If you have ever built a model-powered agent, you know the development loop. Write some code, fire it at the endpoint, check the response, tweak the parsing, fire it again. Repeat until the output looks right. It is a perfectly normal workflow—and it quietly drains your token budget with every single iteration.

The new Progress Telerik Fiddler Everywhere Agent Cache feature is designed to break that cycle. Once you capture a response from a model-provider endpoint, you can flip a single switch and have Fiddler software replay that response for every subsequent matching call—without the request ever leaving your machine. Same output, zero additional tokens consumed on the provider side.

This post walks through exactly how that works, using a small open-source demo project to make everything concrete.

The Hidden Cost of Agent Development

Building an agent that calls a completion endpoint involves a lot of repetition that has nothing to do with the model itself. You are iterating on:

• How you construct the prompt
• How you parse and validate the structured response
• How you surface the result to the rest of your system
• How your error handling behaves when the response is malformed

None of those iterations require a new, unique response from the model. You already have a good one from the first call. But unless you manually save the raw response and mock it yourself, every invocation sends a fresh request, and the provider charges for it.

Once agents move beyond demos, three pressures show up together and stay for the duration of development:

• Cost – Repeated runs during development burn budget. For a simple agent that exchanges a few hundred tokens per call, this might feel negligible. But development sessions involve dozens of sequential runs, teams have multiple developers iterating in parallel, and the costs compound quickly.
• Latency – Every round trip to the provider stretches the feedback loop. When you are tweaking prompt construction or adjusting response parsing, waiting on a live call each time slows everything down.
• Determinism – The same input does not always produce the same output. That variability makes it harder to isolate whether a difference in behavior came from your code change or from the model.

This is especially visible in teams that build many small, task-specific agents rather than one large agent. Even small per-run costs compound when iteration is constant—and none of that spend actually improves the agent.

What Teams Already Do

Most teams already compensate for this manually. Common patterns include separating development runs from real execution, validating agent wiring before triggering model calls, reusing mocked or previously captured responses, and avoiding live execution early to keep iteration fast.

These approaches work, but they are fragmented. Provider-level caching helps in some cases but is limited. Custom mocks and fixtures are costly to maintain. Replay logic often lives outside the main development flow, and different teams end up solving the same problem with different local tooling.

The problem is not a lack of solutions. It is the lack of a low-friction one that fits naturally into everyday iteration.

What Agent Cache Does

Fiddler Everywhere acts as a proxy that sits between your agent and the remote endpoint. When your agent makes an HTTPS call to, say, api.anthropic.com, Fiddler software intercepts it, forwards it and logs the full request-response pair in the Traffic pane.

The new Agent Calls tab is a focused view inside that pane. It automatically filters and displays HTTPS sessions that target supported model-provider endpoints—such as OpenAI, Anthropic and Gemini—so you are not wading through noise from other traffic. Every captured call gets a Caching toggle.

Enable the toggle, and Fiddler software starts intercepting any outbound call that matches that session’s request. Instead of forwarding the request, it immediately returns the cached response. The endpoint never receives the duplicate call. Your agent sees the exact same payload it would have received from a live call. Token count: zero.

Disable the toggle at any time and live traffic resumes, no restarts required.

How Agent Calls and Caching Behave

A few details that matter when you start using it:

• Deterministic filtering: Sessions appear in Agent Calls automatically when Fiddler software detects traffic to a supported agentic endpoint. You do not need to configure which endpoints to watch.
• First-match caching: If two or more sessions target the same endpoint (for example, https://api.anthropic.com/v1/messages) and both are cached, Fiddler software returns the response from the first cached session.
• No rule interference: Fiddler rules are executed only for non-cached sessions. Cached responses are returned as-is, without rule evaluation.
• Visibility split: After a session is cached, subsequent matching requests appear only in Live Traffic. The Agent Calls tab continues to show the original non-cached captures.

Why It Matters During Development

Agent Cache is built around three practical benefits that matter most during active development.

1. Faster iterations: Replaying a cached response is instant. Instead of waiting on a round trip to the provider on every run, you get a result back immediately—shortening the feedback loop so you can move through prompt and code changes without unnecessary delays.
2. Lower execution costs: Each cached run consumes zero tokens on the provider side. During active development, where the same request may be triggered dozens of times, this directly reduces the token spend that accumulates before a feature is even complete.
3. More predictable behavior: A cached response is fixed and repeatable. Running the same agent logic against the same response on every iteration makes it straightforward to verify that a code change had the intended effect, without having to account for variability in live model output.

Demo: Bug Report Analyzer

To make this tangible, walk through the agent-cache-demo—a minimal Python agent that takes a fixed bug report and returns a structured analysis (severity, category, a plain-English summary and a suggested next step).

The input never changes between runs, which makes it a perfect showcase for Agent Cache: the model’s answer to an identical prompt is always reusable, so there is genuinely no reason to pay for it more than once.

What the Agent Does

The core of agent.py is straightforward:

message = client.messages.create(  
model=MODEL,  
max_tokens=256,  
system=SYSTEM_PROMPT,  
messages=[  
{"role": "user", "content": f"Analyze this bug report:\n\n{report}"}  
],  
)  

It sends the bug report to the Claude API and expects a JSON response like this:

{  
"severity": "high",  
"category": "crash",  
"summary": "App crashes with a NullPointerException when attempting to log in under no network connectivity.",  
"suggested_next_step": "Add a null or connectivity check in NetworkManager.checkConnectivity() before network calls."  
}  

That response is then formatted and printed to the terminal:

── Bug Report Analysis ─────────────────────────────────────  
Severity  : HIGH  
Category  : crash  
Summary  : App crashes with a NullPointerException when attempting to  
log in under no network connectivity.  
Next step : Add a null or connectivity check in  
NetworkManager.checkConnectivity() before network calls.  
─────────────────────────────────────  

Setup

Clone the repository and install dependencies:

git clone [https://github.com/NickIliev/agent-cache-demo](https://github.com/NickIliev/agent-cache-demo)  
cd agent-cache-demo  
  
python -m venv .venv  
source .venv/bin/activate  # macOS / Linux  
.venv\Scripts\activate  # Windows  
  
pip install -r requirements.txt  
export ANTHROPIC_API_KEY=sk-ant-... # macOS / Linux (Git Bash)  
set ANTHROPIC_API_KEY=sk-ant-... # Windows (CMD)  

The demo supports routing traffic through the Fiddler proxy or running directly against the provider. It also covers SSL/TLS trust configuration for HTTPS interception. See the repository README for full details on proxy setup, environment variables and certificate options.

Step 1: The First Live Call

Start Fiddler Everywhere and run the agent:

python agent.py  

The terminal shows the result and, crucially, the token consumption:

[tokens] Input: 312  |  Output: 68  |  Total: 380  

Switch to Fiddler Everywhere and open Traffic > Agent Calls. You will see the captured call to api.anthropic.com with the full request and response visible.

This is your baseline. You paid for 380 tokens. That is fair—you needed the live call to validate the end-to-end flow.

Step 2: Enable the Cache

In the Agent Calls grid, find the captured session and flip its Caching switch to on. That is the entire configuration step.

Step 3: All Subsequent Runs Are Free

Run the agent again:

python agent.py  

The output in the terminal is byte-for-byte identical to the first run, including the token count display. Because the Caching switch was on, Fiddler software served the stored response immediately and never forwarded the request to the provider. The endpoint never saw the call.

You can now iterate on agent.py as many times as you need—refactor the display logic, adjust the JSON parsing, add logging—and none of those runs cost a single token.

When to Use Agent Cache

Agent Cache is a development-stage tool. It is particularly valuable when:

• Iterating on response handling: Your agent already returns a correct response from the model. You are now working on how your code handles that response—formatting, validation, error recovery. None of that work requires fresh model calls.
• Sharing a working state with teammates: Cache a known-good response and share the Fiddler session. Everyone on the team can iterate against the same replay without burning tokens or depending on network access to the provider.
• Working offline or in restricted environments: Once the cache is populated, your agent keeps working even without connectivity to the provider.

Things to Keep in Mind

• Cache matching is request-based. If your agent changes the prompt, the model or any request headers, the cached session will no longer match. Capture and cache the updated variant separately.
• The cache lives in the current Fiddler session. Closing and reopening Fiddler clears the cache state, so the next run after a restart will make a live call. Review cached sessions periodically to keep stored responses aligned with your current workflow.
• Cache is for development, not production. Agent Cache is designed for development workflows where deterministic, repeatable responses are the goal. When you are ready to validate against a live endpoint, disable the cache and resume live calls.

Availability

Agent Cache is available on Fiddler Everywhere Trial, Pro and Enterprise tiers. The feature is not included in Lite licenses.

Try It Yourself

The full demo is on GitHub: github.com/NickIliev/agent-cache-demo. Clone it, set your Anthropic API key, and you can see the before-and-after token counts yourself in under five minutes.

The point is not really the 380 tokens saved in a single run. It is the dozens of runs you make in a typical development session, the parallel runs across a team—all of which can stop paying for answers they already have.

Agent Cache does not change how you build agents. It just removes the tax on iterating.

If you aren’t already using Fiddler Everywhere, it does come with a free trial:

Try Fiddler Everywhere

Leave Feedback

Agent development workflows are still evolving quickly, and your feedback shapes what comes next. If you try Agent Cache during development—or if there is something you wish it did differently—we want to hear about it.

• Email: fiddler-support@progress.com
• GitHub issues: github.com/telerik/fiddler-everywhere/issues
• Demo repository: github.com/NickIliev/agent-cache-demo

Rate limiting is a technique that verifies clients consume the server’s resources responsibly. It is essential for preventing malicious actors from abusing resources. This technique monitors each client’s requests to API endpoints. If their requests exceed a particular limit—that is, breach a particular constraint within a time frame—the client is either blocked or their request is delayed, slowed down or silently ignored.

NestJS is a popular framework that makes it easy for developers to build enterprise-grade server-side applications and provides them with a suite of tools to solve common problems.

In this article, we will be exploring the package for rate limiting. We will first explore rate limiting and some of its core concepts and see how this tool can be used to solve common rate limiting problems in our NestJS applications. We will explore some interesting challenges when implementing rate limiting in real-world applications and examine configurations that this package provides to help us counter those problems.

Prerequisites

This guide assumes the reader is familiar with TypeScript, backend development using Node.js, and HTTP and RESTful APIs.

Project Setup

Assuming you have the Nest CLI installed, let’s now set up a NestJS project by running the following command:

nest new rate-limiting

The application is created in a folder called rate-limiting. Feel free to pick a folder name of your choice.

Next, let’s install @nestjs/throttler, which is the rate limiting package for NestJS.

cd rate-limiting
npm install @nestjs/throttler

How Rate Limiting Works

Now, let’s briefly describe how rate limiting works and highlight some of the core concepts powering it. Understanding this section will be important when we start using the @nestjs/throttler package.

• The resource owner defines the constraint on what is allowed—that is, the limit. Limits are time-bound. The time frame a limit is applied to is called a window, and limits are expressed as “limit per window” (e.g., five requests per second, one job per hour, etc.).
• The resource owner then tracks the client’s requests to access their resources. Tracking can be done based on some identifier (e.g., an ID of some database entity, the client’s IP address, etc.). Tracking is a stateful operation, so the resource owner implements some storage mechanism to hold tracking information for clients. The storage containers to hold this information could be databases or in-memory storage.
• If the client exceeds the defined limit, the resource owner responds either by blocking the request for some duration and returning a 429 response code or by throttling the request (i.e., ignoring or slowing down the response to the user’s request).
• The resource owner implements a rate limiting algorithm to make everything work. Common rate limiting algorithms include token bucket, leaky bucket, fixed window and sliding window algorithms.

Examples of rate limiting in real-world applications include the following:

• A payment gateway may limit requests from clients trying to get the status of a transaction to, for example, one request per minute.
• A cloud service like EAS limits users with free tier accounts to only create 30 builds for their mobile applications per month, with a concurrency limit of one.
• A media manipulation service like Cloudinary constrains API consumers on a free account to upload a limited number of files in each request, with each file not exceeding a particular size.

The @nestjs/throttler Module

Let’s now explore the contents of the rate limiting module we will be using:

• It provides an abstraction over all the complexity involved in rate limiting and provides us with a simple interface to set up only the rate limiting options we need, while it handles the rest.
• It provides a wide range of options that allow us to configure limits, handle client tracking, storage, etc.
• It is storage agnostic, so it allows us to optionally configure different storage mechanisms for tracking. By default, tracking is done using an in-memory store using the JS Map data structure. It also supports regular databases—the most popular option here is Redis, as we will see later.
• If the client exceeds the defined limit, this module responds by blocking the client.
• Although this guide will explore how it can be used in a RESTful API, it is also compatible with GraphQL and WebSockets.

Setting up Some Routes

Normally, a web server will contain one or more endpoints. Let us define a few. Update your app.controller.ts file with the following:

import { Controller, Get } from "@nestjs/common";
@Controller("app")
export class AppController {
  @Get("/a")
  getA(): string {
    return "this is A";
  }
  @Get("/b")
  getB(): string {
    return "this is B";
  }
  @Get("/b")
  getC(): string {
    return "this is C";
  }
}

We defined three routes: /app/a, /app/b and /app/c. Verify that AppController is mounted in the app.module.ts file as shown below:

import { Module } from "@nestjs/common";
import { AppController } from "./app.controller";
@Module({
  imports: [],
  controllers: [AppController],
  providers: [],
})
export class AppModule {}

Add Rate Limiting to the Entire App

Update the app.module.ts file to look like this:

import { Module } from "@nestjs/common";
import { AppService } from "./app.service";
import {
  minutes,
  seconds,
  ThrottlerGuard,
  ThrottlerModule,
} from "@nestjs/throttler";
import { APP_GUARD } from "@nestjs/core";
import { AppController } from "./app.controller";
@Module({
  imports: [
    ThrottlerModule.forRoot({
      throttlers: [
        {
          name: "first",
          ttl: 1000,
          limit: 1,
          blockDuration: 1000,
        },
        {
          name: "second",
          ttl: seconds(10), // 10000
          limit: 5,
          blockDuration: seconds(5),
        },
        {
          name: "third",
          ttl: minutes(1), // 60000
          limit: 25,
        },
      ],
      errorMessage: "too many requests!",
    }),
  ],
  controllers: [AppController],
  providers: [
    AppService,
    {
      provide: APP_GUARD,
      useClass: ThrottlerGuard,
    },
  ],
})
export class AppModule {}

The ThrottleModule enables us to define the rate limiting options in our app. Using either its forRoot() or forRootAsync() overloaded methods, we pass an object defining the options we want. The most important property is one called throttlers—it holds an array of objects, each representing the rate limiting options we want. We can declare as many as required. In our case, we specified three of them.

Each throttle option has properties, but the only mandatory ones are limit and ttl (time to live). However, we added some other interesting ones, which we will look at in a bit.

We can read the first entry in the options array like so: The client is limited to 1 (limit) request per 1000ms (TTL), and if they exceed that, they will be blocked for 1000ms (blockDuration) during which the server responds with a 429. You can apply this model to read the remaining options.

While there are many other optional options (six others at the point of writing), we only used two: blockDuration and name. The former is quite intuitive; if not specified, it defaults to the TTL value. Note that time is always specified in milliseconds when using this module.

The name property defines a name for the group. If not specified, it resolves to the string default. This property helps during tracking to distinguish how tracking information will be stored across options.

We can also add options to define how we want to generate identifiers to track clients or whether, for some option groups, we may want to skip some routes in our app.

Now, for the root object, we also included another optional property called errorMessage, which accepts a string or a function that resolves to the message that will be sent when the user exceeds any of the defined limits.

Finally, we need to verify our entire application is guarded using the rate limiting options, so we used the special APP_GUARD injection token to provision the ThrottlerGuard class. The ThrottlerGuard class is where all the magic happens. It is responsible for tracking and maintaining the state for clients and blocking them when necessary.

To test our running application, open the terminal and start the server by running the following command:

npm run start:dev

Using a browser’s address bar or any API testing platform, let’s proceed to test our API. In this article, we will be using Progress Telerik Fiddler Everywhere. Notice that whenever we exceed any of the limits, we get a 429 response as shown below.

How Tracking Works

Tracking information is stored in a map using key-value pairs. A hyphen (-) separates the pieces that make up the tracking keys. The tracking key is derived from the name of the controller, the handling function, the name of the throttle option and a custom client identifier. By default, this is the client’s IP address.

The diagram above shows the key in plain text, but internally they are hashed (SHA256) before they are used as keys.

The tracking data is derived from the throttle options. It maintains relevant information such as:

• How many requests the client made
• The time for each limit
• The block duration and status

Notice that there are three instances of the tracking keys and their corresponding tracking information maintained for each endpoint for each client, since we defined three different options.

Overriding Rate Limiting Options for Certain Routes

Update your app.controller.ts file to match the following:

import { Controller, Get } from "@nestjs/common";
import { Throttle } from "@nestjs/throttler";
@Controller("app")
export class AppController {
  @Throttle({
    first: {
      ttl: 3000,
      limit: 1,
      blockDuration: 10000,
    },
  })
  @Get("/a")
  getA(): string {
    return "this is A";
  }
  @Get("/b")
  getB(): string {
    return "this is B";
  }
  @Get("/b")
  getC(): string {
    return "this is C";
  }
}

Depending on what your application needs, it is often better to change the rate-limiting options either on one endpoint (i.e., at the route level) or a group of endpoints (i.e., at the controller level). Regardless of which, the @nestjs/throttler module provides us with the handy Throttle decorator to do so.

This function expects an object whose keys are the throttle option name attributes configured earlier in the forRoot method of the ThrottlerModule. The values are just overrides of the previous options.

In our case, we reconfigured the option called first and we limited it to one request every three seconds, with a block duration of 10 seconds.

Now if we try to hit /app/a more than once in three seconds, we get an error. Also note that second and third settings will still apply to this endpoint.

Partly or Completely Disabling Rate Limiting for One or More Routes

Not all parts of an application will need rate limiting. Update your app.controller.ts file with the following:

import { Controller, Get } from "@nestjs/common";
import { SkipThrottle, Throttle } from "@nestjs/throttler";
@Controller("app")
export class AppController {
  //...
  @SkipThrottle({
    first: true,
    second: true,
  })
  @Get("/b")
  getB(): string {
    return "this is B";
  }
  //...
}

The SkipThrottle decorator allows us to disable rate limiting again, either on the controller or route level. It expects an object whose keys are the names of throttle options and whose values are booleans. For example, in our case we disabled first and second throttle options on the /app/b endpoint. This means only the rate limiting option named third will apply to this route.

