The latest articles on DEV Community by alinabi19 (@alinabi19). https://dev.to/alinabi19 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F830106%2F68ef085c-3d41-4a7c-abc4-fbf6ecd35f59.jpeg https://dev.to/alinabi19 en alinabi19 Fri, 13 Mar 2026 15:59:27 +0000 https://dev.to/alinabi19/running-local-ai-models-in-net-with-ollama-step-by-step-guide-4die https://dev.to/alinabi19/running-local-ai-models-in-net-with-ollama-step-by-step-guide-4die <p>Most developers who start experimenting with AI tend to follow the same path.</p> <p>You integrate a cloud AI API into your application. The prototype works beautifully. Responses are fast, integration is simple, and everything feels almost magical.</p> <p>Then the production questions start appearing.</p> <p>How much will this cost at scale?</p> <p>Do we really want sensitive data leaving our infrastructure?</p> <p>What happens if the API rate limits us?</p> <p>And the big one many developers eventually ask:</p> <p><strong>Can we run AI models locally instead?</strong></p> <p>The answer is yes. And tools like <strong>Ollama</strong> make it much easier than most developers expect.</p> <p>Ollama allows you to run powerful language models directly on your machine and access them through a simple HTTP API. This means you can integrate local AI into <strong>ASP.NET Core APIs, background services, or internal tools</strong> without relying on external providers.</p> <p>In this guide we will walk through:</p> <ul> <li>why local AI models are becoming popular</li> <li>how Ollama works</li> <li>how to run models locally</li> <li>how to call Ollama from a .NET application</li> <li>how to build a simple AI-powered ASP.NET Core endpoint</li> </ul> <p>If you are a .NET developer curious about integrating AI without depending entirely on cloud APIs, this is a great place to start.</p> <h2> Why Run AI Models Locally? </h2> <p>Cloud AI APIs are extremely powerful, but they are not always the best solution for every scenario.</p> <p>Running models locally offers a few advantages that become very attractive in production environments.</p> <h3> No API Usage Costs </h3> <p>Most cloud AI providers charge based on <strong>tokens or requests</strong>.</p> <p>That works well for prototypes. But once usage grows, costs can scale quickly.</p> <p>Running models locally removes the <strong>per-request cost entirely</strong>, which makes a big difference for internal tools or heavy workloads.</p> <h3> Full Data Privacy </h3> <p>Many enterprise systems process sensitive information such as:</p> <ul> <li>internal documentation</li> <li>support tickets</li> <li>logs</li> <li>customer records</li> </ul> <p>Sending this data to external AI APIs can raise <strong>security and compliance concerns</strong>.</p> <p>Local models keep everything <strong>inside your infrastructure</strong>.</p> <h3> Lower Latency </h3> <p>Cloud inference requires a network round trip.</p> <p>Local inference removes that dependency completely.</p> <p>For internal assistants, dashboards, or developer tooling, this often results in noticeably faster responses.</p> <h3> Offline AI Capabilities </h3> <p>Local models can run without internet access.</p> <p>This is useful in environments like:</p> <ul> <li>secure enterprise networks</li> <li>air-gapped systems</li> <li>developer tools running locally</li> </ul> <h3> Ideal for Internal Tools </h3> <p>Local AI is especially useful for building tools such as:</p> <ul> <li>internal chat assistants</li> <li>log summarization tools</li> <li>documentation search</li> <li>developer copilots</li> <li>AI-powered dashboards</li> </ul> <p>This is exactly the kind of scenario where <strong>Ollama shines</strong>.</p> <h2> What is Ollama? </h2> <p>Ollama is a tool that allows developers to run <strong>LLMs (large language models) locally</strong> with minimal setup.</p> <p>Instead of manually managing model weights, runtime environments, and inference servers, Ollama handles the heavy lifting.</p> <p>It manages:</p> <ul> <li>model downloads</li> <li>model execution</li> <li>memory handling</li> <li>inference APIs</li> </ul> <p>Once installed, Ollama exposes a <strong>local HTTP API</strong>.</p> <p>That means any language capable of making HTTP requests can interact with it, including:</p> <ul> <li>C#</li> <li>Python</li> <li>JavaScript</li> <li>Go</li> <li>Java</li> </ul> <p>For backend developers, this makes integration extremely straightforward.</p> <h2> Supported Models </h2> <p>Ollama supports many popular open-source models, including:</p> <ul> <li>Llama 3</li> <li>Mistral</li> <li>Gemma</li> <li>Code Llama</li> <li>various other community models</li> </ul> <p>Different models are optimized for different tasks.</p> <p>For example:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Model</th> <th>Best Use Case</th> </tr> </thead> <tbody> <tr> <td>llama3</td> <td>General AI tasks</td> </tr> <tr> <td>mistral</td> <td>Fast responses</td> </tr> <tr> <td>codellama</td> <td>Code generation</td> </tr> <tr> <td>gemma</td> <td>Lightweight inference</td> </tr> </tbody> </table></div> <p>One of the biggest advantages of Ollama is how easy it is to <strong>switch between models</strong>.<br> Before choosing a model, it's worth understanding the hardware requirements involved in running these models locally.</p> <h2> Resource Considerations </h2> <p>Before running models locally, it is important to understand that LLMs still require system resources.</p> <p>One thing you'll quickly notice when running local models is that inference latency can vary significantly depending on hardware.</p> <p>During development, it’s common for responses to take several seconds when running on CPU-only machines.</p> <p>For internal tools this is usually acceptable, but it’s worth keeping in mind when designing user-facing APIs.</p> <p>For example:</p> <p>Llama 3 8B models typically require <strong>8–16GB RAM</strong></p> <p>CPU inference works but may be slower</p> <p>GPUs significantly improve performance</p> <p>For many internal tools, smaller or quantized models provide the best balance between performance and resource usage.</p> <h2> Architecture of a .NET Application Using Ollama </h2> <p>Before writing code, it helps to understand where Ollama fits into the architecture.</p> <p>A typical integration looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client ↓ ASP.NET Core API ↓ AI Service Layer ↓ Ollama Local API ↓ Local LLM Model </code></pre> </div> <p>Request flow:</p> <ol> <li>Client sends a request to the ASP.NET Core API</li> <li>The API calls an AI service layer</li> <li>The service sends a prompt to Ollama</li> <li>Ollama runs the model locally</li> <li>The generated response returns to the client</li> </ol> <p>This separation keeps the architecture clean and maintainable.</p> <h2> Step 1: Installing Ollama </h2> <p>First, install Ollama on your machine.</p> <p>Go to the official website:</p> <p><a href="https://ollama.com" rel="noopener noreferrer">https://ollama.com</a></p> <p>Download the installer for your operating system. Ollama currently supports:</p> <ul> <li>macOS</li> <li>Linux</li> <li>Windows</li> </ul> <p>Run the installer and complete the setup.</p> <p>After installation, <strong>open a terminal or command prompt</strong> and verify that Ollama is installed correctly by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ollama <span class="nt">--version</span> </code></pre> </div> <p>If Ollama is installed properly, you should see the installed version printed in the terminal.</p> <h3> Download a Model </h3> <p>Next, download a language model that Ollama will run locally.</p> <p>For this guide, we will use <strong>Llama 3</strong>.</p> <p>Run the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ollama pull llama3 </code></pre> </div> <p>This command downloads the model weights and prepares them for local inference.</p> <p>Depending on your internet speed, the download may take a few minutes because LLM models are several gigabytes in size.</p> <h3> Run the Model </h3> <p>Once the model is downloaded, you can start it using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ollama run llama3 </code></pre> </div> <p>Ollama will load the model and open an interactive prompt.</p> <p>Try entering a simple question:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Explain what REST APIs are </code></pre> </div> <p>If the model responds with an answer, your local AI environment is working correctly.</p> <h3> Local API Endpoint </h3> <p>Behind the scenes, Ollama also exposes an HTTP API that applications can call.</p> <p>By default, the API runs at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>http://localhost:11434 </code></pre> </div> <p>This is the endpoint your <strong>ASP.NET Core application will communicate with</strong>.</p> <h2> Step 2: Creating a .NET 8 Web API </h2> <p>Next create a new ASP.NET Core API project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dotnet new webapi <span class="nt">-n</span> LocalAIApi </code></pre> </div> <p>A simple project structure might look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Controllers Services Models Program.cs </code></pre> </div> <p>Keeping AI logic separated into services helps maintain clean architecture.</p> <h2> Step 3: Calling the Ollama API from .NET </h2> <p>Ollama exposes a simple endpoint for generating responses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>POST http://localhost:11434/api/generate </code></pre> </div> <p>Example request payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"model"</span>: <span class="s2">"llama3"</span>, <span class="s2">"prompt"</span>: <span class="s2">"Explain dependency injection in ASP.NET Core"</span>, <span class="s2">"stream"</span>: <span class="nb">false</span> <span class="o">}</span> </code></pre> </div> <h3> Example .NET Call </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="nf">GenerateAsync</span><span class="p">(</span> <span class="kt">string</span> <span class="n">prompt</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">cancellationToken</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">request</span> <span class="p">=</span> <span class="k">new</span> <span class="p">{</span> <span class="n">model</span> <span class="p">=</span> <span class="s">"llama3"</span><span class="p">,</span> <span class="n">prompt</span><span class="p">,</span> <span class="n">stream</span> <span class="p">=</span> <span class="k">false</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_httpClient</span><span class="p">.</span><span class="nf">PostAsJsonAsync</span><span class="p">(</span> <span class="s">"api/generate"</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="n">response</span><span class="p">.</span><span class="nf">EnsureSuccessStatusCode</span><span class="p">();</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">await</span> <span class="n">response</span><span class="p">.</span><span class="n">Content</span> <span class="p">.</span><span class="n">ReadFromJsonAsync</span><span class="p">&lt;</span><span class="n">OllamaResponse</span><span class="p">&gt;(</span><span class="n">cancellationToken</span><span class="p">:</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="k">return</span> <span class="n">result</span><span class="p">?.</span><span class="n">Response</span> <span class="p">??</span> <span class="kt">string</span><span class="p">.</span><span class="n">Empty</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Response model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">OllamaResponse</span> <span class="p">{</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Response</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Using a typed model instead of <code>dynamic</code> makes the code safer and easier to maintain.</p> <h2> Step 4: Creating an AI Service Layer </h2> <p>One design rule worth following:</p> <p><strong>Avoid putting AI logic directly inside controllers.</strong></p> <p>Instead, isolate it inside a service layer.</p> <h3> Service Interface </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">interface</span> <span class="nc">IAiService</span> <span class="p">{</span> <span class="n">Task</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="nf">GenerateAsync</span><span class="p">(</span><span class="kt">string</span> <span class="n">prompt</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">OllamaService</span> <span class="p">:</span> <span class="n">IAiService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">HttpClient</span> <span class="n">_httpClient</span><span class="p">;</span> <span class="k">public</span> <span class="nf">OllamaService</span><span class="p">(</span><span class="n">HttpClient</span> <span class="n">httpClient</span><span class="p">)</span> <span class="p">{</span> <span class="n">_httpClient</span> <span class="p">=</span> <span class="n">httpClient</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="nf">GenerateAsync</span><span class="p">(</span> <span class="kt">string</span> <span class="n">prompt</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">cancellationToken</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">request</span> <span class="p">=</span> <span class="k">new</span> <span class="p">{</span> <span class="n">model</span> <span class="p">=</span> <span class="s">"llama3"</span><span class="p">,</span> <span class="n">prompt</span><span class="p">,</span> <span class="n">stream</span> <span class="p">=</span> <span class="k">false</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_httpClient</span><span class="p">.