ASP.NET Core Web API
Produce well-structured ASP.NET Core Web API endpoints with proper HTTP
semantics, OpenAPI documentation, and error handling.
When to Use
Use this skill when working on ASP.NET Core HTTP APIs, including:
- adding or modifying Web API endpoints implemented with controllers or minimal APIs;
- wiring up OpenAPI/Swagger metadata and endpoint documentation;
- defining request/response DTOs and consistent HTTP status code behavior;
- adding files or similar request-based API testing artifacts;
- configuring centralized API error handling middleware or exception mapping.
When Not to Use
Do not use this skill for:
- general C# coding style or non-API refactoring;
- EF Core data modeling or query optimization work; use
optimizing-ef-core-queries
- frontend, Razor, or Blazor UI changes;
- gRPC services;
- SignalR hubs or real-time messaging flows.
Inputs / prerequisites
Before applying this skill, gather the project context needed to match the
existing API style and wiring:
- the ASP.NET Core entry point, typically ;
- any existing controllers, especially classes inheriting or
using ;
- any existing minimal API registrations such as , ,
, or ;
- related DTO, model, validation, and error-handling types already used by the project;
- available build, run, and test commands so changes can be verified.
If the user asks for a new endpoint, inspect the current project structure first
so the implementation follows the established conventions rather than mixing styles.
Workflow
Step 1: Determine the API style
Scan the project for existing endpoint patterns before writing any code.
- Search for classes inheriting or decorated with .
- Search or endpoint files for , , etc.
- If the project already uses controllers, continue with controllers.
- If the project already uses minimal APIs, continue with minimal APIs.
- If neither exists (new project), default to minimal APIs unless the user
explicitly requests controllers.
Do not mix styles in the same project.
Step 2: Define request and response types
Create dedicated types for API input and output. Never expose EF Core entities
directly in request or response bodies.
Use for all DTOs. Records enforce immutability, provide
value-based equality, and produce concise code. Seal them to prevent unintended
inheritance and enable JIT devirtualization (CA1852).
Naming convention:
| Role | Convention | Example |
|---|
| Input (create) | | |
| Input (update) | | |
| Output (single) | | |
| Output (list) | | |
XML doc comments on all DTOs: Add
XML doc comments to every
request and response type exposed in the API. These comments are automatically
included in the generated OpenAPI specification, producing richer documentation
without extra metadata calls.
Date and time values — use : When a DTO includes a date or
time property, always use
instead of
.
preserves the UTC offset, avoids ambiguous timezone
conversions, and serializes to ISO 8601 with offset information in JSON — which
is what API consumers expect.
Reference:
https://learn.microsoft.com/en-us/dotnet/api/system.datetimeoffset
JSON serialization options — preserve existing behavior by default: For
existing APIs, do
not introduce stricter serialization/deserialization settings
unless the project already uses them or the user explicitly asks for them. Settings
such as case-sensitive property matching and strict number handling can break
existing clients. For
new projects, or when strict JSON handling is explicitly
requested, configure options like the following to minimize the potential of
processing malicious requests:
csharp
// Apply these settings only for new projects, when the existing project already
// uses them, or when the user explicitly requests stricter JSON behavior.
builder.Services.ConfigureHttpJsonOptions(options =>
{
// disallow reading numbers from JSON strings
options.SerializerOptions.NumberHandling = JsonNumberHandling.Strict;
// match properties with exact casing during deserialization
options.SerializerOptions.PropertyNameCaseInsensitive = false;
// reject duplicate JSON property names during deserialization
options.SerializerOptions.AllowDuplicateProperties = false;
// omit null properties from serialized output
options.SerializerOptions.DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull;
});
Enum properties — serialize as strings by default: Unless the user
explicitly requests integer serialization, all enum properties should be
serialized as strings. String-serialized enums are human-readable, less fragile
when values are reordered, and produce better OpenAPI documentation. See Step 4
for the
configuration.
Response DTOs — use positional sealed records for concise, immutable output:
csharp
public sealed record ProductResponse(
int Id,
string Name,
decimal Price,
Category Category,
bool IsAvailable,
DateTimeOffset CreatedAt);
Request DTOs — use sealed records with
properties so data annotations
work naturally:
csharp
public sealed record CreateProductRequest
{
[Required, MaxLength(200)]
public required string Name { get; init; }
[Range(0.01, 999999.99)]
public required decimal Price { get; init; }
public required Category Category { get; init; }
}
Follow the same pattern for
records, adding any
additional properties the update requires (e.g.,
).
Minimal API validation — register explicitly: Data-annotation validation
(
,
,
, etc.) is automatic in MVC controllers,
but minimal APIs require explicit opt-in. For
.NET 10+ projects using minimal
APIs, add the validation services in
:
csharp
builder.Services.AddValidation();
This wires up an endpoint filter that validates parameters decorated with data
annotations before the handler executes, returning a
with a
validation problem details response on failure.
Do not use mutable classes (
) for DTOs. Mutable DTOs allow
accidental modification after construction and lose the self-documenting
immutability that records provide.