Rate Limiting Problems in Real World Applications

In this section, we will look at some common rate limiting problems we encounter in real-world applications and how we can solve them. Our solutions will use the @nestjs/throttler module and some of the features provided by the Nest framework:

• Tracking clients by IP address when our web server is behind a reverse proxy
• Storing client tracking information across multiple instances

Tracking Clients by IP Address When Our Web Server Is Behind a Reverse Proxy

It has already been established that the @nestjs/throttler module allows us to track users based on different identifiers, but by default it does so using the client’s IP, which is the most common option.

There are some interesting things to note here: When we deploy our server-side applications, in most cases, we don’t allow direct client communication with them. Rather, we usually place our server behind another web server (e.g., Nginx, Apache, Caddy, Traefik, etc.) which serves as a load balancer and/or reverse proxy. Load balancers provide many benefits when paired with our web server, such as security from attackers, caching, compression, traffic distribution, etc.

Each time the client makes a request, it goes through the reverse proxy and then to our actual NestJS server. To verify our NestJS server knows about the client’s IP where the request originated from, we need to check that the load balancer sends this information to it. When using a load balancer like Nginx, by default this information is not sent. This means our NestJS server treats the request as if it originated from Nginx, and this is not what we want.

For our demo let’s create a docker-compose.yaml file in the project’s root and add the following to it:

services:
  backend1:
    build:
      context: .
      dockerfile: Dockerfile
      target: development
    expose:
      # used to expose port to other containers
      - 3000
    volumes:
      - ./src:/app/src
      - /app/node_modules
    command: npm run start:dev
    hostname: backend1
    container_name: backend1
  nginx:
    image: nginx
    depends_on:
      - backend1
    ports:
      - "8080:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf

We set up two services: the first being our NestJS web server called backend1, which has a hostname of backend1 and exposes port 3000 to other containers. The other is Nginx, the load balancer we will be using, that is exposed on our machine on localhost:8080. We created an nginx.conf file in our project root. We defined a bind mount to override the contents of the one that ships with the Nginx container.

This file looks like so:

worker_processes 1;

events {
    worker_connections 1024;
}
http {
    include mime.types;
    upstream backend_cluster {
        # round robin algorithm is used by default
        server backend1:3000;
    }
    server {
        listen 80;
        server_name localhost;
        location / {
            # Proxy requests to the upstream we called backend_cluster
            proxy_pass http://backend_cluster;
            # Pass the X-Forwarded-For header
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Client-Ip $remote_addr;

            proxy_set_header Host $host;
        }
    }
}

We will focus on the more important blocks in this file:

The proxy_pass directive proxies requests from the load balancer to our backend cluster named backend_cluster in the upstream block. The upstream block for now has one entry that points to our NestJS server (i.e., “backend1:3000”).

To forward the client IP address, we used two custom headers to show two different ways we can do this. The first is a random header we called X-Client-IP and the other is the more popular X-Forwarded-For header, which we are more interested in. Both of them will set the client’s IP, which is stored in the $remote_addr variable. $proxy_add_x_forwarded_for uses this internally and appends the client’s IP to whatever was set in the X-Forwarded-For that came with the original request.

The Host header verifies that the upstream (i.e., our NestJS server) receives the right URL so that the right controller attends to the request.

Using a Custom Header

If you prefer using the custom header, we can just directly extend the ThrottlerGuard and override its getTracker() method as shown below.

Let’s update our app.module.ts file with the following:

// Add this
@Injectable()
export class ThrottlerBehindProxyGuard extends ThrottlerGuard {
  protected async getTracker(req: Record<string, any>): Promise<string> {
    return req.headers["x-client-ip"];
  }
}

@Module({
  imports: [
    ThrottlerModule.forRoot({
      throttlers: [
        //...throttlers
      ],
      errorMessage: "too many requests!",
    }),
  ],
  controllers: [AppController],
  providers: [
    AppService,
    {
      provide: APP_GUARD,
      useClass: ThrottlerBehindProxyGuard,
    },
  ],
})
export class AppModule {}

In the code above, we retrieved the client’s IP from the custom header set.

Using the X-Forwarded-For Custom Header

We can directly read the contents of the X-Forwarded-For header from the request object, like we did previously with our random X-Client-IP header. However, this header is a somewhat de facto header used by most proxy servers (e.g., Nginx in our case) to forward the client’s IP to the web server behind it.

This header is already known to ExpressJS, so we just need to do a few things to enable the Express APIs to parse it for us automatically.

Let’s now tweak our backend code to parse this value. Update your main.ts file with the following:

import { NestFactory } from "@nestjs/core";
import { AppModule } from "./app.module";
import { NestExpressApplication } from "@nestjs/platform-express";
import { Injectable, ExecutionContext, CallHandler } from "@nestjs/common";

async function bootstrap() {
  const app = await NestFactory.create<NestExpressApplication>(AppModule);
  app.set("trust proxy", true);
  await app.listen(3000);
}
bootstrap();

NestJS allows us to choose between Express or Fastify, and we are going to use the former.

By setting the trust proxy setting on the Express API, it automatically tells Express to trust the X-Forwarded-For header and parse it to an array, storing it in the request object in its ips array (i.e., req.ips).

It then picks the leftmost entry in this array and stores it in req.ip. To put it in more context: assuming the X-Forwarded-For holds “a b c” (assuming there were two hops before the request reached our web server, where a, b and c are IP addresses), req.ips will hold [a, b, c] and req.ip holds a, where a is the client’s IP address.

By default, since the @nestjs/throttler module relies on the req.ip property for tracking, everything works automatically just by using the trust proxy setting without having to extend the ThrottlerGuard class like we did to manually extract the contents of our X-Client-IP header for @nestjs/throttler.

Storing Client Tracking Information Across Multiple Instances

Another great thing about having our web server behind a load balancer is that it allows us to run multiple instances of the web server while the load balancer distributes incoming traffic across all instances. This is important for throughput, availability and proper resource utilization.

In the context of rate limiting, this also presents some storage concerns. First, by default, since the @nestjs/throttler module uses an in-memory store (a JavaScript Map data structure, to be specific), to remember tracking information for rate limiting, this means when we have multiple instances of our app, each instance maintains its own in-memory store, as shown below.

This storage decentralization presents a problem (i.e., assuming we have three instances, a, b and c, it is possible for a client to be blocked on one of the servers, e.g., a, and still be able to access b and c).

So we need to centralize the storage location for the tracking information and move to a structure that looks like the one below.

The @nestjs/throttler module allows us to provide our storage option if we want, provided it implements the ThrottlerStorage interface. We won’t be creating ours; instead, we will use a community-provided package that allows us to use Redis as the persistence layer.

Let’s install this module in our app. Run the following command in your terminal:

npm install --save @nest-lab/throttler-storage-redis ioredis

Next, let us update our docker-compose.yaml file to set up Redis, and then make three instances of our web server in our file:

services:
  backend1:
    build:
      context: .
      dockerfile: Dockerfile
      target: development
    ports:
      - "3002:3000"
    expose:
      - 3000
    environment:
      INSTANCE_NAME: BACKEND_1
    volumes:
      - ./src:/app/src
      - /app/node_modules
    command: npm run start:dev
    hostname: backend1
    container_name: backend1
  backend2:
    build:
      context: .
      dockerfile: Dockerfile
      target: development
    ports:
      - "3003:3000"
    expose:
      - 3000
    environment:
      INSTANCE_NAME: BACKEND_2
    volumes:
      - ./src:/app/src
      - /app/node_modules
    command: npm run start:dev
    hostname: backend2
    container_name: backend2
  backend3:
    build:
      context: .
      dockerfile: Dockerfile
      target: development
    ports:
      - "3004:3004"
    expose:
      - 3000
    environment:
      INSTANCE_NAME: BACKEND_3
    volumes:
      - ./src:/app/src
      - /app/node_modules
    command: npm run start:dev
    hostname: backend3
    container_name: backend3
  nginx:
    #... nginx service
  redis:
    image: redis/redis-stack
    environment:
      REDIS_ARGS: "--requirepass 1234"
      REDISSEARCH_ARGS: "--requirepass 1234"
      REDIS_HOST: redis
      REDIS_USERNAME: default
      REDIS_PASSWORD: 1234
      REDIS_DATABASE_NAME: 0
      REDIS_PORT: 8001
    volumes:
      - ./local-data/:/data
    ports:
      - "6379:6379"
      - "8001:8001"

Notice we included an environment variable for each instance called INSTANCE_NAME. This will be used later so we know which instance of our web server is handling the proxied request.

Let’s update our upstream block in our nginx.conf file to include the two other server instances, making them 3:

worker_processes 1;

events {
    worker_connections 1024;
    #
}
http {
    # ensures that the server includes the proper mimetypes when the response is sent back to the client
    include mime.types;
    upstream backend_cluster {
        # Define the backend servers using round-robin
        server backend1:3000;
        server backend2:3000;
        server backend3:3000;
    }
    server {
        # server block
        }
    }
}

Before we start our fleet of services, we need to do a few things. Let’s start by updating the app.module.ts file to use the Redis storage module:

import { Module } from "@nestjs/common";
import { AppService } from "./app.service";
import {
  minutes,
  seconds,
  ThrottlerGuard,
  ThrottlerModule,
} from "@nestjs/throttler";
import { APP_GUARD } from "@nestjs/core";
import { AppController } from "./app.controller";
// throttler-behind-proxy.guard.ts
import { Injectable } from "@nestjs/common";
import { ThrottlerStorageRedisService } from "@nest-lab/throttler-storage-redis";

@Module({
  imports: [
    ThrottlerModule.forRoot({
      throttlers: [
        // {
        //   name: 'first',
        //   ttl: 1000,
        //   limit: 1,
        //   blockDuration: 1000,
        // },
        {
          name: "second",
          ttl: seconds(10), // 10000
          limit: 4,
        },
        // {
        //   name: 'third',
        //   ttl: minutes(1), // 60000
        //   limit: 25,
        // },
      ],
      errorMessage: "too many requests! on " + process.env.INSTANCE_NAME,
      storage: new ThrottlerStorageRedisService(
        `redis://default:1234@host.docker.internal:6379/0`
      ),
    }),
  ],
  controllers: [AppController],
  providers: [
    AppService,
    {
      provide: APP_GUARD,
      useClass: ThrottlerGuard,
    },
  ],
})
export class AppModule {}

We included a connection string to connect to Redis. The username and password fields are hardcoded here; they match those specified in the REDIS_ARGS: --requirepass 1234 and the REDIS_USERNAME default in our docker-compose.yaml file.

Also, we temporarily disabled all the other throttle options except the one named second. For now, the user is limited to four requests every 10 seconds and will be blocked for 10 seconds if they exceed the limit.

We also modified the error message to include the INSTANCE_NAME environment variable to know which instance the client is blocked on.

So that we know which server responds when we hit each endpoint, let’s now update our app.controller.ts file:

import { Controller, Get } from "@nestjs/common";
import { SkipThrottle, Throttle } from "@nestjs/throttler";
@Controller("app")
export class AppController {
  // @Throttle({
  //   first: {
  //     ttl: 3000,
  //     limit: 1,
  //     blockDuration: 10000,
  //   },
  // })
  @Get("/a")
  getA(): string {
    return "this is A on " + process.env.INSTANCE_NAME;
  }
  // @SkipThrottle({
  //   first: true,
  //   second: true,
  // })
  @Get("/b")
  getB(): string {
    return "this is B on " + process.env.INSTANCE_NAME;
  }
  @Get("/b")
  getC(): string {
    return "this is C on " + process.env.INSTANCE_NAME;
  }
}

We appended the INSTANCE_NAME environment variable to each endpoint response string to know which of our backend instances is responding to our request.

Let’s rebuild our images and restart our fleet of services again by running:

docker compose up -d --build

Now, when we hit our reverse proxy at localhost:8080/app/a:

Based on our throttle options definition, we defined limits that restrict the client to four requests every 10 seconds, and will be blocked for 10 seconds if they exceed the limit. Notice in the image above that when the limit is exceeded, the client is blocked across all instances.

Conclusion

Rate limiting helps force clients to consume resources responsibly. This guide shows us how we can use this technique to secure our web server and its resources from abuse.

Creating web APIs is part of most developers’ routines these days. In this sense, it is worth reflecting on how this process can be accelerated to increase productivity and improve performance without sacrificing organization and maintainability. It was with this in mind that the concept of “fast endpoints” emerged.

In this post, we will understand what fast endpoints are, how to implement them in practice and see what advantages they can offer compared to the traditional use of Controllers in ASP.NET Core and the modern minimal APIs.

⚡️Understanding Fast Endpoints

The concept of fast endpoints is related to approaches that seek to simplify and accelerate the development of APIs, with a focus on performance, low coupling between components and better code organization.

Fast endpoints emerged as an alternative to the traditional approaches for handling requests in web APIs, such as ASP.NET MVC Controllers and Minimal APIs, seeking to combine performance, organization and simplicity in a single model.

Fast Endpoints in ASP.NET Core

In ASP.NET Core, we have access to fast endpoints through the library of the same name, available at https://fast-endpoints.com. It operates under the MIT license, which means it is open source and can be used in private and commercial projects.

In addition, it follows the Request-Endpoint-Response (REPR) design pattern, which advocates the clear organization of an API’s components, separation of responsibilities, and ease of maintenance and reading.

Before the arrival of fast endpoints, the main ways to create web APIs were through traditional Controllers and modern Minimal APIs. Although both are excellent approaches, they have some gaps:

Controllers: Although they are robust, organized and ready for practically any type of configuration, they can be excessively verbose for simple scenarios. The way of implementing a Controller using classes and attributes often generates unnecessary overhead for lean APIs, and in some cases, it can make it difficult to have a more resource-oriented approach and a clear separation of responsibilities.

Minimal APIs: On the other hand, Minimal APIs offer a much simpler way to create endpoints, ideal for small and fast services. However, as they grow, they can compromise the organization and maintainability of the code. The lack of clear conventions and the mixture of business logic with route definition can make the code difficult to scale and test.

It is precisely in these limitations that fast endpoints stand out as a middle ground between these two approaches. They combine the best of both worlds:

• Performance and simplicity of Minimal APIs, with direct routing and a lean structure (the documentation indicates that the performance is on par with Minimal APIs and is noticeably better than MVC controllers)
• ️Organization, testability and separation of responsibilities of Controllers, allowing the use of validation, filters, dependency injection and clean encapsulation through specialized classes per endpoint

The great advantage of fast endpoints is that they allow you to write clean, modular and performant code without sacrificing clarity and scalability. This makes them an excellent choice for modern applications that require both agility and a solid foundation for long-term maintenance.

️Fast Endpoints in Practice

Now that we have seen what fast endpoints are and what their advantages are compared to traditional approaches, let’s create an ASP.NET Core application to implement them in practice.

As a scenario, let’s imagine that you need to create an activity logging system for the development team. This system must be simple, performant and at the same time support validations without being complex. In this case, we can use fast endpoints to create an API that fits these requirements.

To keep the focus on the main topic, some implementation details will not be shown in this post, but you can check the complete code in this GitHub repository: Work Log - source code.

To create the base application, you can use the command below. This post uses version 9 of .NET, which is currently the latest stable version.

dotnet new web -o WorkLog

Then, to install the NuGet packages used in this example, you can use the following commands:

dotnet add package FastEndpoints
dotnet add package FluentValidation
dotnet add package FastEndpoints.Validation

dotnet add package Microsoft.EntityFrameworkCore
dotnet add package Microsoft.EntityFrameworkCore.Sqlite
dotnet add package Microsoft.EntityFrameworkCore.Tools

The next step is to create the model class, so create a new folder called “Models” and, inside it, add the class below:

namespace WorkLog.Models;
public class TimeEntry
{
    public Guid Id { get; set; }
    public string UserName { get; set; } = default!;
    public string? ProjectName { get; set; }
    public DateTime Date { get; set; }
    public decimal Hours { get; set; }
    public string? Description { get; set; }
    public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
}

The DbContext class will be used to set the database configurations, so create a new folder called “Data” and, inside it, add the following class:

using Microsoft.EntityFrameworkCore;
using WorkLog.Models;

namespace WorkLog.Data;
public class WorkLogDbContext : DbContext
{
    public DbSet<TimeEntry> TimeEntries { get; set; }
    public WorkLogDbContext(DbContextOptions<WorkLogDbContext> options) : base(options) { }
}

Creating the Endpoints

The endpoint classes will contain the fast endpoints functionalities. For this, they will implement the Endpoint class from the FastEndpoints NuGet package. The first endpoint will be used to create new records in the database and then retrieve it, for this we will create some auxiliary classes for request and response. So, create a new folder called “Request” and inside it add the class below:

namespace WorkLog.Requests;
public class CreateTimeEntryRequest
{
    public string? UserName { get; set; }
    public string? ProjectName { get; set; }
    public DateTime Date { get; set; }
    public decimal Hours { get; set; }
    public string? Description { get; set; }
}

Then, create a new folder called “Response” and add the following classes to it:

• CreateTimeEntryResponse

namespace WorkLog.Responses;
public class CreateTimeEntryResponse
{
    public Guid Id { get; set; }
    public string? UserName { get; set; }
    public string? ProjectName { get; set; }
    public DateTime Date { get; set; }
    public decimal Hours { get; set; }
    public string? Description { get; set; }
    public DateTime CreatedAt { get; set; }
}

• GetTimeEntryResponse

namespace WorkLog.Responses;
public class GetTimeEntryResponse
{
    public Guid Id { get; set; }
    public string? UserName { get; set; }
    public string? ProjectName { get; set; }
    public DateTime Date { get; set; }
    public decimal Hours { get; set; }
    public string Description { get; set; } = default!;
    public DateTime CreatedAt { get; set; }
}

Finally, let’s create the endpoint class. Create a folder called “Endpoints” and, inside it, add the following class:

using FastEndpoints;
using WorkLog.Data;
using WorkLog.Models;
using WorkLog.Requests;
using WorkLog.Responses;

namespace WorkLog.Endpoints;
public class CreateTimeEntryEndpoint : Endpoint<CreateTimeEntryRequest, CreateTimeEntryResponse>
{
    private readonly WorkLogDbContext _dbContext;

    public CreateTimeEntryEndpoint(WorkLogDbContext dbContext)
    {
        _dbContext = dbContext;
    }

    public override void Configure()
    {
        Post("/time-entries");
        AllowAnonymous();
        Summary(s =>
        {
            s.Summary = "Create a new time entry";
            s.Description = "Registers hours worked by a professional on a specific project.";
        });
    }

    public override async Task HandleAsync(CreateTimeEntryRequest req, CancellationToken ct)
    {
        var timeEntry = new TimeEntry
        {
            Id = Guid.NewGuid(),
            UserName = req?.UserName,
            ProjectName = req?.ProjectName,
            Date = req.Date,
            Hours = req.Hours,
            Description = req.Description,
            CreatedAt = DateTime.UtcNow
        };

        _dbContext.TimeEntries.Add(timeEntry);
        await _dbContext.SaveChangesAsync(ct);

        await SendAsync(new CreateTimeEntryResponse
        {
            Id = timeEntry.Id,
            UserName = timeEntry.UserName,
            ProjectName = timeEntry.ProjectName,
            Date = timeEntry.Date,
            Hours = timeEntry.Hours,
            Description = timeEntry.Description,
            CreatedAt = timeEntry.CreatedAt
        });
    }
}

Note that the CreateTimeEntryEndpoint class represents an HTTP endpoint responsible for creating a new record of hours worked by a professional on a project.

