and select Add > Class.


3. Name the class "TodoItem" and click Add.


4. Replace the template code in "TodoItem.cs" with the following code:

using System;

namespace TodoApi.Models
{
    public class TodoItem
    {
        public long Id { get; set; }
        public string Name { get; set; }
        public bool IsComplete { get; set; }
    }
}

The TodoItem class represents the data structure for your API. It has properties for Id, Name, and IsComplete. You can use this class to manage "Todo" items in your API.


Remember to build your project after making these changes to ensure they take effect.


STEP 4: Add a Database Context

The database context is responsible for managing the database connection, mapping data between the database and the application's model objects, and executing database operations.


Here are the steps to add a Database Context:


1. Open your project in Visual Studio.


2. Add NuGet Packages: From the Tools menu, select NuGet Package Manager > Manage NuGet Packages for Solution.

In the Manage NuGet Packages for Solution window:

  • Select the Browse tab.

  • In the search box, enter "Microsoft.EntityFrameworkCore.InMemory."

  • In the left pane, select Microsoft.EntityFrameworkCore.InMemory.

  • In the right pane, select the Project checkbox, and then select Install.

3. Add the TodoContext Database Context: Right-click the Models folder in your project.

Select Add > Class.

Name the class "TodoContext" and click Add.

Replace the template code in "TodoContext.cs" with the following code:

using Microsoft.EntityFrameworkCore;

namespace TodoApi.Models
{
    public class TodoContext : DbContext
    {
        public TodoContext(DbContextOptions<TodoContext> options)
            : base(options)
        {
        }

        public DbSet<TodoItem> TodoItems { get; set; }
    }
}

The TodoContext class derives from DbContext and represents the database context for your application. It has a DbSet property for TodoItem entities.


Register the Database Context: In ASP.NET Core, services like the database context must be registered with the dependency injection (DI) container. The container provides these services to controllers.

Update your "Program.cs" file with the following code. Note the highlighted changes:

using Microsoft.EntityFrameworkCore;
using TodoApi.Models;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();
builder.Services.AddDbContext<TodoContext>(opt =>
    opt.UseInMemoryDatabase("TodoList"));
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseHttpsRedirection();
app.UseAuthorization();
app.MapControllers();
app.Run();

The added code:

  • Includes the necessary using directives.

  • Registers the TodoContext with Entity Framework to use an in-memory database.

This sets up your database context to work with Entity Framework Core and an in-memory database for your ASP.NET Core Web API project. Remember to replace "TodoItem" and "TodoList" with your actual model and database name as needed for your project.


STEP 5: Scaffold a Controller

Scaffolding a controller refers to an automated code generation process provided by ASP.NET that generates the basic structure of a controller class for your API. This generated controller includes common HTTP methods like GET, POST, PUT, and DELETE, along with associated actions, that allow you to interact with your data models. Scaffolding can save you time and effort in creating these controller classes manually.


Here's how to scaffold a controller for TodoItem Model:


In the Visual Studio: a. Right-click the Controllers folder in your project. b. Select Add > New Scaffolded Item. c. In the "Add Scaffold" dialog, select API Controller with actions, using Entity Framework. d. Click Add.


The generated code will have the following characteristics:

  • The generated class will be marked with the [ApiController] attribute, indicating that the controller responds to web API requests.

  • Dependency Injection (DI) is used to inject the database context (TodoContext) into the controller. The database context is used in each of the CRUD (Create, Read, Update, Delete) methods in the controller.

  • The route template for API controllers does not include [action]. This means the action name (method name) isn't included in the endpoint, and the action's associated method name isn't used in the matching route.


STEP 6: Update the Controller

After generating the controller, update the PostTodoItem create method to use the nameof operator. Here's the updated code for the PostTodoItem method:

[HttpPost]
public async Task<ActionResult<TodoItem>> PostTodoItem(TodoItem todoItem)
{
    _context.TodoItems.Add(todoItem);
    await _context.SaveChangesAsync();

    return CreatedAtAction(nameof(GetTodoItem), new { id = todoItem.Id }, todoItem);
}

The CreatedAtAction method is used here:

  • It returns an HTTP 201 status code if successful. HTTP 201 is the standard response for an HTTP POST method that creates a new resource on the server.

