Build web APIs with ASP.NET Core

By Scott Addie

View or download sample code (how to download)

This document explains how to build a web API in ASP.NET Core and when it's most appropriate to use each feature.

Derive class from ControllerBase

Inherit from the ControllerBase class in a controller that's intended to serve as a web API. For example:

[Produces("application/json")]
[Route("api/[controller]")]
public class PetsController : ControllerBase
{
    private readonly PetsRepository _repository;

    public PetsController(PetsRepository repository)
    {
        _repository = repository;
    }

    [HttpGet]
    public ActionResult<List<Pet>> Get()
    {
        return _repository.GetPets();
    }

    [HttpGet("{id}")]
    [ProducesResponseType(404)]
    public ActionResult<Pet> GetById(int id)
    {
        if (!_repository.TryGetPet(id, out var pet))
        {
            return NotFound();
        }

        return pet;
    }

    [HttpPost]
    [ProducesResponseType(400)]
    public async Task<ActionResult<Pet>> CreateAsync(Pet pet)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        await _repository.AddPetAsync(pet);

        return CreatedAtAction(nameof(GetById),
            new { id = pet.Id }, pet);
    }
}
[Produces("application/json")]
[Route("api/[controller]")]
public class PetsController : ControllerBase
{
    private readonly PetsRepository _repository;

    public PetsController(PetsRepository repository)
    {
        _repository = repository;
    }

    [HttpGet]
    [ProducesResponseType(typeof(IEnumerable<Pet>), 200)]
    public IActionResult Get()
    {
        return Ok(_repository.GetPets());
    }

    [HttpGet("{id}")]
    [ProducesResponseType(typeof(Pet), 200)]
    [ProducesResponseType(404)]
    public IActionResult GetById(int id)
    {
        if (!_repository.TryGetPet(id, out var pet))
        {
            return NotFound();
        }

        return Ok(pet);
    }

    [HttpPost]
    [ProducesResponseType(typeof(Pet), 201)]
    [ProducesResponseType(400)]
    public async Task<IActionResult> CreateAsync([FromBody] Pet pet)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        await _repository.AddPetAsync(pet);

        return CreatedAtAction(nameof(GetById),
            new { id = pet.Id }, pet);
    }
}

The ControllerBase class provides access to numerous properties and methods. In the preceding example, some such methods include BadRequest and CreatedAtAction. These methods are invoked within action methods to return HTTP 400 and 201 status codes, respectively. The ModelState property, also provided by ControllerBase, is accessed to perform request model validation.

Annotate class with ApiControllerAttribute

ASP.NET Core 2.1 introduces the [ApiController] attribute to denote a web API controller class. For example:

[Route("api/[controller]")]
[ApiController]
public class ProductsController : ControllerBase

This attribute is commonly coupled with ControllerBase to gain access to useful methods and properties. ControllerBase provides access to methods such as NotFound and File.

Another approach is to create a custom base controller class annotated with the [ApiController] attribute:

[ApiController]
public class MyBaseController
{
}

The following sections describe convenience features added by the attribute.

Automatic HTTP 400 responses

Validation errors automatically trigger an HTTP 400 response. The following code becomes unnecessary in your actions:

if (!ModelState.IsValid)
{
    return BadRequest(ModelState);
}

This default behavior is disabled with the following code in Startup.ConfigureServices:

services.Configure<ApiBehaviorOptions>(options =>
{
    options.SuppressConsumesConstraintForFormFileParameters = true;
    options.SuppressInferBindingSourcesForParameters = true;
    options.SuppressModelStateInvalidFilter = true;
});

Binding source parameter inference

A binding source attribute defines the location at which an action parameter's value is found. The following binding source attributes exist:

Attribute Binding source
[FromBody] Request body
[FromForm] Form data in the request body
[FromHeader] Request header
[FromQuery] Request query string parameter
[FromRoute] Route data from the current request
[FromServices] The request service injected as an action parameter

Note

Do not use [FromRoute] when values might contain %2f (that is /) because %2f won't be unescaped to /. Use [FromQuery] if the value might contain %2f.

Without the [ApiController] attribute, binding source attributes are explicitly defined. In the following example, the [FromQuery] attribute indicates that the discontinuedOnly parameter value is provided in the request URL's query string:

[HttpGet]
public ActionResult<List<Product>> Get([FromQuery] bool discontinuedOnly = false)
{
    List<Product> products = null;

    if (discontinuedOnly)
    {
        products = _repository.GetDiscontinuedProducts();
    }
    else
    {
        products = _repository.GetProducts();
    }

    return products;
}

Inference rules are applied for the default data sources of action parameters. These rules configure the binding sources you're otherwise likely to manually apply to the action parameters. The binding source attributes behave as follows:

  • [FromBody] is inferred for complex type parameters. An exception to this rule is any complex, built-in type with a special meaning, such as IFormCollection and CancellationToken. The binding source inference code ignores those special types. When an action has more than one parameter explicitly specified (via [FromBody]) or inferred as bound from the request body, an exception is thrown. For example, the following action signatures cause an exception:
// Don't do this. All of the following actions result in an exception.
[HttpPost]
public IActionResult Action1(Product product, 
                             Order order) => null;

[HttpPost]
public IActionResult Action2(Product product, 
                             [FromBody] Order order) => null;

[HttpPost]
public IActionResult Action3([FromBody] Product product, 
                             [FromBody] Order order) => null;
  • [FromForm] is inferred for action parameters of type IFormFile and IFormFileCollection. It's not inferred for any simple or user-defined types.
  • [FromRoute] is inferred for any action parameter name matching a parameter in the route template. When multiple routes match an action parameter, any route value is considered [FromRoute].
  • [FromQuery] is inferred for any other action parameters.

The default inference rules are disabled with the following code in Startup.ConfigureServices:

services.Configure<ApiBehaviorOptions>(options =>
{
    options.SuppressConsumesConstraintForFormFileParameters = true;
    options.SuppressInferBindingSourcesForParameters = true;
    options.SuppressModelStateInvalidFilter = true;
});

Multipart/form-data request inference

When an action parameter is annotated with the [FromForm] attribute, the multipart/form-data request content type is inferred.

The default behavior is disabled with the following code in Startup.ConfigureServices:

services.Configure<ApiBehaviorOptions>(options =>
{
    options.SuppressConsumesConstraintForFormFileParameters = true;
    options.SuppressInferBindingSourcesForParameters = true;
    options.SuppressModelStateInvalidFilter = true;
});

Attribute routing requirement

Attribute routing becomes a requirement. For example:

[Route("api/[controller]")]
[ApiController]
public class ProductsController : ControllerBase

Actions are inaccessible via conventional routes defined in UseMvc or by UseMvcWithDefaultRoute in Startup.Configure.

Additional resources