The class inherits from Endpoint<CreateTimeEntryRequest, CreateTimeEntryResponse>, defining the input and output contract of this endpoint.

The Configure() method defines the main settings of the endpoint. We specify that it responds to HTTP POST requests on the /time-entries route and allows anonymous access (without authentication). We also use the Summary() method to document the purpose of the endpoint, making it easier to generate automatic documentation and for other developers to read.

The most important part is the HandleAsync method. When a request is received, we create a new instance of TimeEntry, filling its fields with the data from the request. This new record is then added to the context and persisted in the database with SaveChangesAsync.

Finally, we send a response to the client with the newly created timer data, encapsulated in the CreateTimeEntryResponse.

Then, still within the Endpoints folder, add the following class, which represents the endpoint for data recovery:

using FastEndpoints;
using Microsoft.EntityFrameworkCore;
using WorkLog.Data;
using WorkLog.Responses;
namespace WorkLog.Endpoints;

public class GetTimeEntriesEndpoint : EndpointWithoutRequest<List<GetTimeEntryResponse>>
{
    private readonly WorkLogDbContext _db;

    public GetTimeEntriesEndpoint(WorkLogDbContext db)
    {
        _db = db;
    }

    public override void Configure()
    {
        Get("/time-entries");
        AllowAnonymous();
    }

    public override async Task HandleAsync(CancellationToken ct)
    {
        var entries = await _db.TimeEntries
            .Select(e => new GetTimeEntryResponse
            {
                Id = e.Id,
                UserName = e.UserName,
                ProjectName = e.ProjectName,
                Date = e.Date,
                Hours = e.Hours,
                Description = e.Description,
                CreatedAt = e.CreatedAt
            })
            .ToListAsync(ct);

        await SendAsync(entries);
    }
}

This separation between input, entity and response models keeps the application more robust, decoupled and ready to evolve. In addition, this structure provides clear reading, reduces the boilerplate common in REST APIs, and offers a more fluid experience for both the writer and the maintainer of the code.

Creating the Validators

FastEndpoints has integration with the FluentValidations package, which means we can perform validations without much effort. So, to configure the validations of our API, create a new folder called “Validators” and, inside it, add the class below:

using FastEndpoints;
using FluentValidation;
using WorkLog.Requests;

namespace WorkLog.Validators;
public class CreateTimeEntryValidator : Validator<CreateTimeEntryRequest>
{
    public CreateTimeEntryValidator()
    {
        RuleFor(x => x.UserName).NotEmpty();
        RuleFor(x => x.ProjectName).NotEmpty();
        RuleFor(x => x.Date).NotEmpty().LessThanOrEqualTo(DateTime.Today);
        RuleFor(x => x.Hours).GreaterThan(0).LessThanOrEqualTo(24);
    }
}

Here, we create a validation class to check the input data of the record creation request. Note that the class inherits from Validator, which is a class from the FastEndpoints namespace. In addition, it implements validation methods such as NotEmpty(), which belongs to FluentValidation. This way, we have separate and organized validations for each endpoint.

The last thing to do is add the necessary settings for the classes created previously to the Program class. So, replace the Program class code with the code below:

using FastEndpoints;
using Microsoft.EntityFrameworkCore;
using WorkLog.Data;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<WorkLogDbContext>(options =>
    options.UseSqlite(builder.Configuration.GetConnectionString("DefaultConnection")));

builder.Services.AddFastEndpoints();

var app = builder.Build();

app.UseFastEndpoints();

app.Run();

Here, in addition to configuring the WorkLogDbContext database class, we also added the FastEndpoints configuration through the methods builder.Services.AddFastEndpoints() and app.UseFastEndpoints().

Note how the Program class is clean and organized, without the presence of endpoints, as happens when we use the Minimal APIs approach. Now we can reserve the Program class only for configurations, which is its main function .

Running the Fast Endpoints

Now that the implementations are ready, we can test if the endpoints are working correctly. To do this, we will use Progress Telerik Fiddler Everywhere to execute the requests and check the responses.

First, we will execute the HTTP-POST route: http://localhost:5011/time-entries to save a new record. This example will use the following JSON:

{
    "userName": "John Davis",
    "projectName": "john.davis@example.com",
    "date": "2025-08-01",
    "hours": 6.5,
    "description": "Worked on implementing the user authentication flow and fixed bugs related to token refresh."
}

The response in Fiddler returned a status of 200 – OK, which means that the endpoint worked correctly.

Now, let’s run the same endpoint, but this time without sending the required parameters to check if the FluentValidation validations are working. This time, the following JSON will be sent in the request body:

{
    "userName": "",
    "projectName": "",
    "date": "2025-08-01",
    "hours": 6.5,
    "description": "Worked on implementing the user authentication flow and fixed bugs related to token refresh."
}

Now, as expected, the response was an error indicating that some fields are mandatory.

Finally, we will make a request that will use the GetTimeEntriesEndpoint to retrieve the previously inserted record. So, executing the HTTP route: GET - http://localhost:5011/time-entries, we will have the following result:

Conclusion

FastEndpoints offers a modern and versatile way to build APIs in ASP.NET Core, combining the performance and simplicity of minimal APIs with the controller framework. This balanced approach improves maintainability and facilitates scalability and testability.

In this post, we explore its main advantages and create a sample API using the NuGet package, highlighting how its endpoint-centric design results in cleaner code.

If you are looking for an alternative to traditional API patterns, FastEndpoints is worth exploring. In addition to the features covered in this post, there are others, such as validation, filters and testability, that will probably help you in your projects.

Have you ever imagined having a complete history of data in a distributed application? With Event Sourcing, each change becomes an immutable event, for full traceability in ASP.NET Core.

Event Sourcing is an architectural pattern widely used in large and medium-sized systems due to its versatility in dealing with complexities through an approach different from traditional approaches: Instead of saving the current state, it records each change in the system as an event.

In this post, we will understand how Event Sourcing works and what its advantages are compared to traditional approaches. We will also implement an ASP.NET Core application using the principles of Event Sourcing.

Understanding Event Sourcing

Event Sourcing is an architectural pattern that aims to handle changes through immutable events, storing the complete history of all changes made to a system, allowing the reconstruction of the state at any time.

Imagine a bank account management platform. Instead of having an Account entity, which has a balance that is updated with each new transaction, in Event Sourcing, each transaction (deposit, withdrawal, transfer) is recorded as an event that does not change. Each event is recorded exactly as it was sent, so the current account balance is derived from the amounts deposited and withdrawn in previous events. This allows tracking the entire history of account movements, so all information from the first change to the last is present.

The image below demonstrates how movements in a bank account are handled using the traditional and Event Sourcing approaches.

Advantages of Using Events

The use of events brings several advantages, especially in systems that need to maintain traceability (history) and be scalable and resilient. Below are some of the main aspects that make the use of events a great choice:

Complete data history: The use of events allows you to have an immutable history of everything that happened. This facilitates audits, debugging and analysis of the behavior of the system during its life cycle.

Reproduction and reconstruction of the state: It is possible to reconstruct the current state of any entity, simply by reapplying past events.

Scalability and performance: The use of events allows the separation between writing (events) and reading (projections), allowing optimizations for each one in a specific way. In addition, systems can be designed to scale horizontally, since events are stored asynchronously.

Easy asynchronous integration: Allows the creation of decoupled microservices, where services react to events without the need for direct calls.

Resilience and fault tolerance: In case of failure, simply reprocess the events to restore the system state. In addition, there is no risk of data loss, as events are stored immutably and are always available.

Implementing Event Sourcing in ASP.NET Core

Now we will implement an ASP.NET Core application that uses the Event Sourcing pattern to send and receive deposit and withdrawal events. For this, we will use two libraries: RabbitMQ and MassTransit.

RabbitMQ is a message broker that implements the Advanced Message Queuing Protocol (AMQP). It acts as an intermediary between message producers and consumers, allowing them to communicate in a decoupled and asynchronous way.

MassTransit is a .NET library for asynchronous messaging. It simplifies integration with message brokers like RabbitMQ or Azure Service by abstracting away complex details and supporting messaging patterns like publish/subscribe, request/response and saga orchestration.

Prerequisites

Below are some prerequisites that you need to meet to reproduce the tutorial in the post.

1. .NET version – You will need the latest version of .NET (.NET 9 or higher)
2. Docker – Required to run the local RabbitMQ service

Creating the Application and Installing the Dependencies

To create the application, you can use the command below:

dotnet new web -o BankStream

Then, in the project root, you can use the following commands to install the NuGet packages:

dotnet add package Microsoft.EntityFrameworkCore
dotnet add package Microsoft.EntityFrameworkCore.Sqlite
dotnet add package Microsoft.EntityFrameworkCore.Design
dotnet add package MassTransit
dotnet add package MassTransit.RabbitMQ
dotnet add package MassTransit.AspNetCore

Creating the Events

Now let’s create the entities that represent the deposit and withdrawal events. They will be simple, as the focus is to demonstrate the sending and consumption of the events.

So, create a new folder called “Events” and, inside it, create the following records:

• DepositEvent

namespace BankStream.Events;

public record DepositEvent(Guid Id, string AccountId, decimal Amount);

• WithdrawalEvent

namespace BankStream.Events;

public record WithdrawalEvent(Guid Id, string AccountId, decimal Amount);

Creating the Consumers

Then, let’s create the consumers. They are responsible for receiving the events and processing the actions related to it. In this case, update the status and register it in the database.

First, let’s create the classes and enums used by the consumers. So, create a new folder called “Models” and, inside it, create the following classes:

• StatusEnum

namespace BankStream.Models;
public enum StatusEnum
{
    Pending,
    Completed,
    Failed,
    Canceled,
    Reversed,
    InProgress,
    OnHold
}

• TransactionTypeEnum

namespace BankStream.Models;

public enum TransactionTypeEnum
{
    Deposit,
    Withdrawal
}

• TransactionStatus

namespace BankStream.Models;

public class TransactionStatus
{
    public TransactionStatus()
    {
    }

    public TransactionStatus(Guid id, string accountId, StatusEnum statusEnum, decimal amount, bool isSuccess, string? errorMessage, TransactionTypeEnum type, DateTime createdAt)
    {
        Id = id;
        AccountId = accountId;
        StatusEnum = statusEnum;
        Amount = amount;
        IsSuccess = isSuccess;
        ErrorMessage = errorMessage;
        Type = type;
        CreatedAt = createdAt;
    }

    public Guid Id { get; set; }
    public string AccountId { get; set; }
    public StatusEnum StatusEnum { get; set;}
    public decimal Amount { get; set; }
    public bool IsSuccess { get; set; }
    public string? ErrorMessage { get; set; }
    public TransactionTypeEnum Type { get; set; }
    public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
}

Then, create a new folder called “Data” and inside it add the class below:

using BankStream.Events;
using BankStream.Models;
using Microsoft.EntityFrameworkCore;

namespace BankStream.Data;

public class EventDbContext : DbContext
{
    public DbSet<DepositEvent> Deposits { get; set; }
    public DbSet<WithdrawalEvent> Withdrawals { get; set; }
    public DbSet<TransactionStatus> TransactionStatus { get; set; }

    public EventDbContext(DbContextOptions<EventDbContext> options)
        : base(options) { }
}

Now, let’s create the consumer classes. Create a new folder called “Consumers” and add to it the following classes:

• DepositConsumer

using BankStream.Data;
using BankStream.Events;
using BankStream.Models;
using MassTransit;

namespace BankStream.Consumers;

public class DepositConsumer : IConsumer<DepositEvent>
{
    private readonly EventDbContext _dbContext;

    public DepositConsumer(EventDbContext dbContext) => _dbContext = dbContext;

    public async Task Consume(ConsumeContext<DepositEvent> context)
    {
        var deposit = context.Message;

        try
        {
            await _dbContext.TransactionStatus.AddAsync(new TransactionStatus(
                Guid.NewGuid(),
                deposit.AccountId,
                StatusEnum.Completed,
                deposit.Amount,
                true,
                string.Empty,
                TransactionTypeEnum.Deposit,
                DateTime.Now)
            );

            await _dbContext.Deposits.AddAsync(deposit);

            await _dbContext.SaveChangesAsync();
        }
        catch (Exception ex)
        {
            await _dbContext.TransactionStatus.AddAsync(new TransactionStatus(
                Guid.NewGuid(),
                deposit.AccountId,
                StatusEnum.Failed,
                deposit.Amount,
                true,
                ex.Message,
                TransactionTypeEnum.Deposit,
                DateTime.Now)
            );
            await _dbContext.SaveChangesAsync();
            throw;
        }
    }
}

• WithdrawalConsumer

using BankStream.Data;
using BankStream.Events;
using BankStream.Models;
using MassTransit;

namespace BankStream.Consumers;

public class WithdrawalConsumer : IConsumer<WithdrawalEvent>
{
    private readonly EventDbContext _dbContext;

    public WithdrawalConsumer(EventDbContext dbContext) => _dbContext = dbContext;

    public async Task Consume(ConsumeContext<WithdrawalEvent> context)
    {
        var withdrawal = context.Message;
        try
        {
            await _dbContext.TransactionStatus.AddAsync(new TransactionStatus(
                Guid.NewGuid(),
                withdrawal.AccountId,
                StatusEnum.Completed,
                withdrawal.Amount,
                true,
                string.Empty,
                TransactionTypeEnum.Withdrawal,
                DateTime.Now)
            );

            await _dbContext.Withdrawals.AddAsync(context.Message);
            await _dbContext.SaveChangesAsync();
        }
        catch (Exception ex)
        {
            await _dbContext.TransactionStatus.AddAsync(new TransactionStatus(
                Guid.NewGuid(),
                withdrawal.AccountId,
                StatusEnum.Failed,
                withdrawal.Amount,
                false,
                ex.Message,
                TransactionTypeEnum.Withdrawal,
                DateTime.Now)
            );
            await _dbContext.SaveChangesAsync();
            throw;
        }
    }
}

Now, let’s analyze what is being done in both consumers.

The above classes DepositConsumer and WithdrawalConsumer use MassTransit to process events through the IConsumer<T> interface.

When a transaction event arrives, the Consume() method extracts the data from the received message and persists it to the database. In both classes, a new transaction status record (TransactionStatus) is created, making it possible to track the actions that occurred during processing.

After the transaction status is created, the deposit and withdrawal events are added to their database datasets (_dbContext.Deposits and _dbContext.Withdrawals). Finally, the changes are persisted in the database through the SaveChangesAsync() call.

Creating the Controller Class

In the controller class, we will add the endpoints for deposit and withdrawal that will call the events. So, create a new folder called “Controllers” and, inside it, add the following controller class:

• AccountController

using BankStream.Data;
using BankStream.Events;
using BankStream.Models;
using MassTransit;
using Microsoft.AspNetCore.Mvc;

namespace BankStream.Controllers;

[ApiController]
[Route("api/accounts")]
public class AccountController : ControllerBase
{
    private readonly IBus _bus;
    private readonly EventDbContext _dbContext;

    public AccountController(IBus bus, EventDbContext dbContext)
    {
        _bus = bus;
        _dbContext = dbContext;
    }

    [HttpPost("deposit")]
    public async Task<IActionResult> Deposit([FromBody] DepositEvent deposit)
    {
        await _dbContext.TransactionStatus.AddAsync(new TransactionStatus(
            Guid.NewGuid(),
            deposit.AccountId,
            StatusEnum.Pending,
            deposit.Amount,
            false,
            string.Empty,
            TransactionTypeEnum.Deposit,
            DateTime.Now)
        );
        await _dbContext.SaveChangesAsync();

        await _bus.Publish(deposit);
        return Accepted();
    }

    [HttpPost("withdrawal")]
    public async Task<IActionResult> Withdraw([FromBody] WithdrawalEvent withdrawal)
    {
        await _dbContext.TransactionStatus.AddAsync(new TransactionStatus(
             Guid.NewGuid(),
             withdrawal.AccountId,
             StatusEnum.Pending,
             withdrawal.Amount,
             false,
             string.Empty,
             TransactionTypeEnum.Withdrawal,
             DateTime.Now)
         );
        await _dbContext.SaveChangesAsync();

        await _bus.Publish(withdrawal);
        return Accepted();
    }

   [HttpGet("{accountId}/balance")]
    public IActionResult GetBalance(string accountId)
    {
        var deposits = _dbContext.
            Deposits.
            Where(d => d.AccountId == accountId)
            .Sum(d => d.Amount);

        var withdrawals = _dbContext
            .Withdrawals
            .Where(w => w.AccountId == accountId)
            .Sum(w => w.Amount);

        return Ok(deposits - withdrawals);
    }
}

Here, the controller uses the IBus interface, which is the MassTransit message bus used to publish events.

When a client makes an HTTP POST request to the /api/accounts/deposit endpoint, the Deposit() method receives a DepositEvent, representing the request for a deposit. Before publishing the event to the bus, a transaction status of Pending is recorded in the database, indicating that the operation has been requested but has not yet been completed. After persisting this status, the event is published with _bus.Publish(deposit), allowing asynchronous consumers such as DepositConsumer to process the transaction.

The same flow applies to the Withdraw method, which responds to the /api/accounts/withdrawal endpoint. It receives a WithdrawalEvent, records the transaction as Pending in the database, and publishes the event to the bus for later processing by the WithdrawalConsumer.