Step 3: Implement the endpoints
Whether using controllers or minimal APIs, follow these HTTP conventions
consistently.
Organizing minimal API endpoints: For projects using minimal APIs, organize
endpoints by resource using static classes with a static
method.
This pattern keeps endpoint definitions grouped by resource type, making the
code more maintainable and easier to navigate as the API grows.
Pattern structure:
- Create one static class per resource (e.g., , ).
- Define a static
Map<Resource>(this WebApplication app)
- Inside the method, call , , , , etc. for
that resource's endpoints.
- In , call each resource's method in order.
Minimal API return types — prefer :
Always prefer
over the
factory.
embeds
response type information in the method signature, giving the OpenAPI generator
richer metadata automatically.
When a handler returns
multiple result types (e.g.,
or
),
annotate the lambda with an explicit
return type. This
lets you use
while still giving the compiler a common type:
csharp
async Task<Results<Ok<ProductResponse>, NotFound>> (int id, ...) => ...
Do not use
and
in a bare
ternary without an explicit return type annotation.
and
are
different types with no common base the compiler can infer, which causes
CS1593: Delegate 'RequestDelegate' does not take N arguments
because the
compiler falls back to matching
RequestDelegate(HttpContext)
.
Fallback — factory: If a handler has many conditional branches
(7+ result types), you may use the
factory (
,
) which returns
, sacrificing compile-time OpenAPI
inference for simpler signatures.
Status codes:
| Operation | Success | Common errors |
|---|
| GET (single) | | |
| GET (list) | | — |
| POST (create) | with header | , |
| PUT (full update) | | , |
| PATCH (partial/action) | | , |
| DELETE | | , |
POST 201 responses: Always return a
header pointing to the
newly created resource.
- Controllers: use
CreatedAtAction(nameof(GetById), new { id = ... }, response)
- Minimal APIs: use
TypedResults.Created($"/api/products/{id}", response)
CancellationToken: Accept
in every endpoint signature
and forward it through to all async calls (service methods, EF Core queries,
calls). This allows the server to stop work when a client
disconnects.
csharp
// Controller example
[HttpGet("{id}")]
public async Task<ActionResult<ProductResponse>> GetById(
int id, CancellationToken cancellationToken)
{
var product = await _productService.GetByIdAsync(id, cancellationToken);
return product is null ? NotFound() : Ok(product);
}
// Minimal API example — TypedResults with explicit return type (recommended)
app.MapGet("/api/products/{id}", async Task<Results<Ok<ProductResponse>, NotFound>> (
int id, IProductService service, CancellationToken cancellationToken) =>
{
var product = await service.GetByIdAsync(id, cancellationToken);
return product is null ? TypedResults.NotFound() : TypedResults.Ok(product);
});
Step 4: Wire up OpenAPI
Every ASP.NET Core Web API should have OpenAPI documentation. Check whether
the project already has OpenAPI configured before adding it.
For .NET 9+ projects, use the built-in ASP.NET Core OpenAPI support
(
builder.Services.AddOpenApi()
+
in development).
This is all that is needed — no additional packages required.
Do NOT add any NuGet package (
,
Swashbuckle.AspNetCore.SwaggerUI
,
Swashbuckle.AspNetCore.SwaggerGen
,
etc.) to .NET 9+ projects. Swashbuckle has known compatibility issues with
.NET 9+ and .NET 10 OpenAPI types. For projects targeting .NET 8 or earlier,
Swashbuckle is acceptable. If the project already has Swashbuckle installed,
keep it unless the user asks to remove it.
OpenAPI metadata on endpoints: Add descriptive metadata so the generated
documentation is useful, not just a list of routes. For minimal APIs, chain
the metadata methods:
csharp
app.MapGet("/api/products/{id}", handler)
.WithName("GetProductById")
.WithSummary("Get a product by ID")
.WithDescription("Returns the full product details including category.")
.Produces<ProductResponse>(StatusCodes.Status200OK)
.Produces(StatusCodes.Status404NotFound);
Enum serialization (strings by default): Configure JSON serialization so
enums appear as readable strings in both API responses and OpenAPI schemas.
Always add this configuration unless the user explicitly requests integer
enum serialization. Configure it for both minimal APIs and controllers, as
they use different option types:
csharp
// Minimal APIs
builder.Services.ConfigureHttpJsonOptions(options =>
options.SerializerOptions.Converters.Add(new JsonStringEnumConverter()));
// Controllers / MVC
builder.Services.AddControllers()
.AddJsonOptions(options =>
{
options.JsonSerializerOptions.Converters.Add(new JsonStringEnumConverter());
});
Step 5: Set up error handling
Use a global exception handler so that individual endpoints do not need
try-catch blocks. Return RFC 7807 Problem Details for all error responses.
