ASP.NET Core Web API
1. Fundamentals & HTTP
Introduction to ASP.NET Core Web API REST Principles and HTTP Methods Controllers & ControllerBase Routing (Attribute vs Conventional) Action Return Types (IActionResult)
2. Request Handling
Model Binding (FromQuery, FromBody, FromRoute) Dependency Injection (DI) Deep Dive App Settings & The Options Pattern
3. Data Access & Architecture
EF Core Setup in Web API DbContext & Migrations Repository & Unit of Work Pattern Asynchronous Programming (async/await)
4. Data Transfer & Validation
Data Transfer Objects (DTOs) & AutoMapper Model Validation (DataAnnotations) FluentValidation Integration
5. Advanced Concepts
Global Exception Handling Middleware Content Negotiation (JSON vs XML) Pagination & Filtering Advanced Searching & Sorting HATEOAS (Hypermedia) Implementation Output Caching & Response Caching
6. Security & Authorization
Cross-Origin Resource Sharing (CORS) JWT Authentication Setup Access Tokens & Refresh Tokens Workflow Role-Based & Policy-Based Authorization API Key Authentication Rate Limiting & Throttling
7. Documentation & Testing
Swagger & OpenAPI Configuration Customizing API Documentation Unit Testing Controllers (xUnit & Moq) Integration Testing (WebApplicationFactory)
8. Microservices & Deployment
Consuming External APIs (IHttpClientFactory) Health Checks & Diagnostics API Versioning Strategies Deploying APIs (Docker & Azure)
ASP.NET Core Web API

Model Binding (FromQuery, FromBody, FromRoute)

1 Views Updated 5/4/2026

Model Binding ([FromQuery], [FromBody], [FromRoute])

Model Binding is the mapping system in ASP.NET Core that extracts data from HTTP requests (the URL, the JSON body, or the Headers) and converts them into strongly-typed C# variables or objects that your Controller actions can use.

1. Implicit Binding vs Explicit Binding

When you use the [ApiController] attribute, the framework makes intelligent assumptions about where data is supposed to come from based on the complexity of the data type.

  • Simple Types (int, string, GUID): Assumed to come from the URL [FromRoute] or the Query String [FromQuery].
  • Complex Types (Classes, DTOs): Assumed to come from the HTTP Request JSON body [FromBody].

2. Explicit Binding Attributes

Relying on implicit binding can create brittle APIs. Enterprise developers use explicit attributes to dictate exactly where data must originate from. This enforces security and prevents URL parameter pollution.

[FromRoute]

Pulls data directly from the URL path variables.

// Request: GET /api/users/99
[HttpGet("{id}")]
public IActionResult GetUser([FromRoute] int id) 
{
    // id == 99
}

[FromQuery]

Pulls data from the URL query string (everything after the ? mark). Used primarily for Pagination, Searching, and Filtering.

// Request: GET /api/products?category=shoes&sortBy=price&page=2
[HttpGet]
public IActionResult SearchProducts([FromQuery] string category, [FromQuery] string sortBy, [FromQuery] int page) 
{
    // Alternatively, bind the query string to an entire class!
    // public IActionResult SearchProducts([FromQuery] SearchParameters queryParams)
}

[FromBody]

Instructs the JSON deserializer to parse the raw HTTP Request Payload. You can only have ONE [FromBody] parameter per action method because the HTTP Body stream can only be read once natively.

// Request: POST /api/orders
// Body: { "amount": 500, "itemId": 12 }
[HttpPost]
public IActionResult CreateOrder([FromBody] OrderCreateDto dto)
{
    _db.Orders.Add(dto);
}

[FromHeader]

Pulls custom header values (like Authorization tokens, API Keys, or custom tenant IDs).

[HttpGet("secure-data")]
public IActionResult GetSecureData([FromHeader(Name = "X-Api-Key")] string apiKey)
{
    if (apiKey != "SUPER_SECRET") return Unauthorized();
}

3. Interview Mastery

Q: "Can I use [FromBody] on a GET request?"

Architect Answer: "Technically yes, the HTTP specification does not outright ban GET requests from having a body. However, ASP.NET Core's Kestrel server and nearly all modern web proxies (like Nginx, AWS API Gateway) and caching layers will aggressively strip the body from a GET request, rendering the payload null. If you need to send a complex object requiring a body for a search query, you should either flatten it into a [FromQuery] string, or use the POST method for the search (e.g., POST /api/search/execute) if the payload is massive."

Previous Part Next Part
ASP.NET Core Web API
1. Fundamentals & HTTP
Introduction to ASP.NET Core Web API REST Principles and HTTP Methods Controllers & ControllerBase Routing (Attribute vs Conventional) Action Return Types (IActionResult)
2. Request Handling
Model Binding (FromQuery, FromBody, FromRoute) Dependency Injection (DI) Deep Dive App Settings & The Options Pattern
3. Data Access & Architecture
EF Core Setup in Web API DbContext & Migrations Repository & Unit of Work Pattern Asynchronous Programming (async/await)
4. Data Transfer & Validation
Data Transfer Objects (DTOs) & AutoMapper Model Validation (DataAnnotations) FluentValidation Integration
5. Advanced Concepts
Global Exception Handling Middleware Content Negotiation (JSON vs XML) Pagination & Filtering Advanced Searching & Sorting HATEOAS (Hypermedia) Implementation Output Caching & Response Caching
6. Security & Authorization
Cross-Origin Resource Sharing (CORS) JWT Authentication Setup Access Tokens & Refresh Tokens Workflow Role-Based & Policy-Based Authorization API Key Authentication Rate Limiting & Throttling
7. Documentation & Testing
Swagger & OpenAPI Configuration Customizing API Documentation Unit Testing Controllers (xUnit & Moq) Integration Testing (WebApplicationFactory)
8. Microservices & Deployment
Consuming External APIs (IHttpClientFactory) Health Checks & Diagnostics API Versioning Strategies Deploying APIs (Docker & Azure)