In addition to these two endpoints, there is a third one that is used to check the balance. To do this, instead of just fetching the value from the database as in traditional approaches, it uses the principle of Event Sourcing to reconstruct the current state through the transaction history. So, first, the totals of deposits and withdrawals are obtained, and the balance value is obtained by subtracting the total withdrawals from the total deposits.

Configuring the Program Class

In the Program class, we will configure the EventDbContext class to use the SQLite database. In addition, we will configure MassTransit and RabbitMQ to send and consume events.

So, open the Program class of your application and replace whatever is in it with the following code:

using BankStream.Consumers;
using BankStream.Data;
using MassTransit;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

builder
    .Services
    .AddDbContext<EventDbContext>(options => options.UseSqlite("Data Source=events.db"));
builder
    .Services
    .AddMassTransit(x =>
    {
        x.AddConsumer<DepositConsumer>();
        x.AddConsumer<WithdrawalConsumer>();
        x.UsingRabbitMq(
            (context, cfg) =>
            {
                cfg.Host("rabbitmq://localhost");
                cfg.ReceiveEndpoint(
                    "event-queue",
                    e =>
                    {
                        e.SetQueueArgument("x-message-ttl", 500000);
                        e.ConfigureConsumer<DepositConsumer>(context);
                        e.ConfigureConsumer<WithdrawalConsumer>(context);
                    }
                );
            }
        );
    });

builder.Services.AddControllers();

var app = builder.Build();

app.MapControllers();

app.Run();

Let’s analyze the code above.

After configuring SQLite, MassTransit is registered, where the two consumers are configured: DepositConsumer and WithdrawalConsumer. In addition, communication with RabbitMQ is established to transport the messages, for which the connection is established with a local host (rabbitmq://localhost).

Within the RabbitMQ configuration, a receiving endpoint called event-queue is defined. This queue is configured with the SetQueueArgument() method and a special argument, x-message-ttl, which determines the time to live of the messages within the queue. This lets us remove expired messages automatically after 500,000 milliseconds (500 seconds). This is done so that the messages can be checked in the RabbitMQ dashboard. Finally, the consumers are linked to the queue, so that any deposit or withdrawal event received by RabbitMQ will be forwarded to the appropriate consumer for processing.

Running EF Migrations

To create the database and tables, run the EF Core commands:

1. Command to install EF if you don’t have it yet:

dotnet tool install --global dotnet-ef

2. Generate the Migration files:

dotnet ef migrations add InitialCreate

3. Run the persistence:

dotnet ef database update

Setting up RabbitMQ in Docker

To run the application, you need to have RabbitMQ running locally. To do this, you can use the command below to download the RabbitMQ image and run a Docker container of it:

docker run -d --name rabbitmq -p 5672:5672 -p 15672:15672 rabbitmq:3-management

After running the command, you can check the RabbitQM container running on Docker Desktop:

Sending and Consuming Events

Now run the application and request the endpoint below. This post uses Progress Telerik Fiddler Everywhere to make the requests.

POST - http://localhost:PORT/api/accounts/deposit

{
  "id": "a1a7c1f2-3d4e-42b9-9e77-5f1e7c8b6c2f",
  "accountId": "123456789",
  "amount": 1300.90
}

Now, access the RabbitMQ homepage at the address indicated in Docker (you can use the default username and password guest). Then click on the “Queues and Streams” menu, then on “Get messages”, and finally “Get message(s)”.

So, you can check the data sent in the message, as well as other data such as operating system, etc., as shown in the images below:

Now let’s run the withdrawal endpoint, so make a new request to the endpoint

POST - http://localhost:PORT/api/accounts/withdraw

{
"id": "fef6df04-df3f-46a7-99a7-6d9992dd3558",
"accountId": "123456789",
"amount": 200.00
}

Then, make another request to the endpoint below to retrieve the current balance:

GET - http://localhost:PORT/api/accounts/123456789/balance

If everything goes well, you will get the result below as shown in the image.

Note that the resulting value was 1100.90. This value does not exist in the database but is the result of subtracting the deposit value of 1300.90 from the withdrawal value of 200.00.

Conclusion

Whether or not to use Event Sourcing is a choice that should be made based on the needs of the project. If you need to keep a history of changes to a specific object, such as a bank account balance, for example, Event Sourcing can be a great choice. In addition, Event Sourcing has other advantages such as easy scalability, performance, decoupling, resilience and fault tolerance.

In this post, we understand how Event Sourcing differs from traditional approaches and how to implement a bank balance management system in practice, using the resources of RabbitMQ and MassTransit for sending and consuming messages.

So, I hope this post helps you understand and implement Event Sourcing using cutting-edge resources like ASP.NET Core, RabbitMQ, MassTransit and Docker.

Queues play an important role in building performant and scalable applications. They make it possible to avoid congestion in systems by streaming tasks or jobs from a producer to a consumer. Producers are just entities that add the jobs/tasks to the queue, and jobs are typically some JSON data. The worker/consumer is just a function whose job is to process the added jobs or tasks in a controlled manner without being overwhelmed.

Firebase Cloud Functions is a serverless offering by Google that allows developers to focus on writing functions without worrying about the servers they run on. When these functions are written, they can be called via HTTP like a regular web server endpoint, and they can be made to run immediately or in the background when an event happens on some resource/service. For example, when something is added to the database, or when a new file is uploaded to a storage bucket, etc.

This guide will explore one type of Cloud function called Task Queue Functions that automatically leverage Google’s Cloud Tasks API. This is an API that makes it easy for us to use queues. Our use case will be a simple ecommerce app that needs to send emails to users. After processing dummy orders, we will store email-sending requests in a queue and add workers function to send actual emails to the user’s inbox. We will explore the options that can be used to enqueue tasks to the queue.

Prerequisites

To follow along with this guide, it is assumed you understand Firebase and are familiar with JavaScript and comfortable with basic TypeScript.

Google Cloud Tasks API and Task Queue Functions

Let’s briefly describe the Cloud Tasks API and where task queue functions come in. The idea here is to see how these two are related and how they are intended to be used.

The Cloud Tasks API is based on four core constructs: queues, tasks/jobs, handlers/workers and targets.

The queue holds the task. The task is some data, typically a plain JavaScript object. The handler/worker is the function that completes the task. The target refers to the environment where the worker runs. A task is added by making an HTTP request to the Cloud Tasks API, which adds it to the queue, after which the task is then dispatched to the worker to handle it.

The essence of this API is to make it budget-friendly and easy for developers to offload resource-intensive background tasks to queues and then connect worker functions that will process or handle the tasks in the queue. The use case for this API is best suited strictly for tasks that need to be done in the background and do not require immediate results from processing that task. Make sure that your use case fits into this area before using the API.

Some examples of such tasks include:

• Sending emails
• Updating analytics
• Coordinated access to a third party that is rate-limited

While the basic explanation of this API sounds simple, there are some caveats to note. First, even though directly interacting with the Cloud Tasks API allows for more dynamism and supports many use cases, using and understanding all its moving parts can be challenging for a new developer who just wants to have everything working.

The Cloud Tasks API is structured so that when queues are created, the developer has to create the environment (target) separately and add the worker function that will process tasks that will be added to the queue. In some cases, this may also need to handle scaling of the workers under intense workloads. Task functions simplify this.

Task functions are cloud functions that make it easy for the developer to write a worker function and declaratively write the settings for the queue. Under the hood, Firebase takes care of the rest. It interacts with the Cloud Tasks API, creates the queue and connects the worker function to it. It also handles all the scaling related logic so that enough worker functions are spawned when necessary and killed with little or no effort by the developer.

What We Will Be Building

Our mini-application will be a simple ecommerce app that needs to send users emails after processing their order. For this, we will be defining two cloud functions.

First, we will start with the main task queue function, which will manage the queue containing the email-sending tasks. We will add the worker function, which will send emails using EmailJS. Then, we will test our task queue function locally by calling it via HTTP.

Next, to make our setup feel more like a real-world app, we will create another cloud function, which will be a regular user-facing HTTP endpoint that simulates a simple order processing endpoint. This function will not do anything fancy here; we will just show how to queue email-sending tasks from this function and trigger the task queue function’s worker to execute the task.

We will deploy both functions to a live URL and go over how to expose them in production via HTTP endpoints. We will test all endpoints during development or production.

Project Setup

Let’s put everything we will need in place before we begin. We will be doing three things mainly:

• Setting up a Firebase project
• Setting up cloud functions locally using the Firebase project
• Setting up EmailJS for sending emails

Create a Firebase Project

Visit the Firebase console to create a project. Give your project a name. As shown below, I’m calling mine “awesome project”.

If you plan to follow this guide and only test locally, you can omit this step. However, since we plan to deploy our cloud functions and use the Cloud Tasks API, we need to enable billing on the Firebase project we just created.

You get up to one million free calls when using the Cloud Tasks API, so feel free to add a billing account.

Initialize Cloud Functions from the Firebase Project

Now, let’s set up a cloud functions project locally. We will start by installing the required Firebase tools needed to do this.

If you have Node.js installed on your system, open your terminal and run this command:

npm install -g firebase-tools

Next, you need to authenticate by running firebase login. Then, you can create a directory of your choice on your device by running mkdir cloud-tasks && cd cloud-tasks.

Then, initialize your project by running firebase init. In the prompt, select the features you want to add to your project. Select cloud functions and emulators. Emulators allow you to test the project locally.

Next, let’s choose the Firebase project we created on the authenticated account and connect it to our local setup.

We will write our functions in TypeScript and use cloud tasks and functions. We will only choose their respective emulators since that is what we will need.

If everything is done correctly, your project setup should look like this:

Next, run the following command to install the dependencies for our Cloud Functions project.

cd functions
npm install

As of the time of writing, it is important to note that Cloud Functions are compatible when testing locally and in production for Node.js versions 18 through 20. However, Node.js 22 is only supported for previewing the project when testing locally. If you get an error about your Node version when running the command above, and you are using Node.js 22, you can update the engines property in your functions/package.json file.

// Update the engines property from this:
"engines": {
        "node": "18"
    },

//to this:
    "engines": {
        "node": "22"
    },

Set Up EmailJS for Emails

EmailJS is a service that makes it easy to send emails directly from a client or serverside app. Visit the EmailJS website and create an account. Then, on the dashboard, set up a service.

We can use the Gmail service since emails will be sent from a personal account. Feel free to select any service of your choice. Once you have created a service, it will be displayed in the services list. Take note of the Service ID.

Next, we need to create an email template. In the Email Templates section, click Create New Template.

Our template will take four parameters that are quite intuitive.

Here are some of them:

• title: The title of the email
• body: The raw HTML representing the body of the email. Notice it’s wrapped in 3 braces, i.e., {{{body}}}
• recipient: The email address of the receiver

Once you are done, save the template. You should see the newly created template, as shown below. Make sure you take note of the template ID.

Finally, we need to get our API keys. You can retrieve them in the Account section.

In the functions folder of the project, create a .env file and add the following to it:

GMAIL_SERVICE_ID = ENTER - EMAILJS - SERVICE - ID;
EMAIL_SERVICE_PRIVATE_KEY = ENTER - EMAILJS - PRIVATE - KEY;
EMAIL_SERVICE_PUBLIC_KEY = ENTER - EMAILJS - PUBLIC - KEY;

Since we will be making HTTP requests to the EmailJS server, we will also need Axios. From the functions directory, run the following command in your terminal:

npm i axios

Add Task Queue Function for Sending Emails

Add the following to your functions/src/index.ts file:

import { onTaskDispatched, Request } from "firebase-functions/tasks";
import axios from "axios";
import { initializeApp } from "firebase-admin/app";
initializeApp();

type notificationTask = {
  recipients: string[];
  title: string;
  body: string;
};
exports.handleNotification = onTaskDispatched(
  {
    retryConfig: {
      maxAttempts: 2,
      minBackoffSeconds: 30,
    },
    rateLimits: {
      maxConcurrentDispatches: 5,
    },
  },
  async (req: Request<notificationTask>) => {
    const data = req.data;
    await sendEmail("template_tz98ape", {
      title: data.title,
      body: data.body,
      recipient: data.recipients[0],
    });
    return;
  }
);
async function sendEmail(templateId: string, params: any) {
  await axios.post("https://api.emailjs.com/api/v1.0/email/send", {
    service_id: process.env.GMAIL_SERVICE_ID,
    template_id: templateId,
    template_params: params,
    accessToken: process.env.EMAIL_SERVICE_PRIVATE_KEY,
    user_id: process.env.EMAIL_SERVICE_PUBLIC_KEY,
  });
  return true;
}

In the code above, we use initializeApp to set up the Cloud Functions project using the Firebase project we linked to it earlier. This function has to be called first before any other code. Every project has a default service account that allows the app to access one or more resources, and this call verifies that our application is ready to interface with the cloud.

Next, we called our task queue function handleNotification. Task queue functions are created using the onDispatch function, which expects two parameters: the first is an object that allows us to declaratively specify how we want to configure the queue and its behavior, and the second is the actual worker function.

For the queue options, we use its retryConfig property and specify that each task in the queue should be retried a maximum of two times if it fails. We also specified that each time it fails, there should be a delay of 30 seconds before trying it again.

We also specified that if many tasks are in the queue, at least five should be processed at once. This means that, at most, five instances of the worker function should be spawned in those situations.

The worker function is the second parameter passed to the onDispatch function. Worker functions only accept a request object. Since they are not meant to return a response, each time a worker function is called, the task payload is contained in the request’s body. In our case, our notification task payload type looks like this:

type notificationTask = {
  recipients: string[];
  title: string;
  body: string;
};

It is retrieved from the request body and then used to invoke the sendEmail function to send the email.

You can create and configure powerful customized queues with task queue functions with just a few lines of code and get things to work.

To test our function, run npm run serve, then head over to localhost:4000. In the logs tab, you should see that our handleNotification task queue function is initialized and ready to be called.

Now, let’s add a task to our queue and then trigger the worker function in Progress Telerik Fiddler Everywhere.

To avoid errors, when adding a task, the request body must contain a data property that holds the contents of the task. In our case, we added our notification task payload. When we make the request, we add the task to the queue via the Cloud Tasks API, and we get back the 204 response.

Later, the Cloud Tasks API will dispatch the task to the worker function to run it. This makes the response time short since the call has no business with the worker directly.

Upon successful execution of the worker, when we check the user’s inbox we should see the email as shown below.

Enqueueing Tasks from Another Cloud Function

We have been able to explore task queue functions, but we are still missing one thing—adding practicality to their usage. In this section, we will be looking at the following:

• In a real-world app like our dummy ecommerce app, email sending typically happens after an order has been processed, so it is common for us to queue notification tasks from a separate function.
• For security reasons and because we know the task producers, we may not want to expose an endpoint that can be called directly to add tasks to the task queue, as we did in Fiddler.

In view of all this, we will define another simple Cloud Function to process orders. It will simply interact with the Cloud Tasks API and enqueue a notification task. Let’s now update our functions/scr/index.ts file with the following:

import { onRequest } from "firebase-functions/v2/https";
import { onTaskDispatched, Request } from "firebase-functions/tasks";
import axios from "axios";
import { getFunctions } from "firebase-admin/functions";
import { initializeApp } from "firebase-admin/app";
initializeApp();
// Start writing functions
// https://firebase.google.com/docs/functions/typescript
type notificationTask = {
  recipients: string[];
  title: string;
  body: string;
};

exports.handleNotification = onTaskDispatched(
  {
    //... queue options
  },
  async (req: Request<notificationTask>) => {
    //....
  }
);
async function sendEmail(templateId: string, params: any) {
  //....
}
type order = {
  order_id: string;
  order_date: string;
  customer: {
    customer_id: string;
    name: string;
    email: string;
  };
  items: {
    item_id: string;
    name: string;
    quantity: number;
    price_per_unit: number;
    subtotal: number;
  }[];
  payment: {
    payment_id: string;
    method: string;
    status: string;
    amount: number;
    currency: string;
    transaction_id: string;
  };
  order_status: string;
  notes: string;
};
export const processOrder = onRequest(async (request, response) => {
  const order: order = request.body;
  const queue = getFunctions().taskQueue("handleNotification");
  const notification: notificationTask = {
    recipients: [order.customer.email],
    title: "order processed succussfully",
    body: `<h2>dear ${order.customer.name} , your order has been processed successfully</h2>`,
  };
  queue.enqueue(notification, {
    scheduleDelaySeconds: 5,
  });
  response.json({
    message: "order processed successfully!",
  });
});

We defined an HTTP function called processOrder using the onRequest function from the firebase-functions library. Our HTTP function simulates a dummy endpoint that expects an order as a payload. Using getFunctions().taskQueue("handleNotification"), the reference to the handleNotification queue is retrieved. It constructs a notification task and then enqueues it to the task queue using its enqueue method.

When using enqueue, we pass two arguments: the task and a configuration on the task. In our case, we just set a delay of 5 seconds. There are many things that can be configured here; for example, you can specify the exact time you want the task to run, etc.

Let’s now proceed to test the function locally again. In your terminal, run npm run serve, head over to Fiddler, and call the function using the URL printed in the logs section of your emulator suite.

Deploying Our Functions

Let’s take our two functions live. Open your terminal and run npm run deploy. To get the live URLs of your functions, do the following:

1. Head over to your Cloud console and search for "cloud run functions.”

We want to trigger the processOrder function, so select it. In the trigger section, you should see the live URL to our Cloud Function. We won’t expose the handleNotification task queue function for reasons specified earlier.

However, when we try to access this function, we get an error, as shown below.

We need to make the function available to the public. In Google Cloud terms, we need to add the cloud invoker role for all users to this function.

In the permissions tab, copy the command to add the invoker role. If you have the Google Cloud CLI installed, and the target project (awesome-project) selected, run this command in your terminal:

gcloud functions add-invoker-policy-binding processOrder \
--region="us-central1" \
--member="allUsers"

Testing Production Endpoints

Let’s head to Fiddler Everywhere to trigger our processOrder HTTP function with a dummy order to add a notification task to our queue on the Cloud Tasks API. Then, we trigger our task queue function’s worker to process it and send an email to the user’s inbox.

Conclusion

Queues remain indispensable in building scalable, distributed systems. Finding a budget-friendly way to integrate them using the Cloud Tasks API is something to look into whenever you need to integrate these powerful structures in a project. Hopefully, this will serve as a marker to look out for in future projects.

