A One-Click Solution to Build ASP.NET Core Web / HTTP / REST API Services

Interoperability Powered by OData & Swagger / OpenAPI

The Solution Wizard scaffolds a Web API Service with integrated authorization & CRUD operations powered by EF Core and our XPO ORM library. You can use OAuth2, JWT or custom strategies for authentication alongside tools like Postman or Swagger for API testing. The built-in security system also filters out secured server data based on permissions granted to users. Basic functions of our Web API Service are available for free.

Additional services/benefits of our Web API Service ship as part of the DevExpress Universal Subscription and include:

  • Technical support and full source code
  • XAF's administrative UI to manage users and roles at runtime using WinForms, WebForms, and Blazor apps
  • Localization functions (endpoints to obtain localized captions for classes, members, and custom UI elements)
  • Advanced/enterprise functions such as audit trail, endpoints to download reports, file attachments, check validation, etc.


Mario Blatarić

Logon Ltd.

I have a new, rather big project and I decided to give Web API services a serious go (for a mobile app with GIS functionality). It turned out to be a serious time saver with the ability to reuse the entire data model and security. Before, I would have to write a new project, replicate and constantly maintain the data structure, deal with security and so on. Web API Services are just a natural fit for XAF Blazor, I really like it.

Demo Apps

Minimal dependencies. Your existing ORM knowledge. Secured apps in 3 steps.

Step 1

Reference a few XAF core assemblies from DevExpress NuGet or .NET Installers.

Step 2

Set up the authentication type, then create users and roles using examples for target .NET platforms.

Step 3

Execute secured CRUD operations using your ORM database context or its XAF wrapper.

  • A WinForms CRUD app with Ribbon and Data Grid. The app includes list and detail forms within a Tabbed-MDI shell.
  • DevExtreme + ASP.NET Web API OData: A client-side HTML/JavaScript CRUD app that uses the DevExtreme Data Grid and connects to an OData v4 web service (using the ASP.NET Core Web API).
  • ASP.NET Web Forms: A server-side Web Forms CRUD app that uses our high-performance ASP.NET Data Grid. The demo supports inline data editing.
  • A simple console app that connects to a database and outputs data records based on user rights.
  • A demo that shows how to create a Web API service backend and a mobile .NET MAUI application frontend.
  • JS (Svelte): A CRUD client-side / JavaScript app (powered by Svelte) that connects to the ASP.NET Core Web API service.
  • Blazor Server: A server-side ASP.NET Core Blazor CRUD app that uses our high-performance Data Grid component. The demo supports inline data editing.
  • Blazor WebAssembly: A client-side ASP.NET Core Blazor WebAssembly CRUD app that uses our high-performance Data Grid component. The demo supports inline data editing.
  • A server-side ASP.NET MVC Core CRUD app that uses our high-performance DevExtreme-based Data Grid. The demo supports inline data editing.

David Desiderà

More than one year ago I explained to my collaborators that - in my opinion - it was possible to integrate XAF's security layer with UI interface into an existing WinForms enterprise application that was 10 years old. We successfully implemented it! It took 40 man-days of work in total instead of at least 400 if I had decided to start from scratch. You guys saved my life!

Target Audience & Common Usage Scenarios

XAF developers who need to create non-XAF .NET apps.

If you want to reuse data models and security settings/configurations (users, roles and permissions) stored within an existing XAF application database, look no further than XAF's .NET App Security & Web API for .NET.

Based on feedback, we know that many XAF developers create custom web and mobile UI clients to service various internal administrative tasks (data modifications, report generation, scheduled workflows). XAF's Security System is perfect for such usage scenarios.

Non-XAF developers who create standard line-of-business (LOB) apps.

If your .NET app includes login/logout forms and requires security related functionality, XAF's .NET App Security & Web API is an easy-to-use alternative to custom app-security logic.

From WinForms, WPF and ASP.NET, to .NET server technologies like ASP.NET Web API/OData, WCF – XAF's Security System is the perfect choice for the enterprise. And yes, XAF's .NET App Security & Web API for .NET also supports Blazor Server & Xamarin Forms (Android & iOS) (support for Blazor WebAssembly and .NET MAUI apps coming soon).

Enterprise-Ready Role-based Access Control (RBAC) & Permission Management

While certain platforms (like ASP.NET) simplify authentication and basic authorization with built-in design time APIs, it's difficult to construct a flexible/customizable app security system (with the ability to customize the system once the app is deployed). Our Role-based Access Control (RBAC) & Permission Management API for .NET allows you to incorporate a highly flexible/customizable security system in your next .NET app.