  • It adds a Location header to the response, specifying the URI of the newly created to-do item. This header tells the client where to find the newly created resource.

  • It references the GetTodoItem action to create the Location header's URI. The nameof keyword is used to avoid hard-coding the action name in the CreatedAtAction call.


Test PostTodoItem:

Press Ctrl+F5 to run the application.


In the Swagger browser window, select POST /api/TodoItems, and then select Try it out.


In the Request body input window, update the JSON. For example:

{"name": "walk dog","isComplete": true}

Select Execute.


This will create a new to-do item, and the response should include a Location header with the URI to the newly created resource.


Test the Location Header URI:

In the Swagger browser window, select GET /api/TodoItems/{id}, and then select Try it out.


Enter the ID of the newly created to-do item in the id input box (e.g., 1).


Select Execute.


This will retrieve the to-do item using the GetTodoItem action, and you can verify that the Location header's URI matches the one retrieved in the previous step.


STEP 7: Examine the GET Methods

You have two GET endpoints:

  1. GET /api/todoitems: This endpoint is responsible for retrieving a list of all todo items.

  2. GET /api/todoitems/{id}: This endpoint retrieves a specific todo item by its unique identifier (ID).

The in-memory database used in your application will only persist data as long as the application is running. When the application is stopped and restarted, any data added during a previous session is lost. This is why the first GET request after restarting the application may not return any data. To see data, you need to POST data to the application to populate the database.


Here's how to test the /api/todoitems route using Swagger:


STEP 1: Start the Application: If not already running, press Ctrl+F5 to start the application.


STEP 2: Create a Todo Item: Follow the POST instructions to add a new todo item. You can do this in Swagger by selecting the POST /api/TodoItems endpoint, providing the necessary data, and executing the request. You should receive a 201 response indicating that the todo item was created.


STEP 3: Test the /api/todoitems Route: In Swagger, navigate to the GET /api/todoitems endpoint.


STEP 4: Execute the Request: Click on the "Try it out" button to execute the GET request.


STEP 5: View the Response: The response will display a list of all the todo items that have been created. This list should include the todo item you added in step 2.


The GET /api/todoitems route is used to fetch a collection of todo items, and it should now return the data that you added in the previous step. You can continue to add more todo items, and they will be included in the response when you query this endpoint.


STEP 8: Routing and URL Paths

In your ASP.NET Core Web API, routing and URL paths are defined using attributes and conventions. Let's see how it works:

[Route("api/[controller]")]
[ApiController]
public class TodoItemsController : ControllerBase
  • [Route("api/[controller]")]: This attribute at the controller level sets a base route for all actions within the controller. [controller] is a token that's replaced with the name of the controller class, minus the "Controller" suffix. So, if your controller class is TodoItemsController, the base route becomes "api/TodoItems."

  • [HttpGet("{id}")]: This attribute at the method level specifies the route template for the GetTodoItem method. {id} is a placeholder variable for the unique identifier of the to-do item.

Return Values:

The return types of the GetTodoItems and GetTodoItem methods are ActionResult<T> to allow different HTTP status codes to be returned. JSON serialization is handled automatically.

[HttpGet("{id}")]
public async Task<ActionResult<TodoItem>> GetTodoItem(long id)
{
    // ... code to retrieve the todo item
    if (todoItem == null)
    {
        return NotFound(); // 404 Not Found
    }

    return todoItem; // 200 OK with JSON response
}

ActionResult return types can represent a wide range of HTTP status codes. For example, a 404 status (NotFound) is returned when no item matches the requested ID, and a 200 status (OK) with a JSON response is returned when an item is found.


The PutTodoItem Method:

The PutTodoItem method is used to update a todo item:

[HttpPut("{id}")]
public async Task<IActionResult> PutTodoItem(long id, TodoItem todoItem)
{
    // ... code to update the todo item
    if (id != todoItem.Id)
    {
        return BadRequest(); // 400 Bad Request
    }

    // ... code to save changes
    return NoContent(); // 204 No Content
}
  • [HttpPut("{id}")]: This attribute specifies the route for the PutTodoItem method and expects the id of the todo item in the URL.