If you’re building a web service, a client for a web service or both, you’re going to get everything up and running faster with Progress Telerik Fiddler Everywhere (unless everything works the first time … and we both know that won’t happen). I’m actually selling Fiddler short here: If your application involves any kind of network traffic, Fiddler is going to be helpful because, once you start Fiddler Everywhere, it monitors all your outgoing and incoming network requests, not just your HTTP traffic.

In this post, though, I’m going to focus just on using Fiddler Everywhere when building web services and their clients. Fiddler not only gives you the ability to debug what’s really going on in the conversation between your client and your server but, also, the ability to use your own messages to support debugging and testing. Fiddler Everywhere is the fastest/easiest way to trigger a debugging session with your service, for example, along with being the most efficient way to debug special cases.

Exploring Problems

Installing Fiddler Everywhere is easy (download it from your Telerik account). However, when you start Fiddler up, it’s initial display can be … daunting. These days, there’s a ton of traffic going in and out of your computer and Fiddler, by default, shows all of it.

However, typically all you want to see is what’s happening with the client and web service that you’re currently working on. Your first step, then, is to narrow that list of messages down to just the requests sent by your client and the responses returned from your service. To do that, click on the Filters button at the top of Fiddler’s list of network messages to open the Filters dialog.

In that dialog, you can use multiple parameters to filter the messages that Fiddler shows you, but the parameter you probably want is the default one: URL.

To limit your messages to those between your client and service, just copy the URL that your client is using to call your web service and paste it (or some part of it) into the textbox on the right of the filter. At the bottom of the dialog, you’ll get a message saying how many of the current messages match your filter. (If that number is 0, don’t panic! It just means that you haven’t run your client yet and there are no messages to display.)

After setting the filter, click the Apply button in the lower right corner of the Filters dialog to close the dialog and return to the main Fiddler UI.

You can now switch to your client and have it call your web service to display the request message sent by your client and the response returned by your service (Fiddler bundles those up into a single entry in the message list). It doesn’t matter, by the way, if your client is a desktop app or a client-side app running in your web browser: Fiddler sees everything.

If you’re lucky, your client’s call will succeed and you’ll get a display like this:

But, if everything was working, you wouldn’t be using Fiddler, would you? It’s more likely that you’re using Fiddler because you have a problem and your client application is displaying a message like this (in this case, the message is from a browser-based client accessing a secured Azure web service):

If your client is sending and receiving lots of messages that work just fine, you can re-filter your message to focus on your “problem messages.” To focus on your error, return to the Filters dialog, set the filter type to Status Code, and enter the status code that your client is getting into the value text box (502 in this case). The middle dropdown list will automatically switch to “is equal to” when you select Status Code as your parameter.

Now you’re focusing on the messages between your client and service that you care about. The panel to the right of the message list in Fiddler Everywhere will let you explore that failing exchange.

Exercising Your Client and Service

But building an app isn’t always about tracking down bugs: As you write new code in either your client or your service, you need to run it to see what it does. Fiddler can make you more productive in running the code in both your client and service by performing the first step in testing: Isolating the code you want test.

One caveat: Fiddler Everywhere is great for doing the interactive, exploratory testing that lets you diagnose and fix the problems between your client and service. This is the kind of testing that precedes developing suites of automated regression tests. Fiddler isn’t a replacement for a package that supports creating test suites to be run on a schedule or when new code is checked in. (Advertising plug: The Progress offering in that area is Test Studio for APIs, which you can use starting with unit testing and all the way through to integration tests.)

Testing Your Service

The cleanest way to test your service is to isolate it from your client so you can see how your service responds to the messages it receives.

The easiest way to do that is to reuse an existing message in Fiddler’s message list: Just right-click on the message of your choice and, from the popup menu, select Replay. Fiddler will send your message to the service and display the resulting messages as new items in the message list. You can now modify your service and test how well (or sadly) your changes work without having to restart your client and navigate through its interface (as I said earlier: this is also the fastest, easiest way to start a debugging session with your service).

If you have a Pro license, you can also modify an existing request/response message to see what happens when, for example, your service is sent a malformed message—and do that without torturing your client into sending a malformed message.

All you have to do is right-click on the message and select Edit in Composer to open the Composer window. In Composer, you can modify one or more of the message’s method, URL, headers, HTTP version and payload/body. Make your changes and click the Execute button at the top of composer to send your revised message to your service.

Testing Your Client

You can also, with the Pro license, simplify exercising the changes in your client by isolating your client from your service. You do that by defining rules in Fiddler that define responses to client requests (this feature was formerly called Auto Responder). Now, when your client sends a message, Fiddler will catch it and send a response for you. This lets you, for example, see how your client responds to an unfortunate status code (e.g., a 503 “server too busy” response) without finding some way to force your service to send that status.

To add a rule, switch to the rules tab in Fiddler’s right panel and click on the Add Rule button to a dialog to generate your rule. Once that rule dialog is open, you first need to specify a condition that will invoke a rule—in many cases that will be the URL and method that your client is using when invoking your service (use the Add Condition button at the top of the tab to add another condition).

After you’ve added a connection to specify what requests from your client you want to Fiddler to respond to, your next step is to add an Action that specifies the message to be sent to your client. You do that with the Add Action on the right side of the Rules dialog.

You can use actions to either modify the client’s request message to be sent to the service or the response to be sent to the client when the rule’s conditions are met. This example creates a rule that returns a 401 unauthorized response for any GET request sent from my client:

Your last steps in creating a rule are to give your rule a name and click the Save button in the lower right of the Rules dialog. Your new rule will be added to the list in the Rules tab and is ready to be used (by default, Fiddler ignores your rules until you want to use them).

To use your rule, you need to first enable using any rules: Set the toggle at top of the Rules tab. With rules now enabled, you then selectively enable the rules you want to use to exercise your client. Now, when you run your client, Fiddler Everywhere will intercept any requests that meet your rule’s condition and send back the message you specified in your action (in my case, that’s an unauthorized status code so I can see what problems that creates in my client).

You’ve now got the tools you need to analyze the conversation between your client and service, plus the ability to perform the key task in testing any code: Isolating the component under test. Now you just, you know, get them to work.

Try Fiddler Everywhere

Vector search is an approach that allows finding a specific piece of data in a different way from traditional methods, as it is based on vector similarity. That is, vectors that are semantically or visually similar to each other.

Entity Framework Core 9 introduced, albeit experimentally, the possibility of creating and searching vector data in the Azure Cosmos DB database. In this post, we will see an introduction to vector search, what its advantages are and how to implement vector search in ASP.NET Core using the experimental features of EF 9.

What Is Vector Search?

Vector search is a search technique used to find data that has some similarity to each other. Vectors commonly determine this similarity.

Vectors, or embeddings, are numeric characters that represent words, documents, images or videos. Vectors capture semantic relationships between data. This technique identifies similar items based on their proximity in a multidimensional vector space, rather than relying solely on exact text matches, as in traditional search approaches.

Differences Between Vector Search vs. Traditional Search

Traditional search uses a keyword-based approach to retrieve information. In this way, the search is performed through an exact or approximate match of terms, without interpreting the context or the semantic relationship between the terms.

In contrast, vector search transforms data into multidimensional numerical representations (vectors), allowing the identification of semantic similarities and expanding the power of the search.

While the traditional approach is effective for exact and structured searches, vector search excels in scenarios where understanding the context and the relationship between terms is essential, such as in semantic searches, chatbots and recommendation systems.

Imagine the following scenario: If you search for a “good fantasy movie” in a traditional search engine, it may return pages that contain exactly those words, but it may not necessarily understand that “great adventure movie” may have the same meaning. However, vector search, through embeddings, can perceive this relationship and return more relevant results, even if the words are not identical.

In other words, traditional search is based on character matching and word frequency, while vector search uses machine learning to capture the meaning and relationships between terms.

Note in the example below where the main differences between traditional search and vector search are demonstrated.

When Is Vector Search Most Useful?

Search is useful in situations where it is necessary to search for information in large volumes of unstructured data, especially when the exact search for keywords is not very relevant, in which case the search for similarity in vector search stands out.

In this context, we can highlight some scenarios:

Semantic search in texts – Unlike traditional keyword-based searches, vector search can find files such as documents that have similar meanings, even if they use different words. For example, social networks and ecommerce.

Image and video search – Vector search allows you to find similar images without relying on metadata, directly analyzing the visual characteristics of the files.

Multimodal data search – Vector search can capture complex relationships between different types of data, such as text and images, and combine them for a more in-depth result.

Chatbots and Virtual Assistants – Vector search can be used to formulate more relevant responses for the user, based on the meaning (sentiment) and not just the exact words.

Vector Search in ASP.NET Core

.NET 9 brought native vector search support to ASP.NET Core for the first time, and it is currently available in Azure Cosmos DB, Microsoft’s cloud database. If you are not familiar with Cosmos DB, I suggest you read this post: Working with Cosmos DB in ASP.NET Core.

Disclaimer 1: At the time of writing the post, vector search was still in preview, which may be changed in the future.

Disclaimer 2: This post uses the Cosmos DB Emulator, in which case no additional configuration is required. However, if you are going to use the official version of Cosmos DB, you will need to update your account resources to support vector search. You can do this using the Azure CLI:

az cosmosdb update --resource-group <resource-group-name> --name <account-name> --capabilities EnableNoSQLVectorSearch

Disclaimer 3: This post uses the generation of similar random vectors. To generate vectors using data, it is necessary to use external APIs, such as OpenAI vector embeddings, which will not be covered in this post.

Azure Cosmos DB now supports vector storage, allowing you to run all queries in a single database, directly on documents that contain other data in addition to the vector. This eliminates the need to create an additional solution for a dedicated vector database, which can significantly simplify the architecture of applications.

To implement vector search in practice, we will create a simple API in ASP.NET Core, insert some sample data and retrieve this data through vector search. The database used for insertion and search will be Cosmos DB, through the Cosmos DB Emulator, running locally.

You can access the full project code in this GitHub repository: Source code.

Implementing the Application

To create the base application, you can use the command below in the terminal:

dotnet new web -o VectorMovieRecommendation

The NuGet packages used in the application are the following:

• Microsoft.Azure.Cosmos
• Microsoft.EntityFrameworkCore
• Microsoft.EntityFrameworkCore.Cosmos
• Microsoft.EntityFrameworkCore.Design
• Newtonsoft.Json

You can install them via the terminal or use the Visual Studio package manager or another IDE of your choice.

So, in the application, create a new folder called “Models” and, inside it, create the following class:

using Newtonsoft.Json;

namespace VectorMovieRecommendation.Models;
public class Movie
{
    [JsonProperty("id")]
    public string Id { get; set; } = Guid.NewGuid().ToString();
    public float[] Vector { get; set; } = new float[1025];
    public string Title { get; set; } = string.Empty;
    public string Description { get; set; } = string.Empty;
    public int ReleaseYear { get; set; }
    public List<string> Genres { get; set; } = new List<string>();
    public double Rating { get; set; }
}

Note that here we declare a property called Vector which is a list of float arrays. And we also declare a value of 1025, which represents the number of elements stored in the array. This property will represent the vector when we insert a record into Cosmos DB and will be used for verification during the similarity search.

The next step is to create the context class, which will contain the EF Core settings for creating the tables. Create a new folder called “Data” and, inside it, add the class below:

using Microsoft.Azure.Cosmos;
using Microsoft.EntityFrameworkCore;
using VectorMovieRecommendation.Models;
namespace VectorMovieRecommendation.Data;
public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Movie> Movies { get; set; } = default!;

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        #pragma warning disable EF9103 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
        modelBuilder.Entity<Movie>()
            .Property(e => e.Vector)
            .IsVector(DistanceFunction.Cosine, 1025);
        #pragma warning restore EF9103 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
    }
}

Let’s analyze the code.

Here we create a context class to perform the default EF Core configurations, but note that in the OnModelCreation method there is an additional configuration:

modelBuilder.Entity<Movie>()
.Property(e => e.Vector)
.IsVector(DistanceFunction.Cosine, 1025);

This configuration tells EF to map the Vector property of the Movie entity as a 1025-dimensional vector, using the cosine distance function. This is done through the IsVector method during model configuration.

By defining the property as a vector and specifying the cosine distance function, EF can optimize queries that involve similarity comparisons between vectors.

Another element that you may notice is the #pragma warning disable EF9103 directive that is used to suppress a compiler warning, identified by the code EF9103. This warning indicates that a given feature or API is experimental, intended for evaluation purposes only, and is subject to change or removal in future updates. Since it is still an experimental feature (at least as of the date this post was written), if you do not use the directive, the compiler will report an error.

The next step is to configure the environment variables. They are in the appsettings.json file, add the following:

 "CosmosDb": {
    "AccountEndpoint": "https://localhost:PORT_NUMBER",
    "AccountKey": "YOUR_COSMOS_DB_ACCOUNT_KEY",
    "DatabaseName": "VectorMovieRecommendationDB",
    "ContainerName": "Movies"
  },

Remember to replace PORT_NUMBER with the port where the Cosmos DB Emulator is running and YOUR_COSMOS_DB_ACCOUNT_KEY with the configuration key.

Configuring the Program Class

In the Program class we will configure the dependency injections, the environment variables and the endpoints and methods. So, first add the following code, just below the var builder = WebApplication.CreateBuilder(args);:

var cosmosConfig = builder.Configuration.GetSection("CosmosDb");
var connectionString = cosmosConfig["AccountEndpoint"];
var accountKey = cosmosConfig["AccountKey"];
var databaseName = cosmosConfig["DatabaseName"];

builder.Services.AddDbContext<AppDbContext>(options =>
    options.UseCosmos(connectionString!, accountKey!, databaseName!));

Here we are extracting the information from the environment variables created previously and passing them to the EF Core context class configuration.

Now, let’s create endpoints and methods to insert some sample data and to create the database and collections during program execution if they do not already exist.

Add to the Program.cs class the following code:

app.MapPost("/movies/seed", async (AppDbContext db) =>
{
    await Seed(db);
    return Results.Ok();
});

using (var scope = app.Services.CreateScope())
{
    var dbContext = scope.ServiceProvider.GetRequiredService<AppDbContext>();
    await dbContext.Database.EnsureCreatedAsync();
}

static async Task Seed(AppDbContext dbContext)
{
    var sampleMovies = new List<Movie>
            {
                new Movie
                {
                    Title = "Sci-Fi Adventure",
                    Description = "A thrilling space journey",
                    ReleaseYear = 2022,
                    Genres = new List<string> { "Sci-Fi", "Adventure" },
                    Rating = 8.5,
                    Vector = GenerateRandomVector()
                },
                new Movie
                {
                    Title = "Interstellar Voyage",
                    Description = "A group of explorers travel through a wormhole",
                    ReleaseYear = 2014,
                    Genres = new List<string> { "Sci-Fi", "Drama" },
                    Rating = 8.6,
                    Vector = GenerateRandomVector()
                },
                new Movie
                {
                    Title = "Futuristic Battle",
                    Description = "A war between humans and AI",
                    ReleaseYear = 2023,
                    Genres = new List<string> { "Sci-Fi", "Action" },
                    Rating = 8.2,
                    Vector = GenerateRandomVector()
                },
                new Movie
                {
                    Title = "Galactic War",
                    Description = "Intergalactic conflict between empires",
                    ReleaseYear = 2019,
                    Genres = new List<string> { "Sci-Fi", "Adventure" },
                    Rating = 8.4,
                    Vector = GenerateRandomVector()
                }
            };

    dbContext.Movies.AddRange(sampleMovies);
    await dbContext.SaveChangesAsync();
}

static float[] GenerateRandomVector()
{
    int size = 1536;
    var random = new Random();
    return Enumerable.Range(0, size)
                     .Select(_ => (float)random.NextDouble())
                     .ToArray();
}

Note that to generate the vector we are using the local method GenerateRandomVector(), which sets the vector size to 1536, then instantiates a random number generator (new Random()), then generates a sequence of size integers starting from 0 (random.NextDouble()) and finally converts the sequence to an array. This method is made generically for creating vectors; if you are going to use it elsewhere, remember to modify it to suit your needs.

Now, still in the Program.cs class, add the following endpoint to retrieve the records from the database using the vector search:

app.MapGet("/movies/vector-movies", async (AppDbContext db) =>
{
    var queryVector = GenerateRandomVector();

    #pragma warning disable EF9103 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
    var movies = await db.Movies
    .OrderBy(m => EF.Functions.VectorDistance(m.Vector, queryVector))
    .Take(5)
    .ToListAsync();
    #pragma warning restore EF9103 // Type is for evaluation purposes only and is subject to change or removal in future updates. Suppress this diagnostic to proceed.
    
    return Results.Ok(movies);
});

In the code above, an HTTP GET endpoint is defined that returns a list of the five most similar movies based on a vector comparison. The similarity is determined by calculating the distance between a randomly generated query vector and the vectors associated with each movie in the database. Let’s analyze each part:

1. Generating the query vector:

var queryVector = GenerateRandomVector();

Here the GenerateRandomVector() method is called to create a floating point vector with 1,536 elements, each containing a random value between 0.0 (inclusive) and 1.0 (exclusive). This vector serves as a reference for measuring the similarity with the vectors of the stored movies.

2. Querying the database:

var movies = await db.Movies
.OrderBy(m => EF.Functions.VectorDistance(m.Vector, queryVector))
.Take(5)
.ToListAsync();

In this query, the list of movies (db.Movies) is ordered based on the vector distance between each movie’s vector (m.Vector) and the queryVector. The EF.Functions.VectorDistance function calculates this distance, allowing the movies to be ordered from the smallest to the largest distance—that is, from the most similar to the least similar to the query vector. Then, the five most similar movies are selected with Take(5) and converted to an asynchronous list with ToListAsync().

3. Returning the results:

return Results.Ok(movies);

Finally, the list of selected movies is returned with an HTTP status of 200 OK.

4. Compilation warning: Warning suppression is required again. The directives #pragma warning disable EF9103 and #pragma warning restore EF9103 are used to suppress warning EF9103 during compilation. This warning indicates that the functionality used is under evaluation and may change or be removed in future updates.

Running Vector Search

Now let’s run the GET /vector-movies route to return the records using the EF 9 VectorDistance() method, which calculates the distance between vectors, allowing the search for close or similar vectors.