LOB app developers want to save time and do not want to implement complex security memberships and authentication/authorization algorithms from scratch (such as apps that can filter protected data against a user's access rights or check whether the current user is allowed to delete records). Our Role-based Access Control & Permission Management API for .NET allows you to incorporate advanced security-related capabilities with minimal effort.

Getting security right (safe, fast, up-to-date, flexible, and database agnostic) is complicated. Pre-built middleware libraries like ASP.NET Core Identity or Identity Server can be difficult to configure or offer unnecessary functionality. Our Role-based Access Control & Permission Management API for .NET allows you to integrate a proven, database agnostic security sub-system in the shortest possible time.

Need additional use-cases? Review our advanced user-role management UX for both WinForms and ASP.NET Apps.

Multi-Database Permission Storage

Configure and Persist Settings for Role-Based Access Control (RBAC) Tasks

1. Access control permissions (linked to roles and users) that can be stored in more than a dozen popular data stores (including popular database servers like SQL Server, Oracle, PostgreSQL, MySQL, and Firebird, as well as XML and "in-memory" stores).

  • Type Permissions grant Read, Write, Create, and Delete access to all objects of a given type.
  • Object Permissions work in conjunction with Type Permissions and grant access to object instances that fit a specified criterion.
  • Member Permissions grant access to specific members unconditionally or based on a criterion.

2. Powerful and easy-to-use APIs to configure users, roles and permissions in code or visually within XAF apps.

3. Support for extensions or replacement with custom user, role, and permission objects.

Type, Record & Field Level Authorization Support

Filter Sensitive Data Automatically & Authorize CRUD Operations Manually

1. Two lines of code to filter records for the logged-in user. With a secured object space provider, your ORM data query and modification API remains unchanged.

2. Fine-grain access control for object relationships, individual objects or columns with or without criteria (example: can read the Full Name field, but cannot modify Salary).

3. Straightforward APIs to check CRUD or custom access rights for UI customizations (example: mask protected editors or disable menu commands).

4. Proven in production environments. Security permission caching for the best possible performance.

5. Easy troubleshooting with comprehensive documentation, diagnostic tools and DevExpress Support.

Joche Ojeda

One of the things I ask my customers is 'do you really want to develop a security system from scratch?' Experience tells me that when someone really wants to build a security system from scratch, it is because they have never had to build one before. Fact is that if you have built a security system from scratch, you'll definitely want to avoid it.

Field Tested Solutions that Work

Proven to save development time

Building and testing a robust security system is not an easy task, especially if your goal is to deliver a fully configurable system and introduce important features such as runtime permission control via an integrated UI.


Bahalddin Elsayed

Regarding XAF's Security - I want to compare what XAF offers to what we built in our company. We initially sought to create the same structure and the same security system layout as XAF. Completing our custom security system and replicating the feature set available in XAF required 5 months of development for 2 individuals. Obviously, XAF's built-in security system saves a lot of time, but what I really like about XAF's Security System is that you can hide or protect tables and associated records both horizontally and vertically. XAF's Security System also allows you to limit access to individual record columns unconditionally or by criteria. The beauty of XAF's access control rules is that they can be applied to user groups or roles.

Basic & Advanced Authentication Options

Authenticate Users with Standard Methods or Implement Custom Strategies

1. Built-in authentication types include: Forms (user name/password), Active Directory (Windows user) and Mixed (several authentication providers).

2. Includes a robust password generation/validation algorithm.

3. Allows you to extend standard authentication methods or replace our implementation with custom authentication strategies and logon parameters. For instance, our popular Blazor example supports OAuth2 with Google or Microsoft cloud authentication providers. Our Web API/OData example protects a backend service using a JWT bearer authentication scheme with Azure AD.

Frequently Asked Questions

Is the .NET App Security & Web API free for commercial use?

Absolutely. .NET App Security & Web API is available free-of-charge. To download your copy, visit: https://www.devexpress.com/security-api-free.

When you register for a free DevExpress product, you can use your registered product for as long as your needs dictate. Should an update be made available free-of-charge, you will be notified via email or this website. Updates that are issued free-of-charge can also be used indefinitely. Please refer to the DevExpress End User License Agreement for detailed licensing information.

Is technical support included with the free .NET App Security & Web API?

No, this free .NET App Security & Web API does not include technical support from DevExpress. Technical support is only available if you own the DevExpress Universal Subscription.

How can I report bugs or share suggestions on .NET App Security & Web API development?

If you encounter a bug, please submit a bug report via our online support system: https://www.devexpress.com/ask. For suggestions to our development team, please complete our survey.

Is the source code included in this free .NET App Security & Web API?

No. Component source code is not included in this offer.

Do I have to include XAF UI dependencies in my project?

