A comprehensive guide covering REST API design, JWT auth, rate limiting, caching, and deploying to Azure with a production-ready .NET 8 setup.

Overview

Building production-ready REST APIs with ASP.NET Core 8 requires a solid foundation in several key areas: clean architecture, security, caching, and automated deployment.

1. Clean Architecture

Start with a layered solution:

  • API — HTTP layer: controllers, middleware, filters
  • Application — use cases, DTOs, validators (FluentValidation)
  • Domain — entities, value objects, domain events
  • Infrastructure — EF Core repositories, external services

    • 2. JWT Authentication

    Use the built-in bearer middleware with Microsoft.AspNetCore.Authentication.JwtBearer. Key settings:

  • ValidateIssuerSigningKey = true
  • Use asymmetric RS256 keys in production, not HMAC
  • Keep access tokens short-lived (15 min); use Redis-backed refresh tokens

    • 3. Rate Limiting (.NET 8 Built-in)

    csharp
    builder.Services.AddRateLimiter(opts => {
    opts.AddFixedWindowLimiter("api", o => {
        o.PermitLimit = 100;
        o.Window = TimeSpan.FromMinutes(1);
    });
});

    Enable per-user rate limiting by extracting the user claim in a custom policy.

    4. Response Caching with Redis

    Cache expensive GET responses with OutputCache + a Redis provider:

    csharp
    [OutputCache(PolicyName = "products", Duration = 60)]
[HttpGet("products")]
public async Task<IActionResult> GetProducts() { ... }

    5. Production Deployment on Azure Container Apps

    GitHub Actions workflow builds a multi-stage Docker image, pushes it to ACR, and triggers a rolling deployment with zero downtime. Use Azure Key Vault references for secrets rather than environment variables.

    Key Takeaways

    1. Separate concerns with Clean Architecture from day one

    2. Never store secrets in appsettings.json

    3. Rate-limit all public endpoints

    4. Cache reads aggressively, invalidate on write

    5. Automate everything — a deployment should be a git push