So, just run the application, and run the endpoint to insert data: https://localhost:PORT/movies/seed. Then access the endpoint https://localhost:PORT/movies/vector-movies, so that the list of movies is returned, as you can see in the image below, using Progress Telerik Fiddler Everywhere:

Conclusion

Vector search is an advanced search technique that has evolved a lot in recent years. With the arrival of EF 9, we had the introduction of vector search support in Azure Cosmos DB, which makes it easy to implement and run this feature.

In this post, we created a simple API to insert data into Cosmos DB and use the new feature to retrieve those records using vector search. Remember that this is still an experimental feature, but you can start using it right now and discover the many possibilities that vector search offers.

When people show you how Progress Telerik Fiddler Everywhere works, it seems to me that the examples don’t show you nearly enough of what Fiddler can do for you. I’m going to walk through doing a standard stress test for a Web Service with Fiddler and, along the way, show you a bunch of features that I don’t think you know about.

In order to stress test my service, I first need to isolate it—remove my client application from the equation to make my service the “component under test.” Fiddler is perfect for that: I can call my service from Fiddler without having to invoke my client.

I also want to isolate the messages related to my test so I also set up a filter in Fiddler Everywhere to limit the message list to requests and responses to my service. (That way, I don’t have to look at all the other network traffic that Fiddler catches … and Fiddler captures everything).

Getting Authenticated

My clients are part of my stress test, but they can still be useful. To begin my test, I need a request and, while I can use the Fiddler Everywhere Composer to create my test message, I need that message to have a valid authentication header to get past my service’s security. That sounds … challenging because I’m testing against a Web Service running in an Azure App Service that I’ve locked down with App Registrations and Managed Identities.

Fortunately, that’s easier than you might think because I have both a client-side application and a server-side application that are successfully accessing my service and retrieving the necessary authentication tokens. The easiest way for me to get the authorization tokens I need is to have one of my clients generate a request and grab the token I need from that request.

To do that, I start Fiddler Everywhere and then run one of my clients once, having it access my service. In the resulting list of messages from that run, I select a message that successfully retrieved content from my service and, in the panel on right side of the Fiddler window, switch to the message’s Inspectors tab.

Within the Inspectors tab, I select the Headers tab to display all the headers generated by my client. To get the security header I need for my test message, I just right-click on the Authorization header in the tab’s list and select Copy Value to copy the access token from the header. I’m now ready to create my test message.

To create my test message, in the menu bar down the left side of Fiddler, I click on the bottom icon to open the Fiddler Composer tab. That tab shows me a default method, URL and protocol for my request, along with a blank list of headers.

The list of headers has an empty row for me to start with so that’s where I add my Authorization header. In the first column (called Key), I start typing “Authorization.” Fiddler immediately displays a dropdown list of standard header names. I just select the rest of the Authorization header name when it appears in the list. I then tab over to the Value column and paste in the value I copied from my original message.

I finish by setting my test request’s method (GET), the URL for my service (also copied from my client’s message) and protocol (HTTP 1.1). With those in place, I click the Execute button at the top right of the Compose tab and get the result of sending my messages to my service in the pane on the left.

But, in a stress test, I’m not really interested in what that message has retrieved but how well my service is doing when it processed the message. Before checking on that, I recognize that I could need this message again, so I click the Save button in the upper-right corner of the Composer tab and save this message under the name “Basic GET request.”

Now, to see how well my request’s processing went, I switch to the Fiddler Live Traffic tab (the eye icon in the middle icon of the menu down the left side of Fiddler) to see my message and, in its Overview tab, how well the message did.

Stress Testing Your Service

And the statistics look pretty good. But that’s just one request—everything looks good if you set the bar low enough. I want to see what my service’s capacity is: How well does my service do when it gets multiple, simultaneous requests.

To do that, I just right-click on may sample message in the message list and select Advanced Replay. In the Advanced Replay dialog, I can set the number of requests I want to make (I picked 100) and whether I want those requests sent in parallel or in series (I picked “Parallel”).

And now, just by clicking the dialog’s Start button, I can see what happens when my service gets 10 simultaneous messages.

Analyzing Conversations: Grouping Messages

Sure enough, when I switch back to the Live Traffic tab in Fiddler Everywhere, I can see all 100 of my requests. I can select on any single message to see how it did but, in a capacity test, I want to know I want to know how well the messages succeeded as a group (is my service is able to meet any SLAs I’ve committed to). Fiddler will tell me that, too.

Initially, in my message list, only the message I used to trigger my test is selected, with its details presented in Fiddler’s Overview tab on the right. To see the results from all of my messages, I click on the first message of my 100 requests and, holding down the shift key, use my down arrow to select the rest of the messages.

Fiddler now displays the summary results of all my selected messages in the panel on the right, in three groups: a bar graph showing response times, followed by a bar graph showing response sizes and, at the bottom, a set of summary statistics.

In this stress test, just looking at the initial bar graph, some of my requests completed quickly (about 300 milliseconds—yay!) and others took … longer (as much as 37 seconds—boo!).

If I scroll down to the next section in the overview panel, I can see in the bar graph showing the size of the responses that two response bodies were much smaller than the rest. Since all 100 requests were identical, all 100 responses should have been, too.

If I scroll all the way down to the bottom of the panel, I get my summary statistics for my tests. Those statistics show that, while my test took about 37 seconds to complete, my median and average times to complete for any single request were much lower: 7 seconds and 8.5 seconds (roughly). Those statistics also show that I was able to push about three transactions through per second. But those statistics also show that two of my requests failed with 500 (internal error) status codes which explains the two small response sizes.

If I can’t reasonably expect my service to get 100 simultaneous requests then, obviously, I have some work to do (maybe it’s time to implement a caching strategy in my service or, since my service is running in an Azure App Service, scale up or turn on scaling out).

Before going on, though, it’s worth pointing out that, while I’m using this feature for 100 identical messages, Fiddler Everywhere will generate summary results for any group of messages. That’s important because your client probably doesn’t send just one message to your service—your client is probably engaged in a conversation with my service that involves an exchange of multiple messages.

Being able to select all the messages in a conversation between your client and service enables you to analyze the conversation as a group and can go a long way to understanding the performance characteristics of your application as a whole. It will answer, for example, which of the requests and responses in your application are having the biggest impact on my client’s response time.

Keeping Track

Obviously, this data is important, if only to compare to my results after I make my changes to my service. I can save these results as a snapshot by right-clicking on my message list and selecting Save. That opens the Save Snapshot dialog where I can give my snapshot a name and pick a folder to save those messages with their results in before clicking the Save button in the dialog’s lower right corner (the snapshot will contain only my currently selected messages).

I can now shut Fiddler down, make my changes to my service and, when I get around to it, restart Fiddler to rerun my stress test. To rerun my test, I first double-click on my snapshot’s name in Fiddler’s Snapshots list on the right to restore my saved messages (with their statistics) into a new tab in Fiddler’s messages list.

To run all my snapshot’s requests again, I select them all with Ctrl + A (Windows)/Cmd + A (macOS), right-click on the selected list and select Replay from the popup menu. As my messages execute, I switch to the Fiddler Everywhere Live Traffic tab to see the results of my test. To get results from my new requests that I can compare to my original results, I select all of the re-executed messages by right-clicking on any one of the re-executed messages and choosing Select | Duplicate Requests from the popup menu. That generates the summary statistics for my new run of my snapshot in Fiddler’s Overview tab on the right.

Reviewing the Results

I’ll cut to the chase: My service did much better after implementing my changes (I added a server-side cache). Not only did all my requests succeed, I cut both my median and average response times in half, with my longest response taking under five seconds. Since those are well under the values specified in my SLA (and my SLA also specifies that I can reasonably expect to get only 25 simultaneous requests), I can move on to the next problem.

But first, I’ll save the new run as another snapshot so that, at appraisal time, I can pull them these statistics to demonstrate just how wonderful I am.

Give It a Try for Yourself

Explore these features and more with your own free 10-day trial of Fiddler Everywhere.

Try Now

Creating an API from scratch can be a laborious and error-prone process, especially due to syntax errors or even typos. However, Visual Studio offers a feature that makes this process easier, saving time and avoiding complications. Check out this post to learn how to use Visual Studio's scaffolding features to create a complete API.

Web APIs have become a fundamental concept in modern web applications, thanks to their versatility and simplicity. Despite recent additions to ASP.NET Core, such as minimal APIs, additional code is still required, especially when using the code-first approach with Entity Framework Core. In this approach, incorrect configurations can generate errors that often slow down development.

To make this process easier, there are features such as the scaffolding technique. In this post, we will use Visual Studio to create a complete CRUD API using the main functions available in scaffolding, such as generating a context class and configuring a connection string, among others.

What Is Scaffolding?

Scaffolding in the context of technology is a concept that refers to an approach or tool used to accelerate software development by providing a basic structure or skeleton for the code or system.

The term refers to a “scaffold,” a temporary structure commonly used in building construction to provide support while construction is underway. Similarly, in the context of technology, scaffolding provides support during software development, facilitating the creation of complex or labor-intensive parts of software that would otherwise be done manually.

Scaffolding in ASP.NET Core

In ASP.NET Core, the concept of scaffolding is present through tools that automate the creation of basic code needed to implement common web application features, such as the user interface (UI), database operations, application templates and others.

In this post, we will explore some of the latest scaffolding features provided by Visual Studio for creating a complete web API, with basic CRUD (Create, Read, Update and Delete) operations and integration with a SQL Server database. In addition, we will explore the integration with Entity Framework Core to automate the creation of classes, databases and tables used in the application.

Advantages of Using Scaffolding

Scaffolding can be useful in several development scenarios in ASP.NET Core, especially where agility and consistency are needed. Below are some scenarios where it is recommended.

• Automatically generate code: Scaffolding features allow you to generate code automatically, which minimizes the chance of typos and other issues that can occur when writing code manually.
• Speed up development: Scaffolding provides a ready-made base for CRUD operations, leaving the developer free to focus on more complex features. Some scenarios where scaffolding can be useful include technical interviews where time is usually reduced, initial projects that need a minimum viable product (MVP) and smaller projects where there is no need for much customization. For these kinds of scenarios, scaffolding can be used to quickly configure interactions with the database.
• Code standardization: The code generated by scaffolding follows the predefined ASP.NET Core standards, which helps maintain project consistency. This is especially useful in larger teams where code uniformity is important.
• Entity Framework integration: Scaffolding integrates with Entity Framework Core, allowing code generation from data models or the creation and execution of database scripts.

Prerequisites

To reproduce the example shown in the post, you must have the latest version of .NET installed. At the time the post was created, the latest stable version was .NET 8.

In addition, you must have the latest versions of Visual Studio. The post uses Visual Studio 2022 version 17.11.2.

This example uses the SQL Server database, so you must have a local connection to SQL Server. You can use another database if you find it necessary.

You can access the source code of the project created in the post in this GitHub repository: InventoryHub.

Creating the Application

To demonstrate the scaffolding functions, we will create a web API for registering products in an inventory.

To create the base application, open Visual Studio and click on “Create a new project” and then choose the option “ASP.NET Core Web API.” Give the project a name (in the example, we used “InventoryHub”). In the next window, select the most recent .NET version (in this case, 8) and leave only these options selected: Configure for HTTPS and Enable OpenAPI support. And then click on “Create.”

Then, open the project with Visual Studio, and inside the project create a new folder called “Entities.” Inside it, create the class below:

namespace InventoryHub.Entities;
public class ProductItem
{
        public Guid Id { get; set; }
        public string Name { get; set; }
        public string Description { get; set; }
        public decimal Price { get; set; }
        public int QuantityInStock { get; set; }
        public string SKU { get; set; }

        public string Category { get; set; }
        public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
        public bool IsActive { get; set; } = true;
}

Here we create a simple class to represent a product item with only properties, such as the post focus and scaffolding functions; in-depth examples of classes and functions will not be used.

Creating the Scaffolding Items

The ProductItem class created previously is the only class created manually; everything else will be done with the scaffolding functions present in Visual Studio.

So, right-click on the project and look for the option Add > New Scaffolded Item....

In the window that opens, click on the left menu “API” and select the option “API with read/write endpoints, using Entity Framework.” Finally, click on “Add.”

In the next window, you must configure the EF core classes and endpoints. So, in the “Model class” option, select the ProductItem class.

In the Endpoint class option, click the “+” (plus) icon and click add.

In the DbContext class option, click the “+” (plus) icon and click add.

In the Database provider option, select SQL Server (or another database you want to use)

The other options can be left with the default value. Finally, click “Add.”

Note that two new classes have been created. One is the “InventoryHubContext” class, which is inside the “Data” folder. And the other is the “ProductItemEndpoints” class.

Let’s analyze each of them.

DbContext Class

The “InventoryHubContext” class generated in the “Data” folder contains the EF Core configurations.

namespace InventoryHub.Data
{
public class InventoryHubContext : DbContext
{
public InventoryHubContext (DbContextOptions<InventoryHubContext> options)
: base(options)
{
}

public DbSet<InventoryHub.Entities.ProductItem> ProductItem { get; set; } = default!;
}
}

The class inherits from DbContext. This means that it has access to the methods and properties of DbContext, allowing it to interact with the database by performing CRUD operations.

The constructor receives an options parameter of type DbContextOptions<InventoryHubContext>, which contains configuration options for the database context (such as the connection string). It passes these options to the base class constructor (DbContext) using : base(options).

ProductItem represents a collection of entities in the context that can be queried and saved to the database.

Here, ProductItem is a property of type DbSet<ProductItem>, which indicates that it will manage instances of the ProductItem entity. The = default!; syntax is used to suppress null warnings, indicating that this property will be correctly initialized at runtime.

ProductItemEndpoints

Another class generated in the scaffolding was the ProductItemEndpoints class:

public static class ProductItemEndpoints
{
    public static void MapProductItemEndpoints (this IEndpointRouteBuilder routes)
    {
        var group = routes.MapGroup("/api/ProductItem").WithTags(nameof(ProductItem));

        group.MapGet("/", async (InventoryHubContext db) =>
        {
            return await db.ProductItem.ToListAsync();
        })
        .WithName("GetAllProductItems")
        .WithOpenApi();

        group.MapGet("/{id}", async Task<Results<Ok<ProductItem>, NotFound>> (Guid id, InventoryHubContext db) =>
        {
            return await db.ProductItem.AsNoTracking()
                .FirstOrDefaultAsync(model => model.Id == id)
                is ProductItem model
                    ? TypedResults.Ok(model)
                    : TypedResults.NotFound();
        })
        .WithName("GetProductItemById")
        .WithOpenApi();

        group.MapPut("/{id}", async Task<Results<Ok, NotFound>> (Guid id, ProductItem productItem, InventoryHubContext db) =>
        {
            var affected = await db.ProductItem
                .Where(model => model.Id == id)
                .ExecuteUpdateAsync(setters => setters
                    .SetProperty(m => m.Id, productItem.Id)
                    .SetProperty(m => m.Name, productItem.Name)
                    .SetProperty(m => m.Description, productItem.Description)
                    .SetProperty(m => m.Price, productItem.Price)
                    .SetProperty(m => m.QuantityInStock, productItem.QuantityInStock)
                    .SetProperty(m => m.SKU, productItem.SKU)
                    .SetProperty(m => m.Category, productItem.Category)
                    .SetProperty(m => m.CreatedAt, productItem.CreatedAt)
                    .SetProperty(m => m.IsActive, productItem.IsActive)
                    );
            return affected == 1 ? TypedResults.Ok() : TypedResults.NotFound();
        })
        .WithName("UpdateProductItem")
        .WithOpenApi();

        group.MapPost("/", async (ProductItem productItem, InventoryHubContext db) =>
        {
            db.ProductItem.Add(productItem);
            await db.SaveChangesAsync();
            return TypedResults.Created($"/api/ProductItem/{productItem.Id}",productItem);
        })
        .WithName("CreateProductItem")
        .WithOpenApi();

        group.MapDelete("/{id}", async Task<Results<Ok, NotFound>> (Guid id, InventoryHubContext db) =>
        {
            var affected = await db.ProductItem
                .Where(model => model.Id == id)
                .ExecuteDeleteAsync();
            return affected == 1 ? TypedResults.Ok() : TypedResults.NotFound();
        })
        .WithName("DeleteProductItem")
        .WithOpenApi();
    }
}

This class is used to organize the endpoints, preventing them from being scattered in the Program class. It contains all the endpoints required for CRUD operations (Create, Read, Update and Delete). In addition, the endpoints include advanced features, such as “Route Groups”, which allow you to group the endpoints efficiently.

Another important feature is the AsNoTracking() method, which prevents the mapping of modifications to entities by Entity Framework Core, resulting in a performance gain.

Program Class

The Program class already contains the necessary configurations created by scaffolding:

using Microsoft.EntityFrameworkCore;
using InventoryHub.Data;
using InventoryHub;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<InventoryHubContext>(options =>
    options.UseSqlServer(builder.Configuration.GetConnectionString("InventoryHubContext") ?? throw new InvalidOperationException("Connection string 'InventoryHubContext' not found.")));

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseHttpsRedirection();

app.MapProductItemEndpoints();

app.Run();

Here, the InventoryHubContext class settings were created, passing it the connection string that has the same name as the class. If the connection string is not found, an exception is thrown.

In addition to the Swagger settings, the MapProductItemEndpoints(); method is also used, which is responsible for mapping the API endpoints.

If you open the appsettings.json file you may notice that the connection string created by scaffolding is present:

"ConnectionStrings": {
"InventoryHubContext": "Server=(localdb)\\mssqllocaldb;Database=InventoryHubContext-59891a8e-5733-47b5-8e27-26982d11988a;Trusted_Connection=True;MultipleActiveResultSets=true"
}

Note that the database name has a GUID (Globally Unique Identifier) to check that a database with that name does not already exist.

Creating and Running EF Core Migrations

EF Core’s migrations feature is used to generate database scripts and execute them, automatically creating databases and tables based on the application’s entities. To do this through scaffolding, follow the steps below:

1. In Visual Studio, double-click on the Connected Services option.

2. In the window that opens, in the right corner, in the second option, click on the three dots and then select the “Add migration” option as shown in the image below:

3. In the window that opens, select the context class and click finish:

Note that the migrations script files have been created. The next step is to run the scripts and generate the database and tables. So, still in the “Connected services” tab, click on the three dots, and then choose the “Update database” option and in the next window click on “Finish.”

After completing the Database update execution, you can check the database and table created by EF Core through scaffolding:

Testing the Application

Now let’s run the application and see if it is working as expected. This post uses Progress Telerik Fiddler Everywhere to make requests to the API.