  • A PUT request requires the client to send the entire updated entity, not just the changes. If the id in the URL does not match the todoItem.Id, a 400 status (BadRequest) is returned.

  • The method returns a 204 status (No Content), indicating that the update was successful.


The DeleteTodoItem Method:

The DeleteTodoItem method is used to delete a todo item:

[HttpDelete("{id}")]
public async Task<IActionResult> DeleteTodoItem(long id)
{
    // ... code to find and delete the todo item
    if (todoItem == null)
    {
        return NotFound(); // 404 Not Found
    }

    // ... code to remove and save changes
    return NoContent(); // 204 No Content
}
  • [HttpDelete("{id}")]: This attribute specifies the route for the DeleteTodoItem method and expects the id of the todo item in the URL.

  • If the specified id does not correspond to an existing todo item, the method returns a 404 status (NotFound).

  • If the id corresponds to an existing todo item, it is removed from the database. The method returns a 204 status (No Content) to indicate successful deletion.

You can test these methods using Swagger or tools like http-repl, Postman, or curl.


let's see how you can test the methods in your ASP.NET Core Web API using various tools mentioned in the original text:


Swagger:

Swagger is a popular tool for testing and documenting APIs. In your ASP.NET Core Web API project, Swagger provides a user-friendly interface to interact with your API endpoints.


To test your API using Swagger, follow these steps:

  1. Run your ASP.NET Core Web API application (press Ctrl+F5).

  2. Open a web browser and navigate to the Swagger UI, which is usually accessible at https://localhost:<port>/swagger/index.html, where <port> is the port number your application is running on.

  3. You can explore your API endpoints, provide input data, and execute HTTP requests directly from the Swagger UI interface.

http-repl:

http-repl is a command-line tool provided by Microsoft that allows you to interact with HTTP APIs directly from the command line. It's particularly useful for quick API testing and exploration.


To use http-repl:

  1. Install http-repl using the .NET CLI: dotnet tool install -g Microsoft.dotnet-httprepl.

  2. Run http-repl by executing httprepl https://localhost:<port>/ in your command prompt, replacing <port> with your application's port number.

  3. You can navigate through API routes, send HTTP requests, and view responses directly from the command line.

Postman:

Postman is a popular API testing tool that provides a graphical user interface for testing and interacting with APIs.


To test your API using Postman:

  1. Launch Postman and create a new request.

  2. Specify the request method (GET, PUT, POST, DELETE, etc.) and the URL for your API endpoint (e.g., https://localhost:<port>/api/todoitems).

  3. Configure headers, request parameters, and request body if needed.

  4. Click the "Send" button to execute the request and view the response.

curl:

curl is a command-line tool that can be used for making HTTP requests. It is available on various platforms, including Unix-based systems and Windows through tools like Git Bash.


To use curl to test your API:

  1. Open a command prompt.

  2. Construct a curl command that specifies the HTTP method, headers, URL, and any necessary data.

  3. For example, to send a GET request to your API endpoint, you can use a command like curl -X GET https://localhost:<port>/api/todoitems.

These tools provide different ways to test your API, allowing you to send HTTP requests, inspect responses, and validate the behavior of your API endpoints. You can choose the tool that best suits your workflow and preferences for API testing and exploration.


STEP 9: Prevent Over-Posting

Preventing over-posting is a security and data integrity measure that focuses on limiting the data that can be sent from the client to the server. It is a practice to ensure that clients cannot send more data than is necessary or safe when making HTTP POST or PUT requests to your API. This concept is also known as "binding and model validation.


To prevent over-posting and hide certain fields in your ASP.NET Core Web API, you can create a Data Transfer Object (DTO) and use it to expose a limited subset of your model. Here's a step-by-step explanation of the code:


Step 1: Update the TodoItem Model:

First, update your TodoItem model to include a "secret" field, which you want to hide:

namespace TodoApi.Models
{
    public class TodoItem
    {
        public long Id { get; set; }
        public string? Name { get; set; }
        public bool IsComplete { get; set; }
        public string? Secret { get; set; } // Add the secret field
    }
}

In a production scenario, you would want to hide the "Secret" field from the API.


