Self Descriptive HTTP API in ASP.NET Core: Object as Resource

In my opening post I went over some of the issues I encountered when initially developing an HTTP API.  In this post I’m going to cover some of those pain points and what I think the solution was.


The first pain point revolves around the idea of your HTTP API returning objects.  Meaning you serialize an object to JSON and return to the client.

This seems pretty typical.   Almost every example you find in regards to Web API describes this behavior.

Here’s an example of what this looks like:

We’re doing nothing more than fetching a record out of our repository/database and serializing it down the to the client.

On the flip side, all of our endpoints for mutating state of our system take the same object back.

Object as Resource

There was a great and short blog post by Alex Moore last year.

You’ve doubtless seen the OAR pattern out in the wild. I’d define its constraints this way: 1. a resource maps 1:1(-ish) to an object in your server’s application logic, 2. uris and http methods are given conventions mapping to CRUD operations

These are what most examples I find describe.  If you ever used OData with Entity Framework, it’s another great example of OAR.

Model Changes

The first obvious issue with this is your exposing your internal data structure to your consuming clients.

If you do not have ownership over the clients, then making any breaking change to the structure TodoItem is going to be pretty difficult.

This is really problematic when your internal models are still evolving.


The obvious answer is to create DTO (Data Transfer Objects) as the essentially a contract to your consuming clients.  Meaning you will create a separate object that will be serialized and return to clients rather than your database entity.

This is generally a recommended approach that I use.  This is where a library like AutoMapper shines.


But we need to take this a step further.  The idea of returning serialized DTO that still are in a 1:1-ish with some underlying data entity only provides our clients a single piece of information.

Often times in order for the client to perform a given action, they generally need related data.

An example, maybe our Todo application had the ability to create different categories so we could break up and categorize our items.  If we wanted to edit our TodoItem to specify a Category, we would need to pass it the CategoryId.

How exactly do we get the list of categories from the client?  Would the client be required to call another endpoint to them?

Why not return them in our DTO?

We would be doing this already if you were creating an MVC application returning a rendered HTML to the client/browser.

Your edit screen would contain a <select> list of all the categories in your edit <form>.


If you start thinking about sending down messages to the client rather than objects, you can open up to the idea of your messages being a much more rich representation.  This representation could contain referential data, actions the client could preform or other places the client could navigate your HTTP API.

Last year, I wrote a blog post about your Resource Model not being your Data Model after I seen a great tweet by Mike Amundsen.


In my next post I’m going to look at how we build HTML web applications and what we can learn and use to develop our HTTP APIs.  If anyone has any other suggestions or recommendations about this series, or the sample project to convert, please leave comment or let me know on twitter.

Building a Self Descriptive HTTP API in ASP.NET Core

Self Descriptive HTTP APIWe have all been doing “web services” forever.  My first introduction was in the late 90’s with XML-RPC and WDDX.  Followed up soon after with SOAP.  Good times.  Oh and remember WS-*.  Don’t remind me.


Over the last couple years, I’ve really taken an interest in HTTP APIs.

I’ve been meaning to post about my experiences developing an HTTP APIs.  It’s been an interesting last couple of years and I think there is quiet a bit to share.


I can only speak from my experiences and give some of the context about my situations.  Hopefully you can relate and translate it to your own projects and make a determination if what I struggled with is beneficial in your context.

There were four major pain points that I ran into developing our HTTP API and Clients.

  • Unable to change internal data structures that got exposed/serialized to Clients
  • Unable to change endpoint paths/routes
  • Endpoint documentation (incoming and outgoing payloads)
  • Workflow logic living on the client


Sometimes all you need is to do CRUD.  Sometimes that’s the last thing you should be doing.

Most examples and getting started tutorials usually demonstrate exposing your database structure and provide GET/POST/PUT/DELETE as away of performing CRUD.

You basically end up with HTTP endpoints that are a 1:1 mapping with a database entities.

This also makes it incredibly hard to change your API.

Go beyond serializing a database row into JSON

I’ve realized that developing an HTTP API is not much different than developing a regular HTML Website.

I started developing my HTTP APIs like I would if I were creating a static HTML or server side rendered HTML web application.  This means bringing the concepts we’ve been using for ages with HTTP and HTML such as links and forms.

(Un)Surprisingly, this lead to several benefits.  First, our API clients could consume our API with ease.  Second, they became dumb.  Workflow or business logic stayed on the server and didn’t leak to the client.


This series of posts is going to cover some misconceptions I had in regards to HTTP APIs and REST.

Producing an HTTP API using Hypermedia and various media types.

Consuming an HTTP API that uses Hypermedia.

How you can use CQRS and Hypermedia together.

Similar to my Fat Controller CQRS Diet series, I’m going to convert an existing web application.   Currently I’m thinking of using the MVC Music Store again.  If anyone has any other suggestions or recommendations about this series, or the sample project to convert, please leave comment or let me know on twitter.

Sensitive Configuration Data in ASP.NET Core

While working on my new side-project in ASP.NET Core, I was at the point where I needed to start storing sensitive configuration data.

Things like my DocumentDB Auth Key, Google OAuth ClientId & Secret, Twilio Auth Token, etc.

Depending on your context you may not want to be storing these types of application settings in configuration files that are committed to source control.

As you would expect, my local environment for development and once I deploy to Azure have completely different configurations.

So how do you change the configuration from local to production?

If you are used to using appSettings from the app.config and web.config, you may have been going down the road of transforming and replacing values with tools like SlowCheetah or through Octopus Deploy.

With ASP.NET Configurations, there’s a new way to do this.


ASP.NET Core has a ConfigurationBuilder that enables you to load application settings from various places.  If you’ve loaded up a brand new ASP.NET Core app, you’re Startup looks something like this.

You have a new appsettings.json file you can use as well as an optional appsettings for each different environment.

I could use the appsettings.Development.json for local development, however as mentioned i want to keep sensitive data out of this file.

For this, I’ve now been using User Secrets.

User Secrets

ASP.NET Core adds a new way to store your sensitive data with User Secrets.

User Secrets are simply a plain text json file that are stored in your systems user profile directory.  Meaning the file is stored outside of your project directory.

There are a couple ways to manage your user secrets, first you need to add Microsoft.Extensions.SecretManager.Tools in the tools section of your project.json.

I’m unaware of how this translates to the new .csproj format.

If you are using the dotnet CLI, then you should now be able to run dotnet user-secrets --version

Next in your project.json you want to add a “userSecretsId” property in the root.  The value can be anything you want but should probably keep it unique so it doesn’t collide with another user secrets you create for any other project.

In order to load the secrets file, you need to first add Microsoft.Extensions.Configuration.UserSecrets package in your project.json

As mentioned, since I only use user secrets for local development, we can now load the secrets using the ConfigurationBuilder in our Startup

Visual Studio

If you are using Visual Studio, you can edit your user secrets file by accessing it in the context menu of your project in the solution explorer.


If you are using the dotnet CLI then you can call dotnet user-secrets [options] [command] to clear, list, remove and set secrets.


Simple example would be wanting to store the connection string to a database.

 dotnet user-secrets set ConnStr "User ID=Derek;Password=CodeOpinion;"

Now within our code we can access the connection string after we built our configuration from the ConfigurationBuilder.


Next post I’ll take a look at how you can use Environment Variables and specifically how to set them when deploying as an App Service within Azure.

Always enjoy hear your feedback.  Please let me know on twitter or in the comments.