</span><span class="nf">PostAsJsonAsync</span><span class="p">(</span> <span class="s">"api/generate"</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="n">response</span><span class="p">.</span><span class="nf">EnsureSuccessStatusCode</span><span class="p">();</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">await</span> <span class="n">response</span><span class="p">.</span><span class="n">Content</span> <span class="p">.</span><span class="n">ReadFromJsonAsync</span><span class="p">&lt;</span><span class="n">OllamaResponse</span><span class="p">&gt;(</span><span class="n">cancellationToken</span><span class="p">:</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="k">return</span> <span class="n">result</span><span class="p">?.</span><span class="n">Response</span> <span class="p">??</span> <span class="kt">string</span><span class="p">.</span><span class="n">Empty</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 5: Registering the Service </h2> <p>In <code>Program.cs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddHttpClient</span><span class="p">&lt;</span><span class="n">IAiService</span><span class="p">,</span> <span class="n">OllamaService</span><span class="p">&gt;(</span><span class="n">client</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">client</span><span class="p">.</span><span class="n">BaseAddress</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="s">"http://localhost:11434"</span><span class="p">);</span> <span class="n">client</span><span class="p">.</span><span class="n">Timeout</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">2</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Using <code>HttpClientFactory</code> ensures efficient connection management.</p> <h2> Step 6: Building an AI Endpoint </h2> <p>Now expose the AI functionality through a controller.</p> <p>Request model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">AiRequest</span> <span class="p">{</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Prompt</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Controller:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="n">ApiController</span><span class="p">]</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"api/ai"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">AiController</span> <span class="p">:</span> <span class="n">ControllerBase</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IAiService</span> <span class="n">_aiService</span><span class="p">;</span> <span class="k">public</span> <span class="nf">AiController</span><span class="p">(</span><span class="n">IAiService</span> <span class="n">aiService</span><span class="p">)</span> <span class="p">{</span> <span class="n">_aiService</span> <span class="p">=</span> <span class="n">aiService</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="nf">HttpPost</span><span class="p">(</span><span class="s">"generate"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">Generate</span><span class="p">(</span> <span class="n">AiRequest</span> <span class="n">request</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">cancellationToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="nf">IsNullOrWhiteSpace</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">Prompt</span><span class="p">))</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="s">"Prompt is required."</span><span class="p">);</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_aiService</span><span class="p">.</span><span class="nf">GenerateAsync</span><span class="p">(</span> <span class="n">request</span><span class="p">.</span><span class="n">Prompt</span><span class="p">,</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">response</span> <span class="p">=</span> <span class="n">result</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Your ASP.NET Core API now exposes a <strong>local AI-powered endpoint</strong>.</p> <h2> Step 7: Switching Models </h2> <p>One of the nicest things about Ollama is how easy it is to switch between models.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ollama pull mistral ollama pull codellama </code></pre> </div> <p>Then update the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"model"</span>: <span class="s2">"mistral"</span> <span class="o">}</span> </code></pre> </div> <p>In practice, testing a few models usually produces better results than simply choosing the largest one.</p> <h2> Step 8: Improving Performance </h2> <p>Local models can still be resource intensive.</p> <p>A few practical optimizations can help significantly.</p> <p><strong>Use Streaming</strong><br> Streaming responses improves perceived latency for longer outputs.</p> <p><strong>Reduce Prompt Size</strong><br> Large prompts increase inference time.<br> Send only the context that the model truly needs.</p> <p><strong>Cache Repeated Requests</strong><br> If prompts repeat frequently, caching responses can reduce compute usage.</p> <p><strong>Keep Calls Asynchronous</strong><br> Always use async APIs when calling models to keep your backend scalable.</p> <h2> When Local Models Are Not the Best Choice </h2> <p>Local models are powerful, but they are not always the right solution.</p> <p>For example, cloud AI services may still be better when:</p> <ul> <li>you need extremely large models</li> <li>you require massive scaling</li> <li>GPU infrastructure is unavailable</li> <li>inference workloads are very high</li> </ul> <p>In practice, many teams use a <strong>hybrid approach</strong>, combining cloud models and local models depending on the use case.</p> <h2> Final Thoughts </h2> <p>The local AI ecosystem is moving incredibly fast right now.</p> <p>Just a few years ago, running large language models required specialized machine learning environments. Today tools like Ollama make it possible for everyday backend developers to experiment with local LLMs using familiar technologies.</p> <p>From a .NET perspective, integrating Ollama is actually much simpler than it looks at first.</p> <p>Instead of relying entirely on external APIs, you can build AI-powered systems that are:</p> <ul> <li>private</li> <li>cost-efficient</li> <li>low latency</li> <li>fully controlled by your infrastructure</li> </ul> <p>For internal tools, developer assistants, and AI-powered APIs, local models are quickly becoming a practical and powerful alternative to cloud AI services.</p> <h2> A Few Things Worth Remembering </h2> <ul> <li>Ollama makes running local LLMs simple</li> <li>.NET applications can interact with Ollama using HTTP APIs</li> <li>Use a dedicated AI service layer to keep architecture clean</li> <li>Choose models based on your use case, not just size</li> <li>Optimize prompts and responses for better performance</li> </ul> dotnet ai ollama backend alinabi19 Thu, 12 Mar 2026 11:38:04 +0000 https://dev.to/alinabi19/fixing-cors-errors-in-aspnet-core-apis-the-real-reasons-583c https://dev.to/alinabi19/fixing-cors-errors-in-aspnet-core-apis-the-real-reasons-583c <p>If you've worked on APIs for a while, you've probably run into this situation.</p> <p>Your frontend calls your ASP.NET Core API.</p> <p>Everything looks correct.</p> <p>But the browser console suddenly throws this error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Access to fetch at <span class="s1">'https://api.example.com'</span> from origin <span class="s1">'http://localhost:3000'</span> has been blocked by CORS policy </code></pre> </div> <p>So you try the exact same request in Postman.</p> <p>It works perfectly.</p> <p>Now you're confused.</p> <p>You check the API.<br> You check the frontend.<br> Eventually you start adding random CORS settings hoping something finally works.</p> <p>Before long, your <code>Program.cs</code> starts looking like a CORS experiment lab.</p> <p>Almost every backend developer hits this problem at some point.</p> <p>What makes CORS errors frustrating is that:</p> <ul> <li>They only appear in browsers</li> <li>API testing tools like Postman work fine</li> <li>Small configuration mistakes can break everything</li> <li>Middleware order matters in ASP.NET Core</li> </ul> <p>After debugging this issue across multiple APIs, the same root causes show up again and again. Let’s walk through what’s actually happening and how to fix it properly.</p> <h2> What CORS Actually Is (In Simple Terms) </h2> <p>CORS stands for <strong>Cross-Origin Resource Sharing</strong>.</p> <p>Browsers enforce a security rule called the Same-Origin Policy.</p> <p>It means a web page can normally only call APIs from the same origin.</p> <p>An origin is defined as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Protocol + Domain + Port </code></pre> </div> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:3000 https://api.myapp.com https://app.myapp.com </code></pre> </div> <p>Even small differences create a different origin.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:3000 http://localhost:5000 </code></pre> </div> <p>Same machine, different port - still considered <strong>cross-origin</strong>.</p> <p>When a frontend application calls an API on another origin, the browser checks whether the API explicitly allows it.</p> <p>If the response doesn't include the correct CORS headers, <strong>the browser blocks the request</strong>.</p> <p>Important point many developers miss:</p> <p>Your API is usually <strong>not rejecting the request</strong>.<br> The <strong>browser is refusing to expose the response</strong>.</p> <p>This is also why the request works in Postman - Postman doesn't enforce browser security rules.</p> <h2> Why CORS Errors Happen in ASP.NET Core APIs </h2> <p>After debugging CORS issues in several projects, these are the most common causes.</p> <p><strong>Missing CORS middleware</strong><br> CORS support was never enabled in the API.</p> <p><strong>Wrong middleware order</strong><br> CORS middleware must run before endpoints execute.</p> <p><strong>Incorrect origin configuration</strong><br> The frontend origin isn't included in allowed origins.</p> <p><strong>Preflight request failure</strong><br> Browsers sometimes send an <code>OPTIONS</code> request before the real request.</p> <p>If this fails, the real request never happens.</p> <p><strong>Credential configuration mistakes</strong><br> Using cookies or authorization headers incorrectly.</p> <p><strong>Using <code>AllowAnyOrigin()</code> with credentials</strong><br> Browsers block this combination for security reasons.</p> <h2> Step 1: The Correct Way to Enable CORS in ASP.NET Core </h2> <p>CORS configuration starts in <code>Program.cs</code>.</p> <p><strong>Register the CORS policy</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddCors</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddPolicy</span><span class="p">(</span><span class="s">"FrontendPolicy"</span><span class="p">,</span> <span class="n">policy</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">policy</span><span class="p">.</span><span class="nf">WithOrigins</span><span class="p">(</span><span class="s">"http://localhost:3000"</span><span class="p">)</span> <span class="p">.</span><span class="nf">AllowAnyHeader</span><span class="p">()</span> <span class="p">.</span><span class="nf">AllowAnyMethod</span><span class="p">();</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>This creates a <strong>named CORS policy</strong>.</p> <p><strong>Enable the middleware</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseCors</span><span class="p">(</span><span class="s">"FrontendPolicy"</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapControllers</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <p>Now requests from <code>http://localhost:3000</code> will be allowed.</p> <p>A common mistake is <strong>registering CORS but forgetting to enable the middleware.</strong></p> <h2> Step 2: Understanding Preflight Requests (OPTIONS) </h2> <p>Sometimes browsers send a <strong>preflight request</strong> before the real request.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>OPTIONS /api/orders </code></pre> </div> <p>This usually happens when:</p> <p>The request uses custom headers</p> <p>The request method is <code>PUT</code>, <code>PATCH</code>, or <code>DELETE</code></p> <p>Credentials or authorization headers are used</p> <p>The browser is essentially asking:</p> <p>"Is it okay if I send this request?"