Skip to main content
All docs

Add and Protect CRUD Web API Endpoints

  • 3 minutes to read

This topic describes how to create endpoints in a Web API Service application. See the following topics for information on how to create a project with the Web API:

Create Endpoints for Business Objects

In the Startup.cs file, add or find the services.AddXafWebApi method call and use the BusinessObject method to create endpoints for business objects. The following code creates endpoints for the ApplicationUser and Contact business objects:

File: MySolution.WebApi\Startup.cs (MySolution.Blazor.Server\Startup.cs)

using MySolution.Module.BusinessObjects;
// ...
namespace MySolution.WebApi {
    public class Startup {
        // ...
        public void ConfigureServices(IServiceCollection services) {
            // ...
            services.AddXafWebApi(Configuration, options => {
            // In XPO applications, uncomment the following line:
            // .AddXpoServices(); 
            // ...
        // ...    

Configure Authorization for Endpoints or Protect Business Object Data

You must define Security System permissions for business objects and properties you want to expose through a Web API Service (both built-in and custom endpoints). We do not recommend that you expose business object data to all users without security protection.

You can configure permissions using one of the following methods:

  • In the code of the ModuleUpdater class (look for the Updater.cs file, because there may be different locations depending on your project configuration).
  • In the administrative UI powered by XAF Blazor/WinForms (this feature requires the Universal license).

For more information, refer to the following concepts and examples:

Expose or Hide Business Object Properties

Expose Properties

ASP.NET Core Web API/OData exposes public business class properties of simple/value types with a setter (writable) in a Web API response. Our Web API Service additionally exposes read-only calculated XPO properties of simple/value types without a setter (readonly) marked with PersistentAliasAttribute.

ASP.NET Core Web API/OData does not initially include complex type, reference, and collection business class properties in a Web API response. To include complex type, reference, and collection business class properties in a Web API response, use OData query options:


If you apply the AutoExpand attribute to a referenced property, you do not need to explicitly specify the $expand parameter in an OData query because it is automatically loaded and its data is included in the API response.

Hide Properties

To hide business class properties from the Web API Service’s responses, decorate them with the IgnoreDataMemberAttribute.

To specifically remove a property from the Web API Service’s OData interface, use the EntityTypeConfigurator.IgnoreProperty method. In this instance, the specified property may belong to the class itself or to its ancestor:

File: MySolution.WebApi\Startup.cs (MySolution.Blazor.Server\Startup.cs)

services.AddXafWebApi(Configuration, options => { 
    options.BusinessObject<Contact>().ConfigureEntityType(b => {
        // Ignore this class's property.
        b.IgnoreProperty(o => o.Email);
        // Ignore a property of the parent `Person` class.
        b.IgnoreProperty(o => o.Company);

The image below demonstrates the difference in the GET endpoint’s response when the above code is used:

Ignore Properties

For advanced OData entity model structure customization, refer to Change an EDM Model Structure using ODataModelBuilder.

See Also