ASP.NET Core Web API

Workflow

Step 1: Determine the API style

Scan the project for existing endpoint patterns before writing any code.

1. Search for classes inheriting ControllerBase or decorated with [ApiController].
2. Search Program.cs or endpoint files for app.MapGet, app.MapPost, etc.
3. If the project already uses controllers, continue with controllers.
4. If the project already uses minimal APIs, continue with minimal APIs.
5. If neither exists (new project), default to minimal APIs unless the user

explicitly requests controllers.

Do not mix styles in the same project.

Step 2: Define request and response types

Create dedicated types for API input and output. Never expose EF Core entities directly in request or response bodies.

Use `sealed record` for all DTOs. Records enforce immutability, provide value-based equality, and produce concise code. Seal them to prevent unintended inheritance and enable JIT devirtualization (CA1852).

Naming convention:

| Role | Convention | Example | |------|-----------|---------| | Input (create) | Create{Entity}Request | CreateProductRequest | | Input (update) | Update{Entity}Request | UpdateProductRequest | | Output (single) | {Entity}Response | ProductResponse | | Output (list) | {Entity}ListResponse | ProductListResponse |

XML doc comments on all DTOs: Add <summary> XML doc comments to every request and response type exposed in the API. These comments are automatically included in the generated OpenAPI specification, producing richer documentation without extra metadata calls.

Reference: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/openapi/openapi-comments

Date and time values — use `DateTimeOffset`: When a DTO includes a date or time property, always use DateTimeOffset instead of DateTime. DateTimeOffset preserves the UTC offset, avoids ambiguous timezone conversions, and serializes to ISO 8601 with offset information in JSON — which is what API consumers expect.

Reference: https://learn.microsoft.com/en-us/dotnet/api/system.datetimeoffset JSON serialization options — preserve existing behavior by default: For existing APIs, do not introduce stricter serialization/deserialization settings unless the project already uses them or the user explicitly asks for them. Settings such as case-sensitive property matching and strict number handling can break existing clients. For new projects, or when strict JSON handling is explicitly requested, configure options like the following to minimize the potential of processing malicious requests:

// Apply these settings only for new projects, when the existing project already
// uses them, or when the user explicitly requests stricter JSON behavior.
builder.Services.ConfigureHttpJsonOptions(options =>
{
    // disallow reading numbers from JSON strings
    options.SerializerOptions.NumberHandling = JsonNumberHandling.Strict;
    // match properties with exact casing during deserialization
    options.SerializerOptions.PropertyNameCaseInsensitive = false;
    // reject duplicate JSON property names during deserialization
    options.SerializerOptions.AllowDuplicateProperties = false;
    // omit null properties from serialized output
    options.SerializerOptions.DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull;
});

Enum properties — serialize as strings by default: Unless the user explicitly requests integer serialization, all enum properties should be serialized as strings. String-serialized enums are human-readable, less fragile when values are reordered, and produce better OpenAPI documentation. See Step 4 for the JsonStringEnumConverter configuration.

Response DTOs — use positional sealed records for concise, immutable output:

/// <summary>Represents a product returned by the API.</summary>
public sealed record ProductResponse(
    int Id,
    string Name,
    decimal Price,
    Category Category,
    bool IsAvailable,
    DateTimeOffset CreatedAt);

Request DTOs — use sealed records with init properties so data annotations work naturally:

/// <summary>Payload for creating a new product.</summary>
public sealed record CreateProductRequest
{
    [Required, MaxLength(200)]
    public required string Name { get; init; }

    [Range(0.01, 999999.99)]
    public required decimal Price { get; init; }

    public required Category Category { get; init; }
}

Follow the same pattern for Update{Entity}Request records, adding any additional properties the update requires (e.g., IsAvailable).

Minimal API validation — register explicitly: Data-annotation validation ([Required], [MaxLength], [Range], etc.) is automatic in MVC controllers, but minimal APIs require explicit opt-in. For .NET 10+ projects using minimal APIs, add the validation services in Program.cs:

builder.Services.AddValidation();

This wires up an endpoint filter that validates parameters decorated with data annotations before the handler executes, returning a 400 Bad Request with a validation problem details response on failure.

Reference: https://learn.microsoft.com/aspnet/core/fundamentals/minimal-apis?view=aspnetcore-10.0

Do not use mutable classes ({ get; set; }) for DTOs. Mutable DTOs allow accidental modification after construction and lose the self-documenting immutability that records provide.

Step 3: Implement the endpoints

Whether using controllers or minimal APIs, follow these HTTP conventions consistently.