</p> <p>If the server doesn't respond with the correct CORS headers, the browser blocks the request before the real API call even happens.</p> <p>The good news is that <strong>ASP.NET Core handles preflight requests automatically</strong> when the CORS middleware is configured correctly.</p> <p>You normally don't need to manually implement <code>OPTIONS</code> endpoints.</p> <h2> Step 3: The Most Common CORS Configuration Mistakes </h2> <h3> Mistake 1: Using <code>AllowAnyOrigin()</code> With Credentials </h3> <p>This is extremely common.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">policy</span><span class="p">.</span><span class="nf">AllowAnyOrigin</span><span class="p">()</span> <span class="p">.</span><span class="nf">AllowCredentials</span><span class="p">();</span> </code></pre> </div> <p>This will not work.</p> <p>Browsers block this configuration because allowing credentials from any origin is a security risk.</p> <p>Correct approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">policy</span><span class="p">.</span><span class="nf">WithOrigins</span><span class="p">(</span><span class="s">"https://app.example.com"</span><span class="p">)</span> <span class="p">.</span><span class="nf">AllowCredentials</span><span class="p">()</span> <span class="p">.</span><span class="nf">AllowAnyHeader</span><span class="p">()</span> <span class="p">.</span><span class="nf">AllowAnyMethod</span><span class="p">();</span> </code></pre> </div> <p>Always specify explicit origins when credentials are involved.</p> <h3> Mistake 2: Forgetting to Call <code>UseCors()</code> </h3> <p>Developers often configure CORS but forget to enable the middleware.</p> <p>Wrong:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddCors</span><span class="p">();</span> </code></pre> </div> <p>Correct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseCors</span><span class="p">(</span><span class="s">"FrontendPolicy"</span><span class="p">);</span> </code></pre> </div> <p>Without the middleware, the policy never runs.</p> <h3> Mistake 3: Wrong Middleware Order </h3> <p>Middleware order matters in ASP.NET Core.</p> <p>Correct order:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseRouting</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseCors</span><span class="p">(</span><span class="s">"FrontendPolicy"</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapControllers</span><span class="p">();</span> </code></pre> </div> <p>If CORS runs after endpoints, it won't apply to the response.</p> <h2> Step 4: Handling CORS for Frontend Frameworks </h2> <p>During development, frontend frameworks usually run on different ports.</p> <p>Examples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>React → http://localhost:3000 Vite → http://localhost:5173 Angular → http://localhost:4200 </code></pre> </div> <p>Your CORS policy must allow these origins.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">policy</span><span class="p">.</span><span class="nf">WithOrigins</span><span class="p">(</span> <span class="s">"http://localhost:3000"</span><span class="p">,</span> <span class="s">"http://localhost:5173"</span><span class="p">,</span> <span class="s">"http://localhost:4200"</span> <span class="p">)</span> <span class="p">.</span><span class="nf">AllowAnyHeader</span><span class="p">()</span> <span class="p">.</span><span class="nf">AllowAnyMethod</span><span class="p">();</span> </code></pre> </div> <p>For production environments, you should only allow trusted domains.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://app.mycompany.com </code></pre> </div> <p>Avoid using <code>AllowAnyOrigin()</code> in production APIs.</p> <h2> Step 5: Debugging CORS Errors Like a Pro </h2> <p>When a CORS error appears, guessing usually wastes time. It's better to check a few things first.</p> <p><strong>1. Check the Browser Console</strong><br> Look for errors like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No 'Access-Control-Allow-Origin' header present </code></pre> </div> <p>This means the response didn't include the required CORS headers.</p> <p><strong>2. Inspect the Network Tab</strong><br> Open DevTools and inspect the <code>OPTIONS</code> request.</p> <p>If the preflight request fails, the real request will never be sent.</p> <p><strong>3. Compare Browser vs Postman</strong><br> If Postman works but the browser fails, it's almost always a CORS issue.</p> <p><strong>4. Check Response Headers</strong><br> You can also test the API response headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-I</span> https://api.example.com </code></pre> </div> <p>Look for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Access-Control-Allow-Origin </code></pre> </div> <p>If it's missing, the browser will block the request.</p> <h2> Step 6: Production Best Practices </h2> <p>A few simple practices make CORS configuration easier to manage in real systems.</p> <p><strong>Avoid Hardcoding Origins</strong></p> <p>Instead, load them from configuration.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">allowedOrigins</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span> <span class="p">.</span><span class="nf">GetSection</span><span class="p">(</span><span class="s">"Cors:AllowedOrigins"</span><span class="p">)</span> <span class="p">.</span><span class="n">Get</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">[</span><span class="k">]&gt;</span><span class="p">()</span> <span class="p">??</span> <span class="n">Array</span><span class="p">.</span><span class="n">Empty</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;();</span> <span class="n">policy</span><span class="p">.</span><span class="nf">WithOrigins</span><span class="p">(</span><span class="n">allowedOrigins</span><span class="p">)</span> <span class="p">.</span><span class="nf">AllowAnyHeader</span><span class="p">()</span> <span class="p">.</span><span class="nf">AllowAnyMethod</span><span class="p">();</span> </code></pre> </div> <p>Configuration example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="s">"Cors"</span><span class="p">:</span> <span class="p">{</span> <span class="s">"AllowedOrigins"</span><span class="p">:</span> <span class="p">[</span> <span class="s">"http://localhost:3000"</span><span class="p">,</span> <span class="s">"https://app.mycompany.com"</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This keeps deployments clean across development, staging, and production.</p> <p><strong>Be Aware of Reverse Proxies</strong></p> <p>In production environments your API may sit behind:</p> <ul> <li>Nginx</li> <li>Cloudflare</li> <li>Azure Application Gateway</li> <li>Kubernetes ingress</li> </ul> <p>Sometimes these proxies <strong>strip or override headers</strong>, which can make CORS appear broken even when the API is configured correctly.</p> <p>If CORS works locally but fails in production, checking the proxy configuration is often the next step.</p> <h2> Common Pitfall </h2> <p>One subtle issue happens when the frontend port changes.</p> <p>Example:</p> <p>Frontend running on:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>localhost:5173 </code></pre> </div> <p>But the API only allows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>localhost:3000 </code></pre> </div> <p>Different port = different origin.</p> <p>Even though it's the same machine, the browser treats it as cross-origin.</p> <h2> Quick CORS Debugging Checklist </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>Browser CORS error</td> <td>Missing middleware</td> <td>Add <code>AddCors()</code> and <code>UseCors()</code> </td> </tr> <tr> <td>Preflight request fails</td> <td>OPTIONS blocked</td> <td>Enable CORS policy</td> </tr> <tr> <td>Credentials error</td> <td>Using <code>AllowAnyOrigin()</code> </td> <td>Specify allowed origins</td> </tr> <tr> <td>Works in Postman only</td> <td>Browser enforcing CORS</td> <td>Configure proper headers</td> </tr> <tr> <td>Production requests blocked</td> <td>Missing frontend domain</td> <td>Add production origin</td> </tr> </tbody> </table></div> <h2> Final Thoughts </h2> <p>CORS errors can feel confusing at first because the problem usually shows up far away from the real cause.</p> <p>The key thing to remember is this:</p> <p><strong>Browsers enforce CORS. Your API usually doesn't.</strong></p> <p>Most issues come down to a few predictable causes:</p> <ul> <li>Missing CORS middleware</li> <li>Wrong middleware order</li> <li>Incorrect origin configuration</li> <li>Preflight request failures</li> </ul> <p>Once you understand how browsers handle cross-origin requests and how ASP.NET Core middleware works, debugging CORS becomes much more straightforward.</p> <p>And if you've ever spent hours chasing a CORS error before a deployment, you're definitely not alone.</p> dotnet webdev backend api alinabi19 Thu, 12 Mar 2026 07:43:16 +0000 https://dev.to/alinabi19/building-ai-powered-apis-with-aspnet-core-and-openai-net-8-guide-2nam https://dev.to/alinabi19/building-ai-powered-apis-with-aspnet-core-and-openai-net-8-guide-2nam <p>AI features are slowly becoming part of normal backend work.</p> <p>A few years ago, most APIs were simple CRUD endpoints. They fetched data, updated records, and returned JSON. Today it is common to see requests like:</p> <ul> <li>“Can we add a chatbot endpoint?”</li> <li>“Can the API summarize user feedback?”</li> <li>“Can we classify support tickets automatically?”</li> </ul> <p>At that point your backend suddenly needs to talk to an AI model.</p> <p>If you're already comfortable building APIs with ASP.NET Core, the first instinct is usually simple: just call the OpenAI API from an endpoint and return the result.</p> <p>That works for a quick prototype. But once the system starts growing, a few questions appear pretty quickly:</p> <ul> <li>Where should the AI logic live?</li> <li>Should controllers call OpenAI directly?</li> <li>How do we protect API keys?</li> <li>What happens if the AI call takes several seconds?</li> <li>How do we deal with rate limits or retries?</li> </ul> <p>AI integrations behave like any other <strong>external service dependency</strong> in your backend architecture. Treat them that way and the system stays clean and maintainable.</p> <p>In this article we’ll build a simple <strong>AI-powered API using ASP.NET Core and OpenAI</strong>, while following patterns that hold up well in real applications.</p> <h2> Why Expose AI Through an API </h2> <p>Most production systems expose AI features through backend APIs rather than directly from the frontend.</p> <p>A typical setup might look like this:</p> <ul> <li>A web app calls an endpoint to generate content</li> <li>A mobile app sends text to be summarized</li> <li>An internal tool calls an API for classification</li> </ul> <p>Centralizing AI logic inside your API gives you a few advantages.</p> <p><strong>Security</strong><br> Your OpenAI key stays in the backend. The client never sees it.</p> <p><strong>Reuse</strong><br> Multiple clients (web, mobile, internal tools) can use the same AI capability.</p> <p><strong>Cost control</strong><br> Since AI calls cost money, the API layer can enforce limits and validation.</p> <p><strong>Consistency</strong><br> Prompts, models, and safety rules live in one place.</p> <p>Think of the API as the <strong>gateway between your application and AI services</strong>.</p> <h2> A Simple Architecture That Works Well </h2> <p>When adding AI to a backend, separating responsibilities helps a lot.</p> <p>A typical flow looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client ↓ API Endpoint ↓ AI Service ↓ OpenAI API </code></pre> </div> <p>Each layer does a specific job.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td>API</td> <td>Handles HTTP requests</td> </tr> <tr> <td>Service Layer</td> <td>Contains AI logic</td> </tr> <tr> <td>HTTP Client</td> <td>Calls OpenAI</td> </tr> <tr> <td>Configuration</td> <td>Stores API keys</td> </tr> </tbody> </table></div> <p>A mistake I’ve seen more than once is calling OpenAI <strong>directly inside controllers</strong>.</p> <p>That approach usually leads to:</p> <ul> <li>duplicated logic</li> <li>hard-to-test endpoints</li> <li>messy controllers</li> </ul> <p>Moving AI logic into a service keeps things cleaner and easier to maintain.</p> <h2> Step 1: Create the ASP.NET Core API </h2> <p>Start by creating a standard .NET 8 Web API project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">dotnet</span> <span class="k">new</span> <span class="n">webapi</span> <span class="p">-</span><span class="n">n</span> <span class="n">AiApiDemo</span> </code></pre> </div> <p>ASP.NET Core supports both controllers and Minimal APIs.</p> <p>For simple AI endpoints, <strong>Minimal APIs work nicely</strong> because the code stays compact.</p> <p>Example setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddEndpointsApiExplorer</span><span class="p">();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddSwaggerGen</span><span class="p">();</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwagger</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwaggerUI</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <p>Now we have a basic API ready to host endpoints.