Creating a Web API is as simple as creating a website. In fact, well written websites are already APIs serving to clients of type browser. Just keep in mind that websites are meant to be used in browsers only, but Web APIs are supposed to be consumed by different clients (other than browser too).
In simple, what is Web API ?
It is a framework provided by Microsoft for writing HTTP services. There are many frameworks available to build HTTP based services. They follow a common guideline of international standardization but with different flavors.
For example, all framework must adhere to these status codes-
1xx - Informational Message
2xx - Successful
3xx - Redirection
4xx - Client Error
5xx - Server Error
Is it easier to understand or learn Web API ?
Yes, it is.
It is all around HTTP and only HTTP methods (GET, POST, PUT and DELETE). If you come from MVC background then nothing is left to learn :) You can just start writing APIs.
What features its contains ?
- It is light weight and thus good for small devices also like tablets, smart phones.
- No tedious & extensive configuration like WCF REST is required.
- MediaTypeFormatter makes easy to configure your APIs response type in single line (JSON, XML and so on).
- IIS Hosting dependency is no more and it can be hosted in application too.
- Easy and simple control with HTTP features such as Caching, Versioning, request/response headers and its various content formats.
- It support content-negotiation (deciding the best response data format that client can accept).
How to write Web API ?
In Microsoft stack, ASP.NET Web API writing is as easy as writing an application using MVC. Yes, ASP.NET Web API follows MVC styles such as Controllers, Action Results, Action Filters, Routing, Model binders and so on. We can easily use IOC or dependency injection, etc as we do in any MVC application.
MVC Routing, Filters & Model binders (System.Web.MVC) are bit different than Web API (System.Web.Http). Both can be mixed to make a selfhost-able service (in this case 2 authentication filter will require, one for MVC & another for Web API).
Security and Authentication ?
HMAC 256 hash authentication is used to secure Web APIs. It uses a secret key for each consumer/client. This secret key is known to both consume & server. In most of cases, this secret key is nothing but the hashed password of each consumer/client.
Other popular techniques for implementing authentication in Web API are the following:
In HMAC, the authentication idea is simple, tally the coming signature on the request with creating a signature on the basis of request-data. It can be simplified in the following steps-
- Build a signature on the server based on the data provided with HTTP request.
An authentication action-filter is written to parse incoming requests to get - HTTP verb, time-stamp, URI, and Form data & query-string. After the parsing and based on these inputs, HMAC hash is used to build signature with hashed password (secret key).
The secret-key is usually fetch from database for users against username.
For creating Base64 hashes, you may refer this article.
- Compare this built signature with the signature on the request.
- If both are equal then authentication is passed, otherwise failed
Refer this resource to explore where to implement security in Web API'.
So should I start using Web API instead of WCF ?
Yes & No both. Both has their own scope & limitations.
WCF provides you more options to choose any transport channel such as TCP, named pipes, UDP, etc along with HTTP. It is best fit for complex services like duplex communications, message queue, etc with much more extensible.
Web APIs are best fitted for HTTP based services that are resource oriented, and prospectively serve broad range of clients from web-browser to tablets, smartphones and so on.
For more sample code & references, refer ASP.NET Web API.