1. Inserting a New Record

You can use this JSON example to insert a new record:

{
  "id": "9a27baf2-4f4e-41b1-9b7e-715b7d89656b",
  "name": "Wireless Bluetooth Headphones",
  "description": "High-quality noise-cancelling Bluetooth headphones with 40-hour battery life.",
  "price": 129.99,
  "quantityInStock": 250,
  "sku": "WBH-9876",
  "category": "Electronics",
  "createdAt": "2024-10-12T18:53:42.919Z",
  "isActive": true
}

2. Retrieving the Data

Conclusion and Final Considerations

As you can see, the API is working correctly. This shows that all the classes and configurations needed to make a CRUD API were correctly implemented by the scaffolding resources. The only class created manually was the ProductItem entity class.

The scaffolding features available in ASP.NET Core are excellent for speeding up the development process, as they avoid the repetitive work of creating basic components, such as controllers, EF Core configuration classes, connection strings and others from defined data models and data context.

This is especially useful in projects that follow the MVC (Model-View-Controller) pattern, where standard code generation can save time and reduce manual errors. In addition, scaffolding allows developers to quickly implement CRUD (Create, Read, Update, Delete) functionalities, freeing them to focus on more complex and specific aspects of the application, such as business rules.

Finally, the use of scaffolding speeds up initial development without compromising code quality, since it follows the best practices recommended by the ASP.NET Core platform itself.

Fiddler Everywhere comes with features that allow you to modify, mock, filter and automate how HTTP(S) traffic is processed. Developers can simulate various scenarios by altering requests and responses dynamically. Fiddler’s rule system is highly customizable and provides great flexibility when working with network traffic. This article will demonstrate the top five debugging issues you can solve using Progress Telerik Fiddler Everywhere.

1. Syntax Errors

Syntax errors are one of the main reasons bugs are introduced in the development process. While there are complex IDE tools for maintaining manually written codebase, the syntax errors are harder to pinpoint when appearing within calls to online API or are part of received HTTPS responses.

Fiddler headers and body inspectors are neat places to track these kinds of errors. Let’s demonstrate this through a sample app that calls the public NASA API for an Astronomical Picture of the Day (APOD).

The initial source we use is as follows:

<html>
    <head>
        <script>
            let nasa_endpoint = "https://api.nasa.gov/planetary/apod?1&api_key=";
            let api_key = "DEMO_KEY";
            let apod = fetch(nasa_endpoint + api_key)
                .then((response) => response.json())
                .then(data => {
                    document.getElementById('img').src = data['url'];
                })
        </script>
    </head>
    <body>
        <img id="img"/>
    </body>
</html>

The above page runs on a local https server with the address 192.168.100.4:8080 for demonstration.

While using the Fiddler’s browser capturing mode, we can immediately see that our application loads, but the fetch request to the NASA APIs fails with status code 400 (Bad Request).

Double-clicking on the session further reveals the server’s response message, which indicates that we have used incorrect fields. We can now use the Params inspector in the Request tab to further analyze the query parameters passed. Here, our API endpoint contains an additional key named “1” with no value—which causes the issue.

While status code 400 is not so descriptive, sometimes the API will help us identify an issue with a more specific status code. Let’s rewrite the above snippet, so that now it uses the proper endpoint. However, this time the syntax error will be intentionally introduced in the value of the required API key.

<script>
    let nasa_endpoint = "https://api.nasa.gov/planetary/apod?api_key=";
    let api_key = "WRONG_KEY"
    let apod = fetch(nasa_endpoint + api_key)
        .then((response) => response.json())
        .then(data => {
            document.getElementById('img').src = data['url'];
        })
</script>

This time, the NASA API returns status code 403 (Unauthorized). By default, Fiddler Everywhere is configured to display and highlight the sessions with status codes 4xx and 5xx to detect problematic sessions easier (if needed, you can show and hide different columns in the traffic grid).

The above immediately shows that the issue is within the value of the used API key, which developers can quickly fix.

2. Logical Errors

Like syntax errors, an issue can appear and break our web application when there is a logical error within our codebase or the API itself.

Let’s slightly modify the above example as follows:

<script>
    let nasa_endpoint = "https://api.nasa.gov/planetary/apod?api_key=";
    let api_key = "DEMO_KEY"
    let apod = fetch(nasa_endpoint + api_key)
        .then((response) => response.json())
        .then(data => {
            document.getElementById('img').src = data['title'];
        })
</script>

Have you noticed the logical error? It is not immediately obvious. The issue here is based on results from the NASA endpoint, which returns an object with multiple keys, including URLs to images and thumbnails. In this specific case, our JS code uses the value of the title key and assigns it as a source for an HTML image. The error might not be detected immediately—the initial call to the NASA API works as expected. However, running the above in Fiddler shows the following:

We know we explicitly ran our app on http://192.168.100.4:8080, so the first session is expected. We also know that internally, our application makes a call to https://api.nasa.gov/planetary/apod, so that is also another expected session.

However, we also know that our application has an image that has not loaded properly, and we see a third session that returned status 404 (Not Found). This is the session that should be constructed through the URL contained in the JSON key-value pair, but we can immediately see that the added query parameter is not the expected HTTP address (that points to the JPG image) but rather a string that contains other information.

While in the simplified scenario, the issue is caused by a logical error in our own codebase (because we used data["title"] instead of data["url"]), the very same type of issues could be the result of a fault within the backend server. For example, we could have the right property called in our codebase, but its value might be deformed by the server API. In both cases, Fiddler allows you to quickly filter and detect that information and apply the needed fix.

Finally, let’s run the proper API call.

<script>
    let nasa_endpoint = "https://api.nasa.gov/planetary/apod?api_key=";
    let api_key = "DEMO_KEY"
    let apod = fetch(nasa_endpoint + api_key)
        .then((response) => response.json())
        .then(data => {
            document.getElementById('img').src = data['url'];
        })
</script>

Now, we can see all API calls made as expected, and Fiddler can even preview images or HTML pages.

3. Execution Errors (Error Simulation with Rules)

In the previous sections, we discussed how you can use Fiddler to detect syntax and logical errors within our web applications.

However, you don’t have to wait for your application to crash (especially in production) to test that you have recovery mechanisms or if you are passing the proper information to the end users.

Here is where you can use Fiddler to debug various issues, mock status codes and load alternative responses to fully test the ability of your web application to handle different scenarios.

Perhaps one of the most powerful features of Fiddler is its Rules tab. Simply put, this application section enables you to debug, modify, filter and/or entirely mock sessions.

While still using our little astronomical application, we can use the Rules to mock various status codes. You don’t need to access the backend—the modifications of the requests and responses happens in the middle which is why tools like Fiddler are called MITM proxies (man-in-the-middle).

For example:

1. Capture the traffic from our APOD application.
2. Open the context menu and use the Add New Rule feature.

3. Within the Fiddler’s Rules Builder, create new rule that uses the Return Predefined Responses action.

With the above steps, you can mock a server behavior or test different scenarios on-the-fly and within few seconds. No need to modify the backend—no need to even have access to the server! Fiddler stands in the middle and allows you to mock the production or staging environments of your web applications.

And things are getting better. While the above example shows how to use a list of predefined HTTP responses (that are mocking different status codes), you can also create entirely custom responses. This enables you to test potential fixes or new designs—again without having to make changes within your application or server.

For example:

1. Capture the traffic from the targeted page.
2. Open the context menu and use the Add New Rule feature.
3. Within the Fiddler’s Rules Builder, create a new rule that uses the Return Manual Response or Return File actions.

4. Runtime Changes and Errors

One of the most powerful features of Fiddler Everywhere is its ability to “pause” the traffic and modify it during the HTTP Sessions execution. Similarly to Neo dodging the bullets in the iconic Matrix scene, you can use Fiddler to pause the execution of a targeted API call and then to modify its behavior with the idea of fixing an error or to demonstrate an entirely new reality. The feature is well-known to the Fiddler community—Fiddler breakpoints.

In Fiddler Everywhere, you can create two types of breakpoints. The first one will pause the session before the HTTP Request is sent to the server, while the second one will pause before the HTTP Response is sent to the client.

The immediate effect of the above feature is that you can modify live traffic before it reaches the targeted destination. The possibilities here are endless—you can test any API call on how it will behave with different headers, cookies and bodies. You can “hack” a page without having access to either the client or the server. All you need is Fiddler to stand in the middle as a proxy and to use a breakpoint.

Let’s visualize the process through a quick demo. We will use a well-known online service that mocks a cached endpoint.

1. Start Fidder Everywhere and use the browser capturing mode.

2. Open an endpoint that mocks cached responses like https://httpbin.org/cache.

The above returns a 304 if an If-Modified-Since header or If-None-Match is present within the HTTP request. Otherwise, it returns the same as a GET (200). If this is your first time accessing the page, it will show 200. Refresh the page, and you will receive status 304

We will use Fiddler to pause the request execution and explicitly add or remove the mentioned headers before they reach the server.

3. Open the context menu from the captured session and use “Add New Rule.”

4. Within the Rules Builder, add the action called “Set Breakpoint”, and specific that to use “Before Sending a Request.”

5. Return to the browser and refresh the page.

At this moment, Fiddler will pause the execution of the HTTP Request. Once the request pauses, you can load the Request inspector and use the Raw tab to make any modifications.

6. Finally, unpause the request and the session will proceed with its execution.

With the above we have just made a runtime modification that changed the behavior of the client and the server. As said before, no actual changes are made in either destination—we simply made a Matrix-style hack move that opens a ton of testing possibilities!

5. Testing Performance and Security

Many modern web applications use various features that can cause performance or security issues. One typical example is authentication, which is typically linked to a backend server that needs to be operational for uninterrupted service for clients. Testing the server’s vulnerabilities and weak points to help prevent potential attacks, such as DDoS, is a significant task for developers.

Fiddler Everywhere allows you to test your server endpoints for security issues, such as the following example. You can test if your application has a secure authentication process by following best practices, like creating exponential retries for consecutive requests.

Consider a scenario where a web application attempts to fail authentication requests. The server (in this example, HTTPBin) consistently returns a status 500, prompting our application to retry continuously.

Using Fiddler, we can capture the traffic from our app (with process name node:16176) and identify several issues immediately:

• The retried requests appear to be never-ending.
• The retried requests are executed after a specific period, lacking an exponential backoff strategy.

You can notice this from the Request Time column or by selecting all sessions in Fiddler Everywhere and then switching to the Overview tab, confirming the absence of exponential timing between each request.

These issues could lead to a significant problem. For instance, if the server is unavailable for an extended period, the application’s users will continually trigger many requests, potentially resulting in a self-inflicted DDoS that renders the server unresponsive.

After obtaining information from Fiddler, we can review our application. The demo app used a well-known NPM library called retry (which sets the number and type of retries) alongside axios (for executing the requests). A quick code review revealed that the retry operation was configured with specific parameters.

const retry = require('retry');

function faultTolerantHttpRequest(URL, cb) {
    // Initialize a retry operation with custom settings
    const operation = retry.operation({
        forever: true,                  // Retries forever
        factor: 0,                        // Exponential backoff factor
        minTimeout: 100,          // Minimum timeout (in milliseconds)
        maxTimeout: 10 * 100,  // Maximum timeout (in milliseconds)
        randomize: false,          // Randomize the timeouts
    });

The configuration confirmed our findings—the retry was explicitly set to “forever,” and the exponential backoff factor was set to 0, meaning no exponential timings. To address this, we removed the “forever” setting, set a strict limit for the maximum possible number of retries, implemented an exponential backoff strategy and adjusted the timeout values.

const operation = retry.operation({
    retries: 5,             // Limits the number of retries to 5
    factor: 2,              // Sets an exponential timing that adds two additional times after each retry
    minTimeout: 1000
    maxTimeout: 60 * 1000
    randomize: false
});

With these changes in place, the retried requests in Fiddler now appear as follows:

The captured traffic reveals that our application makes only five retries and accepts and ends all requests on the sixth attempt. The Overview tab visualizes the change in the factor attribute, indicating that our exponential backoff strategy is operational and protects us from a potential DDoS attack.

This demonstration illustrates how you can use Fiddler’s capabilities, like the Overview tab, to diagnose your web app within seconds without handling complex applications or codebases. Similar approaches can be applied to test refresh tokens, check for invalid or expiring API certificates, create rules to mimic unexpected client behavior and more.

Fiddler Is a Swiss Army Knife for Web Debugging

Fiddler is a versatile tool with expanded functionalities and good testing capabilities. Whether you would like to debug an error, test a fallback mechanism, try a new user interface or check the ability of your web app and backend server to withstand unexpected scenarios, Fiddler offers all the right tools.

Do you have another scenario in mind? Please share your ideas and suggestions in the Fiddler Everywhere public GitHub repository or the Feedback Portal, and help us improve Fiddler Everywhere.

If you aren’t yet using Fiddler Everywhere, test it out with a free trial.

Try Now

Is gRPC all about performance? Or is it gaining so much popularity because it is efficient, cross-platform, multi-language, interoperable, with a small footprint and, of course, secure? How does Progress Telerik Fiddler Everywhere fit, and what exactly is the “human readable gRPC call” part? I’m not sure if starting a blog post with so many questions is a good idea, but I can tell you that finishing a blog post with providing all the answers is.

Image source: Unsplash

First things first though, let’s do a quick intro on the main players today. gRPC (Google Remote Procedure Calls) is a modern open-source framework or—even better—architectural style that is highly suitable for building fast, scalable and language-agnostic microservices with strict contracts and real-time communication capabilities. It’s based on HTTP/2 and is a top choice for cloud-native applications, low-latency networks and systems requiring efficient data serialization.

Fiddler Everywhere is a web-debugging tool that captures, inspects, edits, filters and logs traffic (be it HTTPS, WebSocket, Server-Sent Events, Socket.IO or—of course—gRPC), issues requests between a machine (including mobile) and the internet, and fiddles with incoming and outgoing data. With it, you can compose API requests and share network debugging logs. It is cross-platform, human-readable and friendly (pun intended) and brings in high performance.

If you are a fan of quick five-minute videos explaining how everything works, I’ve got you covered as this video about gRPC is exactly for you, accompanied by a link to their official documentation. As a good beginner’s guide on how to get started with gRPC and Fiddler Everywhere, I’d recommend this blog post: Introduction to gRPC with Fiddler Everywhere, and of course the official Fiddler Everywhere documentation.

Image source: Unsplash

The purpose of the current blog post, however, is to take you one step further and unveil some more tips and tricks. Its main topic will focus on how to benefit from making the gRPC calls human-readable.

gRPC Traffic Is Not Human-Readable by Default

Unlike HTTP API requests, which can be created and read by humans, because they are sent as text, gRPC is not human-readable by default.

A major factor behind gRPC’s exceptional performance is its use of Protobuf for serialization. It is a binary protocol that’s not human-readable. On one hand, this significantly accelerates the remote procedure calls operations, but it can also complicate manual interactions with the server. Protobuf requires the message’s interface description specified in the .proto file to properly deserialize.

I can’t hide that I am a superheroes franchises fan, so let’s explore the difference between human-readable and Protobuf binary formats with such an example!

Protobuf Definition

message Superhero {
  optional  string name = 1;
  optional string superpower = 2;
  optional string favorite_food = 3;
  optional string sidekick_name = 4;
}

Based on the data structure above, here is my data instance:

• Name: “Someone that had a close encounter with a spider”
• Superpower: “Ability to cling to solid surfaces”
• Favorite Food: “Aunt’s Cherry Pie”
• Sidekick’s Name: “They are so many”

JSON Representation (Human-Readable)

{
  "name": "Someone that had a close encounter with a spider",
  "superpower": "Ability to cling to solid surfaces",
  "favorite_food": "Aunt's Cherry Pie",
  "sidekick_name": "They are so many"
}

Although still a mystery (right?), in this JSON format, it’s easy to see the superhero’s identity and abilities in a clear, human-readable form. Anyone can immediately understand the details about this superhero’s life, powers and food preferences as the key-value pairs are clearly displayed.

Protobuf Binary Representation (Not Human-Readable)

When serialized using Protobuf, this same data might look something like this in hex:

0a 2e 53 6f 6d 65 6f 6e 65 20 74 68 61 74 20 68 61 64 20 61 20 63 6c 6f 73 65 20 65 6e 63 6f 75 6e 74 65 72 20 77 69 74 68 20 61 20 73 70 69 64 65 72 12 23 41 62 69 6c 69 74 79 20 74 6f 20 63 6c 69 6e 67 20 74 6f 20 73 6f 6c 69 64 20 73 75 72 66 61 63 65 73 1a 10 41 75 6e 74 27 73 20 43 68 65 72 72 79 20 50 69 65 22 0e 54 68 65 79 20 61 72 65 20 73 6f 20 6d 61 6e 79

This is the exact same superhero information but serialized in Protobuf’s binary format. It’s efficient and compact, but completely unreadable to the naked eye. Without decoding, you would have no idea that this represents someone with a spider-related backstory who enjoys Aunt’s Cherry Pie!

Why Is It Not Readable?

• Binary Format: Protobuf uses binary encoding to store data, which is efficient but lacks the transparency of text formats.
• Field Numbering: Each field is identified by a number (e.g., 1 for name, 2 for superpower, etc.) instead of its name in the binary format, making it difficult to infer the meaning without knowing the schema.
• Compactness: The binary format is designed to be as compact as possible, so strings, numbers and other data types are encoded in a way that minimizes space but sacrifices readability.

While listing Protobuf’s binary format advantages like compact data storage, quick parsing, cross-language and cross-project compatibility, along with being forward-compatible, the lack of human-readable structure means you need tools or code to decode and interpret the data. In contrast, JSON or XML formats trade off performance for better readability, making them more suitable when human inspection is required.

This can create a challenge when trying to inspect gRPC traffic for debugging, testing or logging purposes. If you’re capturing gRPC calls with a traditional network analyzer, you’ll typically see unreadable binary blobs, making it difficult to verify the contents of requests and responses.

Enter Fiddler Everywhere

One of the common hurdles developers face when working with gRPC is monitoring and debugging its binary-encoded data. Tools like Fiddler Everywhere that support HTTP/2 can provide a solution to this because they are capable of parsing and displaying gRPC traffic in a human-readable format. As a side note, you can also use gRPC with “transcoded” mode over HTTP/1.