</p> <h2> Step 2: Store the OpenAI API Key </h2> <p>Never hardcode API keys directly in code.</p> <p>A simple approach is to store it in configuration.</p> <p><strong>appsettings.json</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">{</span> <span class="s">"OpenAI"</span><span class="p">:</span> <span class="p">{</span> <span class="s">"ApiKey"</span><span class="p">:</span> <span class="s">"YOUR_API_KEY"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>In production environments you would usually use something like:</p> <ul> <li>environment variables</li> <li>Azure Key Vault</li> <li>AWS Secrets Manager</li> </ul> <p>The goal is simple: <strong>keep secrets outside source control</strong>.</p> <h2> Step 3: Register an HTTP Client </h2> <p>ASP.NET Core includes <strong>HttpClientFactory</strong>, which is the recommended way to make HTTP calls.</p> <p>It helps avoid common issues like socket exhaustion and centralizes configuration.</p> <p>Register a typed client in <code>Program.cs</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddHttpClient</span><span class="p">&lt;</span><span class="n">IAiService</span><span class="p">,</span> <span class="n">OpenAiService</span><span class="p">&gt;(</span><span class="n">client</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">client</span><span class="p">.</span><span class="n">BaseAddress</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="s">"https://api.openai.com/"</span><span class="p">);</span> <span class="n">client</span><span class="p">.</span><span class="n">Timeout</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromSeconds</span><span class="p">(</span><span class="m">30</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Typed clients also work well with dependency injection.</p> <h2> Step 4: Create the AI Service </h2> <p>Instead of calling OpenAI from endpoints, create a dedicated service.</p> <p>This keeps the API layer thin and makes the integration easier to test.</p> <p><strong>Service Interface</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">interface</span> <span class="nc">IAiService</span> <span class="p">{</span> <span class="n">Task</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="nf">GenerateResponseAsync</span><span class="p">(</span> <span class="kt">string</span> <span class="n">prompt</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Service Implementation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">OpenAiService</span> <span class="p">:</span> <span class="n">IAiService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">HttpClient</span> <span class="n">_httpClient</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IConfiguration</span> <span class="n">_config</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">ILogger</span><span class="p">&lt;</span><span class="n">OpenAiService</span><span class="p">&gt;</span> <span class="n">_logger</span><span class="p">;</span> <span class="k">public</span> <span class="nf">OpenAiService</span><span class="p">(</span> <span class="n">HttpClient</span> <span class="n">httpClient</span><span class="p">,</span> <span class="n">IConfiguration</span> <span class="n">config</span><span class="p">,</span> <span class="n">ILogger</span><span class="p">&lt;</span><span class="n">OpenAiService</span><span class="p">&gt;</span> <span class="n">logger</span><span class="p">)</span> <span class="p">{</span> <span class="n">_httpClient</span> <span class="p">=</span> <span class="n">httpClient</span><span class="p">;</span> <span class="n">_config</span> <span class="p">=</span> <span class="n">config</span><span class="p">;</span> <span class="n">_logger</span> <span class="p">=</span> <span class="n">logger</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="nf">GenerateResponseAsync</span><span class="p">(</span> <span class="kt">string</span> <span class="n">prompt</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">cancellationToken</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">apiKey</span> <span class="p">=</span> <span class="n">_config</span><span class="p">[</span><span class="s">"OpenAI:ApiKey"</span><span class="p">];</span> <span class="n">_httpClient</span><span class="p">.</span><span class="n">DefaultRequestHeaders</span><span class="p">.</span><span class="n">Authorization</span> <span class="p">=</span> <span class="k">new</span> <span class="n">System</span><span class="p">.</span><span class="n">Net</span><span class="p">.</span><span class="n">Http</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">AuthenticationHeaderValue</span><span class="p">(</span><span class="s">"Bearer"</span><span class="p">,</span> <span class="n">apiKey</span><span class="p">);</span> <span class="kt">var</span> <span class="n">request</span> <span class="p">=</span> <span class="k">new</span> <span class="p">{</span> <span class="n">model</span> <span class="p">=</span> <span class="s">"gpt-4o-mini"</span><span class="p">,</span> <span class="n">input</span> <span class="p">=</span> <span class="n">prompt</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_httpClient</span><span class="p">.</span><span class="nf">PostAsJsonAsync</span><span class="p">(</span> <span class="s">"v1/responses"</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="k">if</span> <span class="p">(!</span><span class="n">response</span><span class="p">.</span><span class="n">IsSuccessStatusCode</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">error</span> <span class="p">=</span> <span class="k">await</span> <span class="n">response</span><span class="p">.</span><span class="n">Content</span><span class="p">.</span><span class="nf">ReadAsStringAsync</span><span class="p">();</span> <span class="n">_logger</span><span class="p">.</span><span class="nf">LogError</span><span class="p">(</span><span class="s">"OpenAI request failed: {Error}"</span><span class="p">,</span> <span class="n">error</span><span class="p">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">ApplicationException</span><span class="p">(</span><span class="s">$"OpenAI request failed: </span><span class="p">{</span><span class="n">error</span><span class="p">}</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">await</span> <span class="n">response</span><span class="p">.</span><span class="n">Content</span><span class="p">.</span><span class="n">ReadFromJsonAsync</span><span class="p">&lt;</span><span class="n">OpenAiResponse</span><span class="p">&gt;(</span><span class="n">cancellationToken</span><span class="p">);</span> <span class="k">return</span> <span class="n">result</span><span class="p">?.</span><span class="n">Output</span><span class="p">[</span><span class="m">0</span><span class="p">].</span><span class="n">Content</span><span class="p">[</span><span class="m">0</span><span class="p">].</span><span class="n">Text</span> <span class="p">??</span> <span class="s">""</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Response Model</strong></p> <p>Using strongly typed models is safer than parsing dynamic JSON.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">OpenAiResponse</span> <span class="p">{</span> <span class="k">public</span> <span class="n">List</span><span class="p">&lt;</span><span class="n">Output</span><span class="p">&gt;</span> <span class="n">Output</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">Output</span> <span class="p">{</span> <span class="k">public</span> <span class="n">List</span><span class="p">&lt;</span><span class="n">Content</span><span class="p">&gt;</span> <span class="n">Content</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">Content</span> <span class="p">{</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Text</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 5: Create an AI Endpoint </h2> <p>Now we expose an endpoint that clients can call.</p> <p>Request model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">ChatRequest</span> <span class="p">{</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Prompt</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Minimal API endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapPost</span><span class="p">(</span><span class="s">"/api/ai/chat"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span> <span class="n">ChatRequest</span> <span class="n">request</span><span class="p">,</span> <span class="n">IAiService</span> <span class="n">aiService</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">cancellationToken</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="nf">IsNullOrWhiteSpace</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">Prompt</span><span class="p">))</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">BadRequest</span><span class="p">(</span><span class="s">"Prompt cannot be empty."</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">Prompt</span><span class="p">.</span><span class="n">Length</span> <span class="p">&gt;</span> <span class="m">2000</span><span class="p">)</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">BadRequest</span><span class="p">(</span><span class="s">"Prompt too large."</span><span class="p">);</span> <span class="kt">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">aiService</span><span class="p">.</span><span class="nf">GenerateResponseAsync</span><span class="p">(</span> <span class="n">request</span><span class="p">.</span><span class="n">Prompt</span><span class="p">,</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">result</span> <span class="p">=</span> <span class="n">response</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Clients can now send prompts and receive AI-generated responses.</p> <h2> Handling Failures and Rate Limits </h2> <p>AI services are external dependencies, so failures are normal.</p> <p>Some common issues include:</p> <ul> <li>network timeouts</li> <li>rate limits (429 responses)</li> <li>temporary service errors</li> </ul> <p>In production systems it’s usually worth adding retry policies.</p> <p>Libraries like <strong>Polly</strong> integrate well with <code>HttpClientFactory</code>.</p> <p>Example retry setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddHttpClient</span><span class="p">&lt;</span><span class="n">IAiService</span><span class="p">,</span> <span class="n">OpenAiService</span><span class="p">&gt;()</span> <span class="p">.</span><span class="nf">AddTransientHttpErrorPolicy</span><span class="p">(</span><span class="n">policy</span> <span class="p">=&gt;</span> <span class="n">policy</span><span class="p">.</span><span class="nf">WaitAndRetryAsync</span><span class="p">(</span><span class="m">3</span><span class="p">,</span> <span class="n">retry</span> <span class="p">=&gt;</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromSeconds</span><span class="p">(</span><span class="n">Math</span><span class="p">.</span><span class="nf">Pow</span><span class="p">(</span><span class="m">2</span><span class="p">,</span> <span class="n">retry</span><span class="p">))));</span> </code></pre> </div> <p>This helps smooth over temporary failures.</p> <h2> A Few Performance Considerations </h2> <p>AI requests are typically slower than database queries.</p> <p>A few small changes can improve responsiveness.</p> <p><strong>Use async calls</strong><br> Blocking threads during AI calls will hurt scalability.</p> <p><strong>Validate prompt size</strong><br> Large prompts increase both latency and cost.</p> <p><strong>Cache repeated responses</strong><br> If users frequently ask the same question, caching results can reduce API calls.</p> <p><strong>Consider streaming responses</strong><br> Streaming works well for chat-style applications where users expect gradual output.</p> <h2> Securing AI Endpoints </h2> <p>AI endpoints can easily become expensive if left unprotected.</p> <p>A few safeguards help prevent abuse.</p> <p><strong>Authentication</strong><br> Use JWT or API keys to restrict access.</p> <p><strong>Rate limiting</strong><br> Limit how frequently a client can call the AI endpoint.</p> <p><strong>Prompt validation</strong><br> Always validate user input before sending it to a model.</p> <h2> One Small Tip That Reduces AI Costs </h2> <p>AI pricing usually depends on the number of tokens processed.</p> <p>Better prompts often produce <strong>better responses with fewer tokens</strong>.</p> <p>Instead of sending large context blocks, try using structured prompts with clear instructions.</p> <p>It improves both response quality and cost efficiency.