Organizing minimal API endpoints: For projects using minimal APIs, organize endpoints by resource using static classes with a static Map<Resource> method. This pattern keeps endpoint definitions grouped by resource type, making the code more maintainable and easier to navigate as the API grows.

Pattern structure:

1. Create one static class per resource (e.g., ProductEndpoints, CategoryEndpoints).
2. Define a static Map<Resource>(this WebApplication app) extension method.
3. Inside the method, call MapGet, MapPost, MapPut, MapDelete, etc. for

that resource's endpoints.

1. In Program.cs, call each resource's Map method in order.

Minimal API return types — prefer `TypedResults`:

Always prefer TypedResults over the Results factory. TypedResults embeds response type information in the method signature, giving the OpenAPI generator richer metadata automatically.

When a handler returns multiple result types (e.g., Ok or NotFound), annotate the lambda with an explicit Results<T1, T2> return type. This lets you use TypedResults while still giving the compiler a common type:

async Task<Results<Ok<ProductResponse>, NotFound>> (int id, ...) => ...

Do not use TypedResults.Ok(x) and TypedResults.NotFound() in a bare ternary without an explicit return type annotation. Ok<T> and NotFound are different types with no common base the compiler can infer, which causes CS1593: Delegate 'RequestDelegate' does not take N arguments because the compiler falls back to matching RequestDelegate(HttpContext).

Fallback — `Results` factory: If a handler has many conditional branches (7+ result types), you may use the Results factory (Results.Ok(), Results.NotFound()) which returns IResult, sacrificing compile-time OpenAPI inference for simpler signatures.

Status codes:

| Operation | Success | Common errors | |-----------|---------|---------------| | GET (single) | 200 OK | 404 Not Found | | GET (list) | 200 OK | — | | POST (create) | 201 Created with Location header | 400 Bad Request, 409 Conflict | | PUT (full update) | 200 OK | 400 Bad Request, 404 Not Found | | PATCH (partial/action) | 200 OK | 400 Bad Request, 404 Not Found | | DELETE | 204 No Content | 404 Not Found, 409 Conflict |

POST 201 responses: Always return a Location header pointing to the newly created resource.

• Controllers: use CreatedAtAction(nameof(GetById), new { id = ... }, response)
• Minimal APIs: use TypedResults.Created($"/api/products/{id}", response)

CancellationToken: Accept CancellationToken in every endpoint signature and forward it through to all async calls (service methods, EF Core queries, HttpClient calls). This allows the server to stop work when a client disconnects.

// Controller example
[HttpGet("{id}")]
public async Task<ActionResult<ProductResponse>> GetById(
    int id, CancellationToken cancellationToken)
{
    var product = await _productService.GetByIdAsync(id, cancellationToken);
    return product is null ? NotFound() : Ok(product);
}

// Minimal API example — TypedResults with explicit return type (recommended)
app.MapGet("/api/products/{id}", async Task<Results<Ok<ProductResponse>, NotFound>> (
    int id, IProductService service, CancellationToken cancellationToken) =>
{
    var product = await service.GetByIdAsync(id, cancellationToken);
    return product is null ? TypedResults.NotFound() : TypedResults.Ok(product);
});

Step 4: Wire up OpenAPI

Every ASP.NET Core Web API should have OpenAPI documentation. Check whether the project already has OpenAPI configured before adding it.

For .NET 9+ projects, use the built-in ASP.NET Core OpenAPI support (builder.Services.AddOpenApi() + app.MapOpenApi() in development). This is all that is needed — no additional packages required.

**Do NOT add any Swashbuckle.* NuGet package** (Swashbuckle.AspNetCore, Swashbuckle.AspNetCore.SwaggerUI, Swashbuckle.AspNetCore.SwaggerGen, etc.) to .NET 9+ projects. Swashbuckle has known compatibility issues with .NET 9+ and .NET 10 OpenAPI types. For projects targeting .NET 8 or earlier, Swashbuckle is acceptable. If the project already has Swashbuckle installed, keep it unless the user asks to remove it.