For .NET 8+ projects, prefer the built-in exception handler middleware:
csharp
builder.Services.AddProblemDetails();
app.UseExceptionHandler();
app.UseStatusCodePages();
If the project needs custom exception-to-status-code mapping (e.g., a
should return 404), implement
:
csharp
internal sealed class ApiExceptionHandler(ILogger<ApiExceptionHandler> logger)
: IExceptionHandler
{
public async ValueTask<bool> TryHandleAsync(
HttpContext httpContext,
Exception exception,
CancellationToken cancellationToken)
{
var (statusCode, title) = exception switch
{
KeyNotFoundException => (StatusCodes.Status404NotFound, "Not Found"),
ArgumentException => (StatusCodes.Status400BadRequest, "Bad Request"),
InvalidOperationException => (StatusCodes.Status409Conflict, "Conflict"),
_ => (0, (string?)null)
};
if (statusCode == 0)
return false; // Let the default handler deal with it
// Important: returning true below suppresses the exception diagnostics middleware
// for this exception, so ensure it is logged/telemetrized before returning.
logger.LogWarning(exception, "Handled API exception: {Title}", title);
httpContext.Response.StatusCode = statusCode;
await httpContext.Response.WriteAsJsonAsync(new ProblemDetails
{
Status = statusCode,
Title = title,
// Do not use exception.Message here — it may leak sensitive internal details.
// Use a safe, user-facing message instead.
Detail = title,
Instance = httpContext.Request.Path
}, cancellationToken);
return true;
}
}
Register it:
csharp
builder.Services.AddExceptionHandler<ApiExceptionHandler>();
builder.Services.AddProblemDetails();
app.UseExceptionHandler();
File placement: Always place exception handler classes in a
folder to maintain consistent project organization. Do not place them at the
project root.
Step 6: Use a service layer
Do not inject data stores directly into controllers or endpoint handlers.
Create a service interface and a sealed implementation class that owns the
data access logic and mapping between entities and request/response types.
Always define an interface for every service — this enables unit testing with
mocks and follows the Dependency Inversion Principle:
csharp
// Services/IProductService.cs
public interface IProductService
{
Task<IReadOnlyList<ProductResponse>> GetAllAsync(CancellationToken ct);
Task<ProductResponse?> GetByIdAsync(int id, CancellationToken ct);
Task<ProductResponse> CreateAsync(CreateProductRequest request, CancellationToken ct);
}
// Services/ProductService.cs
public sealed class ProductService(...) : IProductService
{
// Data access logic, entity-to-DTO mapping
}
Register with the interface, not the concrete type:
csharp
// In Program.cs
builder.Services.AddScoped<IProductService, ProductService>();
For EF Core data access patterns (migrations, Fluent API configuration,
, seed data), see the
optimizing-ef-core-queries
skill.
Step 7: Create a .http test file
After implementing endpoints, create a
file in the project root that
demonstrates how to call every new endpoint. This serves as living
documentation and a quick manual test harness.
http
@baseUrl = http://localhost:5000
### Get all products
GET {{baseUrl}}/api/products
### Get product by ID
GET {{baseUrl}}/api/products/1
### Create a product
POST {{baseUrl}}/api/products
{
"name": "Wireless Mouse",
"price": 29.99,
"category": "Electronics"
}
### Delete a product
DELETE {{baseUrl}}/api/products/1
Include at least one request per endpoint with realistic bodies. Show error
paths (e.g., non-existent IDs). Match the port to
.
Step 8: Build and verify
- Run — confirm zero errors and zero warnings.
- Start the app and verify the OpenAPI document loads (default: ).
- Run the requests in the file and confirm correct status codes.
Validation
Common Pitfalls
| Pitfall | Solution |
|---|
| Exposing domain entities as API responses | Create separate request/response types. Entities leak navigation properties and internal fields. |
| Forgetting | Add to every endpoint and forward through the entire async call chain. |
| Returning from POST create | Return with a header. |
| Missing OpenAPI metadata | Chain , , , on every endpoint. |
| Injecting data stores directly into endpoints | Use a service layer with an interface for separation and testability. |
| Mixing controller and minimal API styles | Pick one per project and be consistent. |
| in ternary without explicit return type | and have no common base — annotate with Task<Results<Ok<T>, NotFound>>
|
| Using mutable classes for DTOs | Use with positional syntax (responses) or properties (requests). |
| Registering services without interfaces | Define and register with AddScoped<IService, Service>()
|
| Adding any package to new .NET 9+ projects | Use built-in + . Do not add , Swashbuckle.AspNetCore.SwaggerUI
|
| Missing XML doc comments on DTOs | Add XML doc comments to every request and response type. These flow into the generated OpenAPI spec automatically. |
| Using for date/time properties | Use instead — it preserves UTC offset, avoids timezone ambiguity, and serializes correctly in JSON. |
| Serializing enums as integers | Configure so enums serialize as strings by default. Only use integer serialization if the user explicitly requests it. |
More Info
- ASP.NET Core Web API overview — fundamental concepts for building Web APIs
- OpenAPI in ASP.NET Core — built-in OpenAPI support in .NET 9+
- OpenAPI from XML comments — how XML doc comments flow into the OpenAPI spec
- Minimal APIs overview — routing, parameter binding, and response types
- Handle errors in ASP.NET Core APIs — Problem Details and exception handling
- DateTimeOffset — preferred type for date/time values in APIs