</p> <h2> Lessons from Building AI APIs </h2> <p>If you're planning to add AI features to your backend, a few patterns make life easier:</p> <ul> <li>Keep AI logic inside a dedicated service layer</li> <li>Treat AI like any other external dependency</li> <li>Add retries, validation, and logging early</li> <li>Protect API keys and enforce usage limits</li> <li>Monitor token usage to avoid unexpected costs</li> </ul> <p>Once the architecture is set up properly, adding new AI capabilities becomes much simpler.</p> <p>Chatbots, summarization, and classification all become just <strong>another API endpoint</strong>.</p> ai dotnet webdev openai alinabi19 Wed, 11 Mar 2026 18:49:24 +0000 https://dev.to/alinabi19/aspnet-core-request-pipeline-explained-what-happens-when-an-api-receives-a-request-7p1 https://dev.to/alinabi19/aspnet-core-request-pipeline-explained-what-happens-when-an-api-receives-a-request-7p1 <p>You send a request to an API endpoint.</p> <p>Milliseconds later, a response comes back.</p> <p>Most of the time, we don’t think much about what happens in between. We write controllers, configure middleware, run the application, and everything works.</p> <p>Until it doesn’t.</p> <p>Maybe authentication suddenly stops working.<br> Maybe a middleware behaves differently than expected.<br> Maybe performance drops under load.<br> Or routing starts sending requests to the wrong endpoint.</p> <p>When that happens, the question becomes unavoidable:</p> <p><strong>What actually happens inside ASP.NET Core when a request hits your API?</strong></p> <p>Understanding the request pipeline is what turns ASP.NET Core from a black box into something you can actually debug and optimize.</p> <p>In this article, we'll walk through the lifecycle of a request in ASP.NET Core—from the moment it reaches your server to the moment the response is sent back.</p> <h2> The Big Picture: The ASP.NET Core Request Flow </h2> <p>If you trace a request from the network all the way to your controller or endpoint, it roughly goes through this path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client ↓ Reverse Proxy (optional) ↓ Kestrel Web Server ↓ ASP.NET Core Hosting Layer ↓ Middleware Pipeline ↓ Endpoint Routing ↓ Endpoint Execution (Controller / Minimal API) ↓ Middleware (Response Flow) ↓ Kestrel ↓ Client Response </code></pre> </div> <p>Each stage gets a chance to process the request before it reaches your application logic.</p> <p>Once you understand this flow, debugging strange behavior becomes much easier.</p> <h2> Step 1: The Request Reaches Kestrel </h2> <p>The first component inside your application that receives the request is <strong>Kestrel</strong>.</p> <p>Kestrel is the default high-performance web server used by ASP.NET Core. Its job is to:</p> <ul> <li>Listen for incoming HTTP requests</li> <li>Parse HTTP messages</li> <li>Forward the request into the ASP.NET Core application pipeline</li> </ul> <p>Kestrel is designed for high throughput and low latency. It uses asynchronous I/O and efficient networking primitives to handle thousands of concurrent connections.</p> <p>In production environments, Kestrel usually sits behind a reverse proxy such as:</p> <ul> <li>Nginx</li> <li>Apache</li> <li>IIS</li> <li>Azure App Service infrastructure</li> </ul> <p>The reverse proxy handles things like TLS termination, load balancing, and security filtering, while <strong>Kestrel still processes the request inside the application.</strong></p> <p>Once Kestrel receives the request, it passes it into the ASP.NET Core pipeline.</p> <h2> Step 2: The ASP.NET Core Hosting Layer </h2> <p>Before the request reaches middleware, ASP.NET Core’s hosting layer has already done some important work.</p> <p>When the application starts, the hosting layer:</p> <ul> <li>Builds the <strong>dependency injection container</strong> </li> <li>Configures <strong>logging</strong> </li> <li>Loads <strong>configuration</strong> </li> <li>Constructs the <strong>middleware pipeline</strong> </li> </ul> <p>This setup happens during application startup in <code>Program.cs</code>.</p> <p>By the time a request arrives, the middleware pipeline has already been assembled and is ready to process incoming requests.</p> <h2> Step 3: The Request Enters the Middleware Pipeline </h2> <p>Most of the interesting work in ASP.NET Core happens inside the <strong>middleware pipeline</strong>.</p> <p>Middleware are small components that can:</p> <ul> <li>Inspect the request</li> <li>Modify the request</li> <li>Stop the request from continuing</li> <li>Pass the request to the next component</li> <li>Modify the response before it leaves</li> </ul> <p>Middleware are configured in <code>Program.cs</code>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">Use</span><span class="p">(</span><span class="k">async</span> <span class="p">(</span><span class="n">context</span><span class="p">,</span> <span class="n">next</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">logger</span> <span class="p">=</span> <span class="n">context</span><span class="p">.</span><span class="n">RequestServices</span> <span class="p">.</span><span class="n">GetRequiredService</span><span class="p">&lt;</span><span class="n">ILoggerFactory</span><span class="p">&gt;()</span> <span class="p">.</span><span class="nf">CreateLogger</span><span class="p">(</span><span class="s">"RequestLogger"</span><span class="p">);</span> <span class="n">logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span><span class="s">"Request started: {Path}"</span><span class="p">,</span> <span class="n">context</span><span class="p">.</span><span class="n">Request</span><span class="p">.</span><span class="n">Path</span><span class="p">);</span> <span class="k">await</span> <span class="nf">next</span><span class="p">();</span> <span class="n">logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span><span class="s">"Response finished with status {StatusCode}"</span><span class="p">,</span> <span class="n">context</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="n">StatusCode</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Here’s what happens during execution:</p> <ol> <li>The request enters the middleware</li> <li>Code before <code>await next()</code> runs</li> <li>The request moves to the next middleware</li> <li>Eventually an endpoint executes</li> <li>The response travels back through middleware</li> <li>Code after <code>await next()</code> runs</li> </ol> <p>This creates a <strong>two-way pipeline</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request → Middleware → Endpoint Response ← Middleware ← Endpoint </code></pre> </div> <p>One thing that surprises many developers when debugging middleware is that responses travel back through the pipeline in reverse order.</p> <h2> Middleware Can Short-Circuit the Pipeline </h2> <p>Middleware can also <strong>stop the pipeline entirely.</strong></p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">Use</span><span class="p">(</span><span class="k">async</span> <span class="p">(</span><span class="n">context</span><span class="p">,</span> <span class="n">next</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(!</span><span class="n">context</span><span class="p">.</span><span class="n">User</span><span class="p">.</span><span class="n">Identity</span><span class="p">?.</span><span class="n">IsAuthenticated</span> <span class="p">??</span> <span class="k">true</span><span class="p">)</span> <span class="p">{</span> <span class="n">context</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="n">StatusCode</span> <span class="p">=</span> <span class="n">StatusCodes</span><span class="p">.</span><span class="n">Status401Unauthorized</span><span class="p">;</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">await</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>In this case, the request never reaches later middleware or the endpoint.</p> <p>This behavior is commonly used for:</p> <ul> <li>authentication checks</li> <li>rate limiting</li> <li>request filtering</li> </ul> <h2> Step 4: Built-in Middleware Components </h2> <p>ASP.NET Core provides several built-in middleware components that most applications rely on.</p> <p>Common examples include:</p> <p><strong>Routing Middleware</strong><br> Determines which endpoint matches the request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseRouting</span><span class="p">();</span> </code></pre> </div> <p><strong>Authentication Middleware</strong><br> Validates the user identity.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> </code></pre> </div> <p><strong>Authorization Middleware</strong><br> Checks whether the authenticated user has permission.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> </code></pre> </div> <p><strong>Exception Handling Middleware</strong><br> Handles unhandled exceptions globally.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseExceptionHandler</span><span class="p">();</span> </code></pre> </div> <p>*<em>Other Common Production Middleware<br> *</em><br> Real-world APIs often include additional middleware such as:</p> <ul> <li>CORS (<code>UseCors</code>)</li> <li>Response compression (<code>UseResponseCompression</code>)</li> <li>HTTPS redirection (<code>UseHttpsRedirection</code>)</li> <li>Rate limiting (<code>UseRateLimiter</code>)</li> </ul> <p>Each middleware adds a delegate to the request pipeline. Individually they’re lightweight, but extremely long middleware chains can introduce small overhead in very high-throughput systems.</p> <h2> Middleware Order Matters </h2> <p>One of the most common sources of bugs in ASP.NET Core applications is <strong>incorrect middleware ordering</strong>.</p> <p>Consider this configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> </code></pre> </div> <p>This breaks authentication because authorization runs before the user identity is established.</p> <p>The correct order is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> </code></pre> </div> <p>When debugging strange authentication behavior, middleware order is often the first thing worth checking.</p> <h2> Step 5: Endpoint Routing </h2> <p>After middleware processing, ASP.NET Core needs to determine <strong>which endpoint should handle the request.</strong></p> <p>This is handled by <strong>endpoint routing.</strong></p> <p>Routing examines:</p> <ul> <li>HTTP method (GET, POST, etc.)</li> <li>request path</li> <li>route parameters</li> </ul> <p>Example Minimal API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/products/{id}"</span><span class="p">,</span> <span class="p">(</span><span class="kt">int</span> <span class="n">id</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Ok</span><span class="p">(</span><span class="s">$"Product </span><span class="p">{</span><span class="n">id</span><span class="p">}</span><span class="s">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>If the request is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">GET</span> <span class="p">/</span><span class="n">products</span><span class="p">/</span><span class="m">10</span> </code></pre> </div> <p>Routing selects this endpoint and prepares it for execution.</p> <p><code>UseRouting()</code> identifies the matching endpoint, while the endpoint delegate itself executes later in the pipeline.</p> <p>ASP.NET Core’s routing system is highly optimized and capable of efficiently matching large numbers of routes.</p> <h2> Step 6: Endpoint Execution </h2> <p>Once routing selects the correct endpoint, ASP.NET Core executes the endpoint logic.</p> <p>This could be:</p> <ul> <li>a controller action</li> <li>a minimal API handler</li> <li>a Razor page</li> <li>a gRPC service</li> </ul> <p>For controller-based APIs, ASP.NET Core performs several additional steps automatically.</p> <h2> Model Binding </h2> <p>ASP.NET Core maps incoming request data into method parameters.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">CreateOrder</span><span class="p">(</span><span class="n">OrderDto</span> <span class="n">order</span><span class="p">)</span> </code></pre> </div> <p>Data can be bound from multiple sources:</p> <ul> <li>request body</li> <li>route values</li> <li>query parameters</li> <li>headers</li> <li>form data</li> </ul> <h2> Validation </h2> <p>If validation attributes are used, ASP.NET Core validates the model automatically.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">OrderDto</span> <span class="p">{</span> <span class="p">[</span><span class="n">Required</span><span class="p">]</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">CustomerEmail</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Invalid models typically produce a <strong>400 Bad Request response</strong>.</p> <h2> Business Logic </h2> <p>This is where your application code runs.</p> <p>Typical tasks include:</p> <ul> <li>database queries</li> <li>calling services</li> <li>performing calculations</li> <li>invoking external APIs</li> </ul> <h2> Returning a Result </h2> <p>The endpoint returns a result such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">order</span><span class="p">);</span> </code></pre> </div> <p>ASP.NET Core then converts this result into an HTTP response.