Reference: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/openapi/overview

OpenAPI metadata on endpoints: Add descriptive metadata so the generated documentation is useful, not just a list of routes. For minimal APIs, chain the metadata methods:

app.MapGet("/api/products/{id}", handler)
    .WithName("GetProductById")
    .WithSummary("Get a product by ID")
    .WithDescription("Returns the full product details including category.")
    .Produces<ProductResponse>(StatusCodes.Status200OK)
    .Produces(StatusCodes.Status404NotFound);

Enum serialization (strings by default): Configure JSON serialization so enums appear as readable strings in both API responses and OpenAPI schemas. Always add this configuration unless the user explicitly requests integer enum serialization. Configure it for both minimal APIs and controllers, as they use different option types:

// Minimal APIs
builder.Services.ConfigureHttpJsonOptions(options =>
    options.SerializerOptions.Converters.Add(new JsonStringEnumConverter()));

// Controllers / MVC
builder.Services.AddControllers()
    .AddJsonOptions(options =>
    {
        options.JsonSerializerOptions.Converters.Add(new JsonStringEnumConverter());
    });

Step 5: Set up error handling

Use a global exception handler so that individual endpoints do not need try-catch blocks. Return RFC 7807 Problem Details for all error responses.

For .NET 8+ projects, prefer the built-in exception handler middleware:

builder.Services.AddProblemDetails();

app.UseExceptionHandler();
app.UseStatusCodePages();

If the project needs custom exception-to-status-code mapping (e.g., a NotFoundException should return 404), implement IExceptionHandler:

internal sealed class ApiExceptionHandler(ILogger<ApiExceptionHandler> logger)
    : IExceptionHandler
{
    public async ValueTask<bool> TryHandleAsync(
        HttpContext httpContext,
        Exception exception,
        CancellationToken cancellationToken)
    {
        var (statusCode, title) = exception switch
        {
            KeyNotFoundException => (StatusCodes.Status404NotFound, "Not Found"),
            ArgumentException => (StatusCodes.Status400BadRequest, "Bad Request"),
            InvalidOperationException => (StatusCodes.Status409Conflict, "Conflict"),
            _ => (0, (string?)null)
        };

        if (statusCode == 0)
            return false; // Let the default handler deal with it

        // Important: returning true below suppresses the exception diagnostics middleware
        // for this exception, so ensure it is logged/telemetrized before returning.
        logger.LogWarning(exception, "Handled API exception: {Title}", title);

        httpContext.Response.StatusCode = statusCode;
        await httpContext.Response.WriteAsJsonAsync(new ProblemDetails
        {
            Status = statusCode,
            Title = title,
            // Do not use exception.Message here — it may leak sensitive internal details.
            // Use a safe, user-facing message instead.
            Detail = title,
            Instance = httpContext.Request.Path
        }, cancellationToken);

        return true;
    }
}

Register it:

builder.Services.AddExceptionHandler<ApiExceptionHandler>();
builder.Services.AddProblemDetails();

app.UseExceptionHandler();

File placement: Always place exception handler classes in a Middleware/ folder to maintain consistent project organization. Do not place them at the project root.

Step 6: Use a service layer

Do not inject data stores directly into controllers or endpoint handlers. Create a service interface and a sealed implementation class that owns the data access logic and mapping between entities and request/response types.

Always define an interface for every service — this enables unit testing with mocks and follows the Dependency Inversion Principle:

// Services/IProductService.cs
public interface IProductService
{
    Task<IReadOnlyList<ProductResponse>> GetAllAsync(CancellationToken ct);
    Task<ProductResponse?> GetByIdAsync(int id, CancellationToken ct);
    Task<ProductResponse> CreateAsync(CreateProductRequest request, CancellationToken ct);
}

// Services/ProductService.cs
public sealed class ProductService(...) : IProductService
{
    // Data access logic, entity-to-DTO mapping
}

Register with the interface, not the concrete type:

// In Program.cs
builder.Services.AddScoped<IProductService, ProductService>();

For EF Core data access patterns (migrations, Fluent API configuration, AsNoTracking, seed data), see the optimizing-ef-core-queries skill.

Step 7: Create a .http test file

After implementing endpoints, create a .http file in the project root that demonstrates how to call every new endpoint. This serves as living documentation and a quick manual test harness.

@baseUrl = http://localhost:5000

### Get all products
GET {{baseUrl}}/api/products

### Get product by ID
GET {{baseUrl}}/api/products/1

### Create a product
POST {{baseUrl}}/api/products
Content-Type: application/json

{
  "name": "Wireless Mouse",
  "price": 29.99,
  "category": "Electronics"
}

### Delete a product
DELETE {{baseUrl}}/api/products/1

Include at least one request per endpoint with realistic bodies. Show error paths (e.g., non-existent IDs). Match the port to launchSettings.json.

Step 8: Build and verify

1. Run dotnet build — confirm zero errors and zero warnings.
2. Start the app and verify the OpenAPI document loads (default: /openapi/v1.json).
3. Run the requests in the .http file and confirm correct status codes.

Related skills