Our Web API Service relies on Visual Studio 2022 and a few non-visual cross-platform .NET 6 packages. These include DevExpress.Data, DevExpress.Xpo, DevExpress.Document.Processor, and other core libraries. Though some of these packages have "XAF" or "ExpressApp" in their names, you do not need to pull XAF WinForms, WebForms and Blazor dependencies into your projects.

In other words, if you do not require XAF, you are not forced to use it. Optionally, you can tell the Solution Wizard to create the Web API Service inside a XAF Blazor UI app. This could be helpful to those who wish to incorporate a web Admin Panel (watch the video) and an embedded API server within the same package (for easier hosting and maintenance). Again, this is entirely up to you. You can always use the Web API Service on a standalone basis.

Will I benefit from the Web API Service if I’m not developing XAF UI apps?

Our Web API Service can be used outside of XAF-powered UI apps. Numerous developers have successfully used our Web API Service as a backend for their Angular, Vue, React, Blazor WebAssembly, Xamarin, and other .NET/JavaScript UI clients.

For more information in this regard, check out our DevExtreme example on GitHub. This example uses our client-side dxDataGrid with DevExpress.Data.ODataStore (just like many other CRUD apps powered by DevExtreme). We've also published a video series where we built a .NET MAUI mobile app that consumes our Web API Service (see also .NET MAUI example sources).

Do I have to learn a lot of XAF terminology to consume the Web API?

As far as clients or consumers are concerned, our Web API Service is a standard ASP.NET Core OData 8.0 service: use the standard OData v4 query options to consume our API. You can also use Swagger UI, Postman, developer tools within your favorite web browser, or standard .NET/JavaScript APIs.

We have published dozens of .NET code examples with the standard HttpClient: Make HTTP Requests to the Web API from .NET Applications. You can find other examples in public community resources for your favorite client UI technology.

Will it take hours to get started?

We ship a 1-Click solution to build a CRUD REST API for popular usage scenarios - from zero to a running Swagger UI.

To use the free Solution Wizard in Visual Studio 2022, which creates the Web API Service, run the Universal Component Installer from the Download Manager and enter the credentials for your DevExpress account (free or paid/Universal). Once installed, choose "File | New Project > Next > Next > Finish > F5" with our project template in Visual Studio 2022, and that is it.

The Solution Wizard adds all required dependencies, Entity Framework DbContext, default access control rights, connection string, etc. For more information on our Solution Wizard, refer to the following help topic: How to Create a New Application with the Web API.

Will the free Web API Service expire? I know it's free now but will it display a 'trial' window sometime later?

When you register for a free DevExpress product, you can use your free registered product for as long as your needs dictate. Should an update be made available free-of-charge, you will be notified via email or this website. Updates issued free-of-charge can also be used indefinitely.

The DevExpress Universal Subscription is required only if you need our technical support and additional paid services/benefits such as XAF's Admin Panel, audit trail, reports, localization, media files, validation, etc. (see our roadmap).

Can I customize the API (add custom endpoints, remove data from response, etc)?

You can do everything that you can do with ASP.NET Core OData - Microsoft published lots of information in this regard here: https://learn.microsoft.com/en-us/aspnet/core/web-api/.

To save time for our Web API Service users, we documented highly popular OData customizations on our website:

You can customize your own EF Core* or XPO data model and fine-tune things at the XAF layer (security permissions, CRUD behavior, etc).

  * XAF supports EF Core 5 in v22.1, EF Core 6+ in v22.2, and EF Core 6/7 in v23.1+.

Where can I find more technical information and an API reference?

Our Technical FAQ and Online Documentation answer popular questions about this API. You can also search our extensive support database or watch short overview videos.


JavaScript — Consume the DevExpress Backend Web API with Svelte

Highlighted Blog Posts


Part 1. Set Up a New Project

For a while now, DevExpress has delivered a Web API Service component out of the box. This service supports some of the existing XAF framework functionality, but it is meant to be used as a stand-alone element of an application system.

Part 2. Manage Localization and UI Settings

For this second part, I decided to improve my simple data visualization by making an important step: I want to integrate information from the type and setting metadata behind the Web API service for dynamic UI localization of the JavaScript client.

Part 3. Sort and Filter

I will take on the two features of sorting and filtering data, as examples to demonstrate how a JavaScript application can interface with the Web API service.

Part 4. Edit and Validate Data

In this post you will learn how to add editing functionality to the demo app, including validation.

Part 5. Authenticate Users and Protect Data

This post describes how to add authentication to the application.

Part 6. Preview and Download Reports

This post describes how to create, preview, and download reports.

Part 7. Mail Merge

This post describes how to add mail-merge to the Web API Service and Svelte Kit JavaScript frontend application. The mail-merge feature relies on the DevExpress Office File API.

Register Your Free Copy Today

DevExpress .NET App Security & Web API is available free-of-charge.