</p> <p>For example:</p> <ul> <li>objects → JSON</li> <li>status codes → HTTP response codes</li> <li>headers → HTTP headers</li> </ul> <h2> Step 7: The Response Travels Back Through Middleware </h2> <p>Once the endpoint finishes execution, the response begins its return journey.</p> <p>The response flows <strong>back through the middleware pipeline in reverse order.</strong></p> <p>This allows middleware to:</p> <ul> <li>modify response headers</li> <li>compress responses</li> <li>log execution time</li> <li>transform output</li> </ul> <p>Finally, the response reaches <strong>Kestrel</strong>, which sends it back to the client.</p> <h2> A Simple Performance Debugging Trick </h2> <p>When diagnosing slow requests, a small timing middleware can quickly identify bottlenecks.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">Use</span><span class="p">(</span><span class="k">async</span> <span class="p">(</span><span class="n">context</span><span class="p">,</span> <span class="n">next</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">stopwatch</span> <span class="p">=</span> <span class="n">Stopwatch</span><span class="p">.</span><span class="nf">StartNew</span><span class="p">();</span> <span class="k">await</span> <span class="nf">next</span><span class="p">();</span> <span class="n">stopwatch</span><span class="p">.</span><span class="nf">Stop</span><span class="p">();</span> <span class="kt">var</span> <span class="n">logger</span> <span class="p">=</span> <span class="n">context</span><span class="p">.</span><span class="n">RequestServices</span> <span class="p">.</span><span class="n">GetRequiredService</span><span class="p">&lt;</span><span class="n">ILoggerFactory</span><span class="p">&gt;()</span> <span class="p">.</span><span class="nf">CreateLogger</span><span class="p">(</span><span class="s">"Performance"</span><span class="p">);</span> <span class="n">logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span><span class="s">"Request completed in {Elapsed} ms"</span><span class="p">,</span> <span class="n">stopwatch</span><span class="p">.</span><span class="n">ElapsedMilliseconds</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>This simple middleware can reveal slow endpoints or middleware components almost instantly.</p> <h2> Visual Summary of the Request Flow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request Flow Summary Client ↓ Kestrel ↓ Middleware Pipeline ↓ Routing ↓ Endpoint Execution ↓ Middleware (response) ↓ Client </code></pre> </div> <h2> Key Takeaways </h2> <p>ASP.NET Core processes requests through a <strong>middleware pipeline</strong></p> <p>Kestrel is the <strong>web server that receives HTTP requests</strong></p> <p>Middleware can <strong>inspect, modify, or terminate requests</strong></p> <p>Middleware order <strong>directly affects application behavior</strong></p> <p>Endpoint routing determines <strong>which API logic executes</strong></p> <p>Responses travel back through the <strong>same middleware pipeline</strong></p> <p>Once you understand this flow, ASP.NET Core stops feeling like a black box. Debugging becomes easier, middleware behavior makes more sense, and performance issues are much easier to track down.</p> <p><strong>Have you ever spent hours debugging an ASP.NET Core API only to realize the issue was caused by middleware order?</strong></p> api architecture backend dotnet alinabi19 Wed, 11 Mar 2026 09:53:21 +0000 https://dev.to/alinabi19/10-aspnet-core-api-performance-mistakes-that-hurt-scalability-5h04 https://dev.to/alinabi19/10-aspnet-core-api-performance-mistakes-that-hurt-scalability-5h04 <p>ASP.NET Core is one of the fastest web frameworks available today.</p> <p>Benchmarks regularly show it outperforming many other platforms. Yet in real production systems, I’ve seen ASP.NET Core APIs struggle under load — even when the infrastructure was solid.</p> <p>Response times that were <strong>50–100ms during development suddenly climb to 800ms or more</strong> in production. CPU usage spikes, database calls slow down, and suddenly everyone is asking the same question:</p> <p><strong>“Why is our API so slow?”</strong><br> In most cases, the problem isn’t ASP.NET Core.</p> <p>It’s small design decisions made during development that quietly add overhead over time.</p> <p>Things like:</p> <ul> <li>Returning too much data</li> <li>Inefficient database queries</li> <li>Blocking threads</li> <li>Missing caching</li> <li>Large payloads</li> </ul> <p>Individually these issues may seem harmless. Combined, they can dramatically reduce API performance and scalability.</p> <p>After working on several production APIs, I’ve noticed the same performance issues appear again and again.</p> <p>Let’s walk through <strong>10 of the most common mistakes developers make when building ASP.NET Core APIs - and how to fix them.</strong></p> <h2> Why API Performance Matters </h2> <p>API performance affects far more than just response time.</p> <p>Slow APIs lead to:</p> <ul> <li>Higher CPU and memory consumption</li> <li>Increased cloud infrastructure costs</li> <li>Poor scalability under load</li> <li>Frustrated users waiting for responses</li> </ul> <p>A well-designed ASP.NET Core API can handle thousands of requests per second with minimal infrastructure.</p> <p>But that only happens when performance is considered early in the design.</p> <h2> 1. Returning Too Much Data </h2> <p>One of the most common API performance issues is <strong>returning entire database entities instead of only the fields needed by the client.</strong></p> <p>Large payloads increase:</p> <ul> <li>serialization time</li> <li>network transfer time</li> <li>client parsing time</li> </ul> <p><strong>Bad Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/users"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="n">AppDbContext</span> <span class="n">db</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">Users</span><span class="p">.</span><span class="nf">ToListAsync</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>If your <code>User</code> table has 20 columns but the frontend only needs four, you're wasting bandwidth and compute.</p> <h2> Better Approach: Use DTO Projection </h2> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/users"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="n">AppDbContext</span> <span class="n">db</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">ct</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">Users</span> <span class="p">.</span><span class="nf">AsNoTracking</span><span class="p">()</span> <span class="p">.</span><span class="nf">Select</span><span class="p">(</span><span class="n">u</span> <span class="p">=&gt;</span> <span class="k">new</span> <span class="n">UserDto</span> <span class="p">{</span> <span class="n">Id</span> <span class="p">=</span> <span class="n">u</span><span class="p">.</span><span class="n">Id</span><span class="p">,</span> <span class="n">Name</span> <span class="p">=</span> <span class="n">u</span><span class="p">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">Email</span> <span class="p">=</span> <span class="n">u</span><span class="p">.</span><span class="n">Email</span> <span class="p">})</span> <span class="p">.</span><span class="nf">ToListAsync</span><span class="p">(</span><span class="n">ct</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Benefits:</p> <ul> <li>smaller SQL queries</li> <li>less memory usage</li> <li>faster serialization</li> <li>smaller responses</li> </ul> <p>This simple change can reduce payload sizes dramatically.</p> <h2> 2. Blocking Threads Instead of Using Async </h2> <p>ASP.NET Core is designed for <strong>asynchronous I/O.</strong></p> <p>When database calls or external requests are made synchronously, threads become blocked while waiting for results.</p> <p><strong>Blocking Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">users</span> <span class="p">=</span> <span class="n">db</span><span class="p">.</span><span class="n">Users</span><span class="p">.</span><span class="nf">ToList</span><span class="p">();</span> </code></pre> </div> <p>Under load, blocked threads reduce throughput and can cause <strong>thread pool starvation.</strong></p> <p><strong>Correct Approach</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">users</span> <span class="p">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">Users</span><span class="p">.</span><span class="nf">ToListAsync</span><span class="p">(</span><span class="n">ct</span><span class="p">);</span> </code></pre> </div> <p>Async operations allow ASP.NET Core to:</p> <ul> <li>free threads while waiting for I/O</li> <li>handle more concurrent requests</li> <li>scale efficiently</li> </ul> <p>A common mistake I still see in production code is calling <code>.Result</code> or <code>.Wait()</code>. These should almost always be avoided in ASP.NET Core APIs.</p> <h2> 3. Inefficient Database Queries </h2> <p>In most real-world APIs, <strong>the database is the primary performance bottleneck.</strong></p> <p>Common issues include:</p> <ul> <li>N+1 queries</li> <li>missing indexes</li> <li>unnecessary joins</li> <li>over-fetching data</li> </ul> <p><strong>N+1 Query Problem</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">orders</span> <span class="p">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">Orders</span><span class="p">.</span><span class="nf">ToListAsync</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="kt">var</span> <span class="n">order</span> <span class="k">in</span> <span class="n">orders</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">items</span> <span class="p">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">OrderItems</span> <span class="p">.</span><span class="nf">Where</span><span class="p">(</span><span class="n">i</span> <span class="p">=&gt;</span> <span class="n">i</span><span class="p">.</span><span class="n">OrderId</span> <span class="p">==</span> <span class="n">order</span><span class="p">.</span><span class="n">Id</span><span class="p">)</span> <span class="p">.</span><span class="nf">ToListAsync</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>If there are 100 orders, this produces <strong>101 database queries.</strong></p> <p><strong>Better Approach</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">orders</span> <span class="p">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">Orders</span> <span class="p">.</span><span class="nf">Include</span><span class="p">(</span><span class="n">o</span> <span class="p">=&gt;</span> <span class="n">o</span><span class="p">.</span><span class="n">Items</span><span class="p">)</span> <span class="p">.</span><span class="nf">AsNoTracking</span><span class="p">()</span> <span class="p">.</span><span class="nf">ToListAsync</span><span class="p">(</span><span class="n">ct</span><span class="p">);</span> </code></pre> </div> <p>Always review your generated SQL queries. Small EF query mistakes can cause massive database load.</p> <h2> 4. Ignoring Caching </h2> <p>If the same data is requested repeatedly, hitting the database every time is wasteful.</p> <p>Caching can reduce response times dramatically.</p> <p><strong>In-Memory Cache Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/products"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span> <span class="n">AppDbContext</span> <span class="n">db</span><span class="p">,</span> <span class="n">IMemoryCache</span> <span class="n">cache</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">ct</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(!</span><span class="n">cache</span><span class="p">.</span><span class="nf">TryGetValue</span><span class="p">(</span><span class="s">"products"</span><span class="p">,</span> <span class="k">out</span> <span class="n">List</span><span class="p">&lt;</span><span class="n">Product</span><span class="p">&gt;</span> <span class="n">products</span><span class="p">))</span> <span class="p">{</span> <span class="n">products</span> <span class="p">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">Products</span> <span class="p">.</span><span class="nf">AsNoTracking</span><span class="p">()</span> <span class="p">.</span><span class="nf">ToListAsync</span><span class="p">(</span><span class="n">ct</span><span class="p">);</span> <span class="n">cache</span><span class="p">.</span><span class="nf">Set</span><span class="p">(</span><span class="s">"products"</span><span class="p">,</span> <span class="n">products</span><span class="p">,</span> <span class="k">new</span> <span class="n">MemoryCacheEntryOptions</span> <span class="p">{</span> <span class="n">AbsoluteExpirationRelativeToNow</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">5</span><span class="p">),</span> <span class="n">SlidingExpiration</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">2</span><span class="p">)</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="n">products</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p>Caching is particularly effective for:</p> <ul> <li>configuration data</li> <li>product catalogs</li> <li>reference tables</li> </ul> <p>For multi-instance deployments, a <strong>distributed cache like Redis</strong> is usually a better choice.