Step 2: Create a DTO Model:

Next, create a DTO model, TodoItemDTO, that represents the subset of your TodoItem model you want to expose. In this case, it excludes the "Secret" field:

namespace TodoApi.Models
{
    public class TodoItemDTO
    {
        public long Id { get; set; }
        public string? Name { get; set; }
        public bool IsComplete { get; set; }
    }
}

The TodoItemDTO is used to provide a limited view of the TodoItem data.


Step 3: Update the TodoItemsController:

Now, update your TodoItemsController to use the TodoItemDTO instead of the full TodoItem model for the GET, PUT, and POST methods:

using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using TodoApi.Models;

namespace TodoApi.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class TodoItemsController : ControllerBase
    {
        private readonly TodoContext _context;

        public TodoItemsController(TodoContext context)
        {
            _context = context;
        }

        // GET: api/TodoItems
        [HttpGet]
        public async Task<ActionResult<IEnumerable<TodoItemDTO>>>
            GetTodoItems()
        {
            return await _context.TodoItems
                .Select(x => ItemToDTO(x))
                .ToListAsync();
        }

        // GET: api/TodoItems/5
        [HttpGet("{id}")]
        public async Task<ActionResult<TodoItemDTO>>
            GetTodoItem(long id)
        {
            var todoItem = await _context.TodoItems.FindAsync(id);

            if (todoItem == null)
            {
                return NotFound();
            }

            return ItemToDTO(todoItem);
        }

        // PUT: api/TodoItems/5
        [HttpPut("{id}")]
        public async Task<IActionResult> PutTodoItem(long id, TodoItemDTO todoDTO)
        {
            if (id != todoDTO.Id)
            {
                return BadRequest();
            }

            var todoItem = await _context.TodoItems.FindAsync(id);
            if (todoItem == null)
            {
                return NotFound();
            }

            todoItem.Name = todoDTO.Name;
            todoItem.IsComplete = todoDTO.IsComplete;

            try
            {
                await _context.SaveChangesAsync();
            }
            catch (DbUpdateConcurrencyException) when (!TodoItemExists(id))
            {
                return NotFound();
            }

            return NoContent();
        }

        // POST: api/TodoItems
        [HttpPost]
        public async Task<ActionResult<TodoItemDTO>>
            PostTodoItem(TodoItemDTO todoDTO)
        {
            var todoItem = new TodoItem
            {
                IsComplete = todoDTO.IsComplete,
                Name = todoDTO.Name
            };

            _context.TodoItems.Add(todoItem);
            await _context.SaveChangesAsync();

            return CreatedAtAction(
                nameof(GetTodoItem),
                new { id = todoItem.Id },
                ItemToDTO(todoItem));
        }

        // ... (other methods)
        private bool TodoItemExists(long id)
        {
            return _context.TodoItems.Any(e => e.Id == id);
        }

        private static TodoItemDTO ItemToDTO(TodoItem todoItem) =>
            new TodoItemDTO
            {
                Id = todoItem.Id,
                Name = todoItem.Name,
                IsComplete = todoItem.IsComplete
            };
    }
}

The TodoItemsController now operates on TodoItemDTO instead of the full TodoItem. This ensures that the "Secret" field is hidden from the API.


With these changes, you can post and get data without exposing the "Secret" field, as the TodoItemDTO represents a limited view of the TodoItem data.


Conclusion

Implementing Web API endpoints in ASP.NET allows you to build powerful APIs for your applications. This journey covered setting up a project, handling databases, generating controllers, working with HTTP methods, data validation, and routing. ASP.NET Core provides flexibility and customization, making it a versatile framework for building efficient, secure, and scalable APIs.


Continuous learning is key to mastering the evolving world of API development. With this foundation, you're ready to create APIs that connect applications and drive innovation.

Comments


bottom of page