</p> <h2> 5. Missing Pagination on Large Endpoints </h2> <p>Returning thousands of rows in a single API response can create serious performance issues.</p> <p>Problems include:</p> <ul> <li>large payload sizes</li> <li>high memory consumption</li> <li>slow serialization</li> </ul> <p><strong>Proper Pagination</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/orders"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span> <span class="n">AppDbContext</span> <span class="n">db</span><span class="p">,</span> <span class="kt">int</span> <span class="n">page</span> <span class="p">=</span> <span class="m">1</span><span class="p">,</span> <span class="kt">int</span> <span class="n">pageSize</span> <span class="p">=</span> <span class="m">20</span><span class="p">,</span> <span class="n">CancellationToken</span> <span class="n">ct</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">pageSize</span> <span class="p">=</span> <span class="n">Math</span><span class="p">.</span><span class="nf">Min</span><span class="p">(</span><span class="n">pageSize</span><span class="p">,</span> <span class="m">100</span><span class="p">);</span> <span class="k">return</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">Orders</span> <span class="p">.</span><span class="nf">AsNoTracking</span><span class="p">()</span> <span class="p">.</span><span class="nf">Skip</span><span class="p">((</span><span class="n">page</span> <span class="p">-</span> <span class="m">1</span><span class="p">)</span> <span class="p">*</span> <span class="n">pageSize</span><span class="p">)</span> <span class="p">.</span><span class="nf">Take</span><span class="p">(</span><span class="n">pageSize</span><span class="p">)</span> <span class="p">.</span><span class="nf">ToListAsync</span><span class="p">(</span><span class="n">ct</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Always enforce a <strong>maximum page size</strong> to prevent abuse.</p> <h2> 6. Overloading the Middleware Pipeline </h2> <p>Middleware runs on <strong>every request</strong>, so unnecessary middleware can add latency.</p> <p>Common mistakes include:</p> <ul> <li>heavy logging middleware</li> <li>redundant request parsing</li> <li>complex logic inside middleware</li> </ul> <p>A clean pipeline might look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseRouting</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> </code></pre> </div> <p>Each additional middleware adds overhead, so keep the pipeline intentional and minimal.</p> <h2> 7. Not Using Response Compression </h2> <p>Large JSON responses can significantly increase network latency.</p> <p>ASP.NET Core provides built-in response compression.</p> <p><strong>Enable Compression</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddResponseCompression</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseResponseCompression</span><span class="p">();</span> </code></pre> </div> <p>Compression is especially helpful for:</p> <ul> <li>large JSON responses</li> <li>mobile networks</li> <li>APIs returning lists or datasets</li> </ul> <h2> 8. Excessive Logging in Production </h2> <p>Logging is essential, but logging too much can hurt performance.</p> <p>Common mistakes include:</p> <ul> <li>logging entire request bodies</li> <li>debug-level logs in production</li> <li>logging inside loops</li> </ul> <p><strong>Better Logging Approach</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span> <span class="s">"Order created for user {UserId}"</span><span class="p">,</span> <span class="n">userId</span> <span class="p">);</span> </code></pre> </div> <p>Structured logging keeps logs useful while minimizing overhead.</p> <h2> 9. Mismanaging Database Connections </h2> <p>Creating database connections is expensive, which is why <strong>connection pooling exists.</strong></p> <p>However, performance issues still occur when:</p> <p>DbContext lifetimes are misconfigured</p> <p>long-running queries hold connections</p> <p>transactions stay open too long</p> <p>Best practices:</p> <p>use <code>DbContext</code> with <strong>scoped lifetime</strong></p> <p>avoid long transactions</p> <p>keep queries efficient</p> <h2> 10. Skipping Load Testing </h2> <p>Many APIs perform well during development but fail under real traffic.</p> <p>Performance problems often appear only when:</p> <ul> <li>hundreds of requests run concurrently</li> <li>database contention increases</li> <li>thread pools become saturated</li> </ul> <p>Good load testing tools include:</p> <ul> <li>k6</li> <li>Apache JMeter</li> <li>NBomber</li> <li>Azure Load Testing</li> </ul> <p>Testing under realistic traffic conditions helps reveal bottlenecks before production users experience them.</p> <h2> Pro Tip: Measure Before Optimizing </h2> <p>Optimization without measurement is mostly guesswork.</p> <p>Useful performance tools include:</p> <ul> <li>MiniProfiler</li> <li>Application Insights</li> <li>OpenTelemetry</li> </ul> <p>These tools help identify the <strong>real bottleneck</strong> instead of optimizing blindly.</p> <h2> A Common Performance Trap </h2> <p>One mistake I frequently see is developers trying to optimize application code first while ignoring the database.</p> <p>In many real systems, <strong>database queries account for 70–90% of total API response time.</strong></p> <p>Start your investigation there.</p> <h2> Key Takeaways </h2> <p>To keep ASP.NET Core APIs fast and scalable:</p> <ul> <li>Return only the data clients actually need</li> <li>Use asynchronous I/O consistently</li> <li>Optimize database queries early</li> <li>Cache frequently requested data</li> <li>Implement pagination on large endpoints</li> <li>Keep middleware pipelines lean</li> <li>Enable response compression</li> <li>Avoid excessive logging in production</li> <li>Use proper DbContext lifetimes</li> <li>Load test before production traffic</li> </ul> <p>Performance rarely comes from one big optimization.</p> <p>It usually comes from <strong>avoiding dozens of small mistakes that accumulate over time.</strong></p> <p>If you're building high-traffic APIs, these small decisions can make the difference between an API that struggles under load and one that scales effortlessly.</p> dotnet aspnetcore webapi performance alinabi19 Wed, 04 Mar 2026 08:24:57 +0000 https://dev.to/alinabi19/aspnet-core-caching-explained-in-memory-redis-and-response-caching-for-high-performance-apis-hm3 https://dev.to/alinabi19/aspnet-core-caching-explained-in-memory-redis-and-response-caching-for-high-performance-apis-hm3 <p>Modern APIs rarely fail because of logic.<br> They fail because of <strong>performance</strong>.</p> <p>Picture this.</p> <p>You deploy a clean ASP.NET Core API. Everything works perfectly during testing. But once real traffic arrives, things start getting ugly:</p> <ul> <li>Database CPU spikes</li> <li>Queries that took <strong>30 ms</strong> now take <strong>600 ms</strong> </li> <li>Your API latency slowly creeps past <strong>1 second</strong> </li> </ul> <p>The problem usually isn’t the database itself.</p> <p>It’s that your API is <strong>doing the same expensive work repeatedly.</strong></p> <p>The same product list.<br> The same configuration settings.<br> The same reference data.</p> <p>Over and over again.</p> <p>This is where <strong>caching</strong> becomes one of the most powerful tools in backend engineering.</p> <p>Yet many developers either:</p> <ul> <li>Avoid caching because it feels complicated</li> <li>Or implement it incorrectly and create stale data bugs</li> </ul> <p>In this guide, you'll learn <strong>how caching actually works in ASP.NET Core,</strong> when to use each type, and how to implement it properly in production APIs.</p> <p>By the end, you'll know how to:</p> <ul> <li>Improve API performance dramatically</li> <li>Reduce database load</li> <li>Build APIs that scale without infrastructure explosions</li> </ul> <p>Let’s start with the fundamentals.</p> <h2> Why API Performance Matters </h2> <p>API performance directly impacts:</p> <p><strong>- User experience</strong><br> <strong>- Infrastructure cost</strong><br> <strong>- Scalability</strong><br> <strong>- System stability</strong></p> <p>Consider this example:</p> <p>Without caching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10,000 requests/min → Each request hits the database → 10,000 database queries/min </code></pre> </div> <p>With caching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10,000 requests/min → Only 200 database queries → Remaining requests served from cache </code></pre> </div> <p>The result:</p> <ul> <li>Faster responses</li> <li>Lower DB load</li> <li>Better scalability</li> </ul> <p>Caching is often the <strong>highest ROI optimization</strong> you can implement.</p> <h2> What Is Caching </h2> <p>Caching means <strong>storing expensive data temporarily so it can be reused.</strong></p> <p>Instead of recomputing or querying the database repeatedly, the API retrieves the result from a <strong>fast storage layer.</strong></p> <p>Typical cache flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request arrives ↓ Check Cache ↓ Cache Hit → return data immediately Cache Miss → fetch from DB → store in cache → return </code></pre> </div> <p>The key idea:</p> <blockquote> <p>Cache the <strong>result of expensive operations</strong>, not everything.</p> </blockquote> <h2> Types of Caching in ASP.NET Core </h2> <p>ASP.NET Core provides several caching mechanisms:</p> <p><strong>1. In-Memory Caching</strong><br> <strong>2. Distributed Caching</strong><br> <strong>3. Response Caching</strong></p> <p>Each solves a different problem.</p> <p><strong>In-Memory Caching</strong></p> <p>In-memory caching stores data <strong>inside the application server's memory.</strong></p> <p>It is:</p> <ul> <li>Extremely fast</li> <li>Easy to implement</li> <li>Best for <strong>single-instance APIs</strong> </li> </ul> <p>However, it has a limitation.</p> <p>If you run multiple API instances (load balancing), each instance has its <strong>own separate cache.</strong></p> <p>Use cases:</p> <ul> <li>Product catalogs</li> <li>Configuration values</li> <li>Reference data</li> </ul> <p><strong>Distributed Caching (Redis / SQL Server)</strong></p> <p>Distributed caching stores data in <strong>external cache systems</strong> like:</p> <ul> <li>Redis</li> <li>SQL Server</li> <li>NCache</li> </ul> <p>All application instances share the same cache.</p> <p>Benefits:</p> <ul> <li>Works with <strong>multiple API instances</strong> </li> <li>Ideal for <strong>cloud and microservices architectures</strong> </li> <li>Handles large-scale traffic</li> </ul> <p>This is the <strong>standard choice for production systems.</strong></p> <p><strong>Response Caching</strong></p> <p>Response caching stores <strong>entire HTTP responses.</strong></p> <p>Instead of executing the controller again, ASP.NET Core returns the <strong>cached HTTP response.</strong></p> <p>This is useful for:</p> <ul> <li>Public APIs</li> <li>GET endpoints</li> <li>Static data endpoints</li> </ul> <p>However, it only works when responses are <strong>safe to cache.</strong></p> <h2> When to Use Each Type </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th><strong>Cache Type</strong></th> <th><strong>Best Use Case</strong></th> <th><strong>Speed</strong></th> <th><strong>Scalability</strong></th> </tr> </thead> <tbody> <tr> <td>In-Memory Cache</td> <td>Single instance apps</td> <td>Very fast</td> <td>Low</td> </tr> <tr> <td>Distributed Cache</td> <td>Multi-server production APIs</td> <td>Fast</td> <td>High</td> </tr> <tr> <td>Response Cache</td> <td>Cache entire HTTP responses</td> <td>Very fast</td> <td>Medium</td> </tr> </tbody> </table></div> <p>Rule of thumb:</p> <ul> <li>Small apps → <strong>In-Memory</strong> </li> <li>Scalable APIs → <strong>Redis Distributed Cache</strong> </li> <li>Static GET responses → <strong>Response Caching</strong> </li> </ul> <h2> Step-by-Step Implementation </h2> <p>Let's implement each caching strategy.</p> <h2> In-Memory Cache Example </h2> <p>First, register the memory cache service.</p> <p><strong>Program.cs (.NET 8)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddMemoryCache</span><span class="p">();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddControllers</span><span class="p">();</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapControllers</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <p><strong>Using IMemoryCache</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="n">ApiController</span><span class="p">]</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"api/products"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">ProductsController</span> <span class="p">:</span> <span class="n">ControllerBase</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IMemoryCache</span> <span class="n">_cache</span><span class="p">;</span> <span class="k">public</span> <span class="nf">ProductsController</span><span class="p">(</span><span class="n">IMemoryCache</span> <span class="n">cache</span><span class="p">)</span> <span class="p">{</span> <span class="n">_cache</span> <span class="p">=</span> <span class="n">cache</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">GetProducts</span><span class="p">()</span> <span class="p">{</span> <span class="k">const</span> <span class="kt">string</span> <span class="n">cacheKey</span> <span class="p">=</span> <span class="s">"product_list"</span><span class="p">;</span> <span class="k">if</span> <span class="p">(!</span><span class="n">_cache</span><span class="p">.</span><span class="nf">TryGetValue</span><span class="p">(</span><span class="n">cacheKey</span><span class="p">,</span> <span class="k">out</span> <span class="n">List</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="n">products</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Simulate expensive DB call</span> <span class="k">await</span> <span class="n">Task</span><span class="p">.</span><span class="nf">Delay</span><span class="p">(</span><span class="m">500</span><span class="p">);</span> <span class="n">products</span> <span class="p">=</span> <span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="p">{</span> <span class="s">"Laptop"</span><span class="p">,</span> <span class="s">"Keyboard"</span><span class="p">,</span> <span class="s">"Mouse"</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">cacheOptions</span> <span class="p">=</span> <span class="k">new</span> <span class="n">MemoryCacheEntryOptions</span> <span class="p">{</span> <span class="n">AbsoluteExpirationRelativeToNow</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">10</span><span class="p">),</span> <span class="n">SlidingExpiration</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">2</span><span class="p">)</span> <span class="p">};</span> <span class="n">_cache</span><span class="p">.</span><span class="nf">Set</span><span class="p">(</span><span class="n">cacheKey</span><span class="p">,</span> <span class="n">products</span><span class="p">,</span> <span class="n">cacheOptions</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">products</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Expiration Strategies</strong></p> <p><strong>Absolute Expiration</strong></p> <p>Cache expires after a fixed time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">AbsoluteExpirationRelativeToNow</span> <span class="p">=</span> <span class="m">10</span> <span class="n">minutes</span> </code></pre> </div> <p><strong>Sliding Expiration</strong></p> <p>Expiration resets every time the cache is accessed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">SlidingExpiration</span> <span class="p">=</span> <span class="m">2</span> <span class="n">minutes</span> </code></pre> </div> <p>Combining both prevents stale data.</p> <h2> Cache Invalidation Example </h2> <p>Cache invalidation is crucial when data changes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">AddProduct</span><span class="p">(</span><span class="kt">string</span> <span class="n">name</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Save to database</span> <span class="n">_cache</span><span class="p">.</span><span class="nf">Remove</span><span class="p">(</span><span class="s">"product_list"</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>This ensures fresh data is fetched on the next request.</p> <h2> Redis Distributed Cache Example </h2> <p>First install the package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">Microsoft</span><span class="p">.</span><span class="n">Extensions</span><span class="p">.</span><span class="n">Caching</span><span class="p">.</span><span class="n">StackExchangeRedis</span> </code></pre> </div> <p><strong>Configure Redis</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddStackExchangeRedisCache</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">Configuration</span> <span class="p">=</span> <span class="s">"localhost:6379"</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">InstanceName</span> <span class="p">=</span> <span class="s">"MyApiCache"</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p><strong>Using IDistributedCache</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">ProductsController</span> <span class="p">:</span> <span class="n">ControllerBase</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IDistributedCache</span> <span class="n">_cache</span><span class="p">;</span> <span class="k">public</span> <span class="nf">ProductsController</span><span class="p">(</span><span class="n">IDistributedCache</span> <span class="n">cache</span><span class="p">)</span> <span class="p">{</span> <span class="n">_cache</span> <span class="p">=</span> <span class="n">cache</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="nf">HttpGet</span><span class="p">(</span><span class="s">"redis"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">GetProductsRedis</span><span class="p">()</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">cacheKey</span> <span class="p">=</span> <span class="s">"products"</span><span class="p">;</span> <span class="kt">var</span> <span class="n">cachedData</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_cache</span><span class="p">.</span><span class="nf">GetStringAsync</span><span class="p">(</span><span class="n">cacheKey</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">cachedData</span> <span class="p">!=</span> <span class="k">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">JsonSerializer</span><span class="p">.</span><span class="n">Deserialize</span><span class="p">&lt;</span><span class="n">List</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;&gt;(</span><span class="n">cachedData</span><span class="p">));</span> <span class="p">}</span> <span class="kt">var</span> <span class="n">products</span> <span class="p">=</span> <span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="p">{</span> <span class="s">"Laptop"</span><span class="p">,</span> <span class="s">"Keyboard"</span><span class="p">,</span> <span class="s">"Mouse"</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">options</span> <span class="p">=</span> <span class="k">new</span> <span class="n">DistributedCacheEntryOptions</span> <span class="p">{</span> <span class="n">AbsoluteExpirationRelativeToNow</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">15</span><span class="p">)</span> <span class="p">};</span> <span class="k">await</span> <span class="n">_cache</span><span class="p">.</span><span class="nf">SetStringAsync</span><span class="p">(</span> <span class="n">cacheKey</span><span class="p">,</span> <span class="n">JsonSerializer</span><span class="p">.</span><span class="nf">Serialize</span><span class="p">(</span><span class="n">products</span><span class="p">),</span> <span class="n">options</span> <span class="p">);</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">products</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now <strong>all API instances share the same cache.</strong></p> <h2> Response Caching Example </h2> <p>First enable response caching.</p> <p><strong>Program.cs</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddResponseCaching</span><span class="p">();</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseResponseCaching</span><span class="p">();</span> </code></pre> </div> <p><strong>Controller Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="nf">HttpGet</span><span class="p">(</span><span class="s">"catalog"</span><span class="p">)]</span> <span class="p">[</span><span class="nf">ResponseCache</span><span class="p">(</span><span class="n">Duration</span> <span class="p">=</span> <span class="m">60</span><span class="p">)]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">GetCatalog</span><span class="p">()</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">data</span> <span class="p">=</span> <span class="k">new</span> <span class="p">{</span> <span class="n">Message</span> <span class="p">=</span> <span class="s">"Cached Response"</span><span class="p">,</span> <span class="n">Time</span> <span class="p">=</span> <span class="n">DateTime</span><span class="p">.</span><span class="n">UtcNow</span> <span class="p">};</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">data</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Now responses are cached for <strong>60 seconds</strong>.</p> <h2> Production Insight: Cache Stampede </h2> <p>A common issue in high-traffic systems is <strong>cache stampede.</strong></p> <p>When a cache entry expires, many concurrent requests may attempt to recompute the same value simultaneously.</p> <p>This can overwhelm your database.</p> <p>Typical mitigation strategies include:</p> <ul> <li>Using <strong>SemaphoreSlim locking</strong> </li> <li>Using <code>Lazy&lt;T&gt;</code> caching</li> <li>Refreshing cache <strong>in the background</strong> </li> <li>Using <strong>stale-while-revalidate patterns</strong> </li> </ul> <p>Without protection, a popular endpoint can trigger thousands of database queries the moment a cache expires.</p> <h2> Real-World Use Cases </h2> <p>Caching shines in scenarios like:</p> <p><strong>Product catalog APIs</strong></p> <p>Product data changes rarely but is requested constantly.</p> <p><strong>Configuration endpoints</strong></p> <p>Feature flags, settings, metadata.</p> <p><strong>Dashboard APIs</strong></p> <p>Expensive aggregations or analytics queries.</p> <p><strong>Reference data</strong></p> <p>Countries, currencies, categories.</p> <h2> Common Mistakes Developers Make </h2> <p><strong>Caching everything</strong></p> <p>Not all data should be cached. Only cache expensive operations.</p> <p><strong>Forgetting cache invalidation</strong></p> <p>Stale data bugs happen when cache isn't cleared after updates.</p> <p><strong>Using in-memory cache in scaled systems</strong></p> <p>Multiple servers = multiple caches = inconsistent data.</p> <p><strong>Using very long expiration times</strong></p> <p>Leads to stale responses.</p> <h2> Performance &amp; Scalability Considerations </h2> <p>When designing caching strategies:</p> <p>Think about:</p> <p><strong>- Cache eviction policies</strong><br> <strong>- Memory consumption</strong><br> <strong>- Cache hit ratio</strong><br> <strong>- Invalidation strategy</strong></p> <p>Monitor:</p> <ul> <li>Cache hits vs misses</li> <li>Redis latency</li> <li>Database query reductions</li> </ul> <p>A good cache system should <strong>dramatically reduce database load.</strong></p> <h2> Best Practices for Production APIs </h2> <p>Follow these principles:</p> <ul> <li>Cache <strong>read-heavy endpoints</strong> </li> <li>Use <strong>Redis for distributed systems</strong> </li> <li>Always define <strong>expiration policies</strong> </li> <li>Implement <strong>cache invalidation</strong> </li> <li>Monitor cache performance</li> </ul> <h2> Pro Tip </h2> <p>Cache <strong>DTO results</strong>, not raw entities.</p> <p>This avoids serialization overhead and prevents accidental cache mutation.</p> <h2> Common Pitfall </h2> <p>Never cache <strong>user-specific data globally</strong>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">GET</span> <span class="p">/</span><span class="n">api</span><span class="p">/</span><span class="n">orders</span> </code></pre> </div> <p>If cached improperly, users might receive <strong>other users’ data.</strong></p> <p>Always include <strong>user context in cache keys</strong> when needed.</p> <h2> Why Caching Is a Game Changer for APIs </h2> <p>Caching is one of the <strong>simplest ways to improve API performance.</strong></p> <p>A well-designed caching layer can:</p> <ul> <li>Reduce database load dramatically</li> <li>Improve API latency</li> <li>Increase scalability</li> </ul> <p>And the best part?</p> <p>You often get <strong>10x performance improvements with minimal code changes.</strong></p> <p>Start simple:</p> <ul> <li>Add <strong>in-memory caching</strong> </li> <li>Move to <strong>Redis when scaling</strong> </li> <li>Use <strong>response caching for public endpoints</strong> </li> </ul> <p>Small optimizations like these are what separate <strong>average APIs from high-performance systems.</strong></p> <h2> Quick Recap </h2> <ul> <li>Caching reduces repeated expensive operations</li> <li>ASP.NET Core supports <strong>multiple caching strategies</strong> </li> <li>Redis enables <strong>scalable distributed caching</strong> </li> <li>Cache invalidation is critical</li> <li>Always implement <strong>expiration policies</strong> </li> </ul> <h2> One Question for You </h2> <p>What caching strategy are you currently using<br> in your ASP.NET Core APIs?</p> <p>In-memory? Redis? Something else?</p> <p>I'd love to hear your experience.</p> dotnet webdev backend performance