For the sake of this blog post, I have created a gRPC client and server in ASP.NET Core using Visual Studio 2022 and .NET 8. In my gRPC service project files, the Protos/greet.proto file looks like this:

syntax = "proto3";
option csharp_namespace = "GrpcGreeter";
package  greet;

service  Greeter {
  rpc  SayHello (HelloRequest) returns (Superhero);
}

message  HelloRequest {
  string name = 1;
}

message  Superhero {
  optional  string name = 1;
  optional  string superpower = 2;
  optional  string favorite_food = 3;
  optional  string sidekick_name = 4;
}

My gRPC client is a .NET Console app and its Protos/greet.proto file looks like this:

syntax = "proto3";
option csharp_namespace = "GrpcGreeterClient";
package  greet;

// The greeting service definition.
service  Greeter {
  // Sends a greeting
  rpc  SayHello (HelloRequest) returns (Superhero);
}

// The request message containing the user's name.
message  HelloRequest {
  string name = 1;
}

// The response message containing the greetings.
message  Superhero {
  optional  string name = 1;
  optional  string superpower = 2;
  optional  string favorite_food = 3;
  optional  string sidekick_name = 4;
}

Upon successful run, I get the following in the command prompt:

Setup and Capture

In Fiddler Everywhere, you need to set up the client using the gRPC framework to go through the Fiddler proxy. This condition depends on the different types of clients used.

This can be tricky, especially if you are using .NET, like in my project. If so, you need to know about a specific case in gRPC that prevents a gRPC channel from using the proxy settings. A possible solution to this would be to replace the default socket handler with the HttpHandler (which disables/removes some of the original logic and takes care of the proxy settings usage). This is valid not only for Fiddler but any proxy.

Without this workaround, whenever you run the client with a proxy on, you would get an error like “HttpRequestException: Unable to get subchannel from HttpRequestMessage.” I am calling it a workaround because a member of the grpc-dotnet team suggested in one of the threads that HttpClientHandler should be used when a proxy stands in the middle. You can read more about it here and here.

After adding the following to the Client Program.cs file, all should be fine and Fiddler Everywhere is ready to capture my superhero gRPC.

// using var channel = GrpcChannel.ForAddress(URL);
var URL = ;
// recreate the gRPC channel while using HttpClientHandler (to remove the default handler)
using  var channel = GrpcChannel.ForAddress(
  URL,
  new GrpcChannelOptions
  {
    HttpHandler = new HttpClientHandler()
  });

var client = new Greeter.GreeterClient(channel);

Inspect

The captured gRPC session shows a green badge until the gRPC channel is open and a red badge when the gRPC channel is closed.

Double-click on a gRPC session to open the Messages tab and the Message inspector to inspect each gRPC message as originally received (the context menu provides decoding option) or through the HEX inspector. The Messages tab lists the outgoing (Sender: Client) and incoming (Sender: Server) gRPC messages. You can see the size and the original content of each message.

The Messages tab lists the outgoing (Sender: Client) and incoming (Sender: Server) gRPC messages. You can see the size and the original content of each message.

Decode

The raw Protobuf content that is captured can be partially visualized in text via the Decode value and HEX inspector. The fun starts, however, once you have the .proto file (owned by the scheme creator) with it you can get the decoded values of the message fields.

Provide the .proto file through the Settings > Protobuf > Decode via .proto file field. Like that, the gRPC message will have a tooltip indicating that Fiddler used a Protobuf file for its decoding. Here it is how it looks on my end.

Alternatively, the received gRPC messages will be automatically decoded if server reflection is available. Fiddler Everywhere detects out of the box if the gRPC server supports and uses server reflection. Note that the server reflection might not work when it uses TLS due to certificate errors. You can ignore the errors through the Settings > HTTPS > Ignore Server Certificate Errors option.

Stay in Control of Your gRPC Traffic with Fiddler Everywehre

1. Simplified Inspection of Protobuf Data: With built-in support for decoding Protobuf messages, Fiddler Everywhere allows you to view the exact data being transmitted over gRPC in a familiar, human-readable format like JSON. This makes debugging significantly easier, as you no longer have to manually decode or write custom scripts to parse binary data.
2. Comprehensive Traffic Logging: By providing a complete log of all gRPC requests and responses, you have full insight into the flow of communication between services. This is especially valuable for troubleshooting issues like failed calls, performance bottlenecks or unexpected responses.
3. Detailed Request and Response Information: So you can verify that the correct metadata is being sent and that the data integrity is intact across services.
4. Seamless Debugging Experience: Its user-friendly interface and powerful features enable seamless debugging of gRPC services, allowing developers to focus on resolving issues quickly without dealing with cumbersome data formats.
5. Cross-Platform Support: It works on macOS, Windows and Linux and can capture traffic from just about any client that uses the HTTP(S) protocol.

As gRPC continues to gain traction, the need for effective debugging and inspection tools has never been greater. Fiddler Everywhere steps in as a versatile, cross-platform solution that enables developers to make gRPC traffic human-readable, simplifying the process of debugging, monitoring and understanding gRPC interactions. Whether you’re troubleshooting complex service interactions or simply checking that your APIs are functioning as expected, you can focus more on building and maintaining reliable gRPC-based applications, and less on struggling with unreadable data.

Happy debugging!

Fiddler Everywhere comes with a free trial. Ready to give it a whirl?

Try Now

Modern applications use Application Programming Interfaces (APIs) to receive and send data or commands. However, creating HTTP clients to consume these APIs can be exhausting and error-prone. Fortunately, some tools make this process simpler and more efficient. One of these tools is Refit, a powerful library that facilitates integration with APIs in ASP.NET Core applications.

This post will teach you how to configure and use Refit in an ASP.NET Core application. We will cover everything from the initial configuration to creating API clients and making HTTP calls. In addition, we will see how to implement a simple authentication system using JWT and how to configure Refit to receive the authentication token. At the end of the post, you will see how Refit can significantly simplify interaction with APIs, making your code cleaner and easier to maintain.

How Are Requests Between APIs Made?

In web applications, to request an external API, it is common to implement an API client. An API client in software development refers to a component or layer of the application responsible for making requests and interactions with external APIs.

The API client encapsulates the logic necessary to send HTTP requests to API endpoints, process received responses and serialize/deserialize data between formats such as JSON.

By default, ASP.NET Core has the HttpClient class in the System.Net.Http namespace which is used to send an HTTP request and receive the request-response.

Although HttpClient is a powerful class for making HTTP requests in ASP.NET Core applications, some disadvantages must be considered. For example, the need for manual configuration and management of HttpClient instances. Plus, it may be necessary to manage timeouts, headers and handlers, leading to greater complexity and potentially resulting in errors if not managed correctly.

Another less-favorable factor of HttpClient is that it has less abstraction and greater complexity compared to other resources such as third-party libraries, which can provide high-level abstraction through typed interfaces, while HttpClient requires more boilerplate code to configure and send requests.

In scenarios where applications make many calls to external APIs, excessive use of HttpClient can result in more verbose and less readable code.

Refit: A Good Alternative to HttpClient

In scenarios that require several calls to external APIs, a good alternative to HttpClient is Refit. Refit is a library for ASP.NET Core that provides a more simplified, elegant and productive approach to integrating with HTTP APIs.

Refit allows you to define simple, strongly typed C# interfaces to describe API endpoints, eliminating the need to manually write boilerplate code to construct URLs, configure headers, serialize/deserialize JSON objects, and other low-level details. Refit encapsulates all of these standard settings, allowing customization if necessary.

Furthermore, Refit uses attributes to configure HTTP request details, such as authentication and caching. This provides a more declarative and simplified configuration of requests, making the code more intuitive. Another advantage of Refit is that it simplifies error handling based on HTTP status codes returned by APIs.

Hands-on with Refit

In this post, we will create the basic configurations of Refit, and after adding an authentication layer to the external API, for this, we will create two APIs. The first (CustomerAPI) will request the second (CustomerAdditionalInfoApi). This request will be made through Refit, where we will explore some details and see how it is possible to facilitate integration with external APIs.

The complete project code can be accessed in this repository on GitHub: Customer Manager source code.

Creating the Applications

The example in the post uses .NET Version 8, you can create the example application in older versions but problems may occur that are not covered in the post.

To create the solution and the two API projects, you can use the following commands:

dotnet new sln -n CustomerManagement
dotnet new web -n CustomerApi
dotnet new web -n CustomerAdditionalInfoApi
dotnet sln add CustomerApi/CustomerApi.csproj
dotnet sln add CustomerAdditionalInfoApi/CustomerAdditionalInfoApi.csproj

Then you can open the solution project with your favorite IDE. This post uses Visual Studio.

The first API we will work on is CustomerApi. Open a terminal in the project and run the commands below to install the necessary NuGet packages in it:

dotnet add package Refit
dotnet add package Refit.HttpClientFactory

Then, inside the project create a new folder called “Models” and inside it create the class below:

namespace CustomerApi.Models;
public class Customer
{
    public string Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
}

The next step is to create a Data Transfer Object (DTO) to return the data from the API request for additional information. Create a new folder called “Dtos” and inside it add the class below:

• CustomerAdditionalInfoDto

namespace CustomerApi.Dtos;
public class CustomerAdditionalInfoDto
{
    public string Id { get; set; }
    public string CustomerId { get; set; }
    public string Address { get; set; }
    public string PhoneNumber { get; set; }
}

Now let’s create the interface that will be used by Refit to implement the endpoint for the external API. So, within the CustomerAPI project, create a new folder called “Repositories.” Within it, create another folder called “Interfaces” and within that add the interface below:

using CustomerApi.Dtos;
using Refit;

namespace CustomerApi.Repositories.Interfaces;
public interface ICustomerAdditionalInfoApi
{
    [Get("/customerAdditionalInfos/{customerId}")]
    Task<CustomerAdditionalInfoDto> GetCustomerAdditionalInfo(string customerId);
}

Note that in this interface a method is being declared to fetch additional data from a customer using the id as a parameter. In addition, the [Get("/customerAdditionalInfos/{customerId}")] attribute of Refit is used, which declares that the HTTP method is a GET and the route to be accessed is also declared: "/customerAdditionalInfos/{customerId}".

Now let’s configure Refit in the project’s Program class. To do this, simply add the following code just below where the builder variable is created:

builder.Services
    .AddRefitClient<ICustomerAdditionalInfoApi>()
    .ConfigureHttpClient(c => c.BaseAddress = new Uri("http://localhost:5080"));

Here we are informing Refit of the interface it should use to create the abstraction for accessing external APIs. Also, we are passing the Uniform Resource Identifier (Uri) as “http://localhost:5080” which is the http address and port that will be running the external API.

To keep things simple, in this example, we are configuring the Uri directly in the ConfigureHttpClient() method, but in real-world scenarios, this information must be stored in secure locations such as cloud storage hosts protected by encryption.

Now let’s add the endpoint that will communicate with the additional information API:

app.MapGet("/customers/{id}/additionalInfo", async (string id, ICustomerAdditionalInfoApi additionalInfoApi) =>
{
    try
    {
        var info = await additionalInfoApi.GetCustomerAdditionalInfo(id);

        return Results.Ok(info);
    }
    catch (ApiException ex) when (ex.StatusCode == HttpStatusCode.NotFound)
    {
        return Results.NotFound($"Additional information not found for the customer id: {id}");
    }
});

In this endpoint, we are using the interface that implements Refit to access the external API and fetch additional information from the customer. If the data is found, it is returned; if not, if the return is a 404 NotFound status, an error is returned stating that no additional information was found for that customer.

Note how simple it is to request an API through Refit, allowing you to add as many APIs and endpoints as necessary. And it is possible to handle the API return through HTTP status codes.

The first API is ready, now let’s implement the second API, which will be accessed via Refit by the first. Inside the project CustomerAdditionalInfoApi, create a new folder called “Models,” and inside that create the class below:

• CustomerAdditionalInfo

   public string Id { get; set; }
    public string CustomerId { get; set; }
    public string Address { get; set; }
    public string PhoneNumber { get; set; }

And in the Program class add the code below:

app.MapGet("/customerAdditionalInfos/{customerId}", async (string customerId) =>
{
    var customerAdditionalInfo = GetCustomerAdditionalInfos().FirstOrDefault(a => a.CustomerId == customerId);

    return customerAdditionalInfo is CustomerAdditionalInfo info ? Results.Ok(info) : Results.NotFound();
});

List<CustomerAdditionalInfo> GetCustomerAdditionalInfos()
{
    return new List<CustomerAdditionalInfo>
        {
            new CustomerAdditionalInfo
            {
                Id = "6FE892BB",
                CustomerId = "35A51B05",
                Address = "200 John Wesley Blvd, Bossier City, Louisiana, USA",
                PhoneNumber = "555-1234"
            },
            new CustomerAdditionalInfo
            {
                Id = "189DF59F",
                CustomerId = "4D8AD7B2",
                Address = "103100 Overseas Hwy, Key Florida, USA",
                PhoneNumber = "555-5678"
            },
            new CustomerAdditionalInfo
            {
                Id = "A9374B16",
                CustomerId = "23D4FCC2",
                Address = "6175 Brandt Pike, Huber Heights, Ohio, USA",
                PhoneNumber = "555-8765"
            }
        };
}

Note that here we are not using a database—we are just creating a simple API to return some sample data through an endpoint.

Another necessary configuration is defining the port configured in the other API. So, inside the Properties folder, in the launchSettings.json file within the profiles schema change the applicationUrl key port to 5080. This is so that the application starts on this port, which was configured in the customer’s API.

Now let’s run both applications and verify if Refit is working. In Visual Studio, right-click on the solution, and choose the properties option. In the open window, select Multiple startup projects and the Start option for both.

Then, run the applications.

This post uses Progress Telerik Fiddler Everywhere to request. So in Fiddler execute a request to the endpoint http://localhost:PORT/customers/additionalInfo/4D8AD7B2. Here we are making a request to the Customer API passing the customer ID in the URL, which makes the request to the second API (CustomerAdditionalInfoAPI) and returns the customer data.

Now, execute the request again but with an nonexistent ID—for example, 1A2AD1B2—and the response will be a status HTTP not found:

Note that using Refit we were able to predict the request’s response and treat it as necessary. In this case, when returning HTTP status 404, an exception was executed and a customized error message was returned.

Adding JWT Authentication to Refit

JSON Web Token (JWT) is a standard used for authentication/authorization in web APIs that uses tokens signed using a private secret or a public/private key.

In the previous example, we accessed the external API, but it did not have any rules for authentication/authorization. Next, we will check how to implement this when accessing the external API using Refit.

First, let’s configure the CustomerAPI to send the token to the CustomerAdditionalInfoApi. So, in the folder Interfaces add the following interface:

• IAuthTokenProvider

namespace CustomerApi.Repositories.Interfaces;
public interface IAuthTokenProvider
{
    string GetToken();
}

Then in the folder Repositories add the following class:

using CustomerApi.Repositories.Interfaces;

namespace CustomerApi.Repositories;
public class AuthTokenProvider : IAuthTokenProvider
{
    public string GetToken()
    {
        return "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.pg-7kh_cZ0m4yDULVjR7rKPZFh7nBprKGFVYzS7Y7y0";
    }
}

Note that here we define an interface with a method to fetch the token. Then we create a class that implements the GetToken() method and returns a JWT. This token was generated on the JWT website and is fixed in the code.

Remember that this is just an example—in real-world applications, this token must be obtained through a secure endpoint to generate the token. For more information on the subject, you can check out this post that goes deeper into authentication and authorization with JWT: Authentication and Authorization with JWT.

Then, in the Program class, add the following code just below the builder variable:

builder.Services.AddSingleton<IAuthTokenProvider, AuthTokenProvider>();

And replace the code:

builder.Services
 .AddRefitClient<ICustomerAdditionalInfoApi>()
 .ConfigureHttpClient(c => c.BaseAddress = new Uri("http://localhost:5080"));

with the following:

builder.Services
 .AddRefitClient<ICustomerAdditionalInfoApi>()
 .ConfigureHttpClient((serviceProvider, c) =>
 {
 var tokenProvider = serviceProvider.GetRequiredService<IAuthTokenProvider>();
 var token = tokenProvider.GetToken();

 c.BaseAddress = new Uri("http://localhost:5080");
 c.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
 });

Note that here we are obtaining the token and passing it to Refit through the request header, which will be of the “Bearer” type.

Then, below the snippet:

catch (ApiException ex) when (ex.StatusCode == HttpStatusCode.Unauthorized)
 {
 return Results.Unauthorized();
 }

add the following:

catch (ApiException ex) when (ex.StatusCode == HttpStatusCode.Unauthorized)
{
 return Results.Unauthorized();
}

Here we are dealing with the return of the external API, which from now on will have the option of returning an HTTP Unauthorized status.

The JWT implementation in the first API is ready, now let’s do the configuration in the CustomerAdditionalInfoApi API. So, first, open a terminal in the CustomerAdditionalInfoApi API and run the command below to install the JWT NuGet package dependency:

dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Then, in the Program class add the following code below where the “builder” variable is created:

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateLifetime = false,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("MIICWwIBAAKBgHZO8IQouqjDyY47ZDGdw9j"))
    };
});

builder.Services.AddAuthorization();

Here we are configuring the JWT requirements. Note that most of the requirements are marked as false because, as previously stated, this is just a didactic example. In real-world applications, care must be taken with this information. Furthermore, we are directly configuring the secret key (MIICWwIBAAKBgHZO8IQouqjDyY47ZDGdw9j). This key was used to create the JWT token that was configured in the customer API.

Still in the program class, below the app variable add the following:

app.UseAuthentication();
app.UseAuthorization();

These methods are used to tell the compiler to use authentication and authorization.

Finally, for the endpoint to consider JWT authorization rules, it is necessary to add the RequireAuthorization() extension method. Then the complete endpoint will look like this:

app.MapGet("/customerAdditionalInfos/{customerId}", async (string customerId) =>
{
 var customerAdditionalInfo = GetCustomerAdditionalInfos().FirstOrDefault(a => a.CustomerId == customerId);

 return customerAdditionalInfo is CustomerAdditionalInfo info ? Results.Ok(info) : Results.NotFound();
});
}).RequireAuthorization();

Testing Access to the Authenticated Endpoint Through Refit

Now that all authentication and authorization configurations are ready, we can run the application and check if the endpoint continues to work. Then start both APIs and execute the request through Fiddler again.

Note that again the data was returned successfully, as the API was authenticated. To test the authorization error, modify the secret key (MIICWwIBAAKBgHZO8IQouqjDyY47ZDGdw9j) in the Program class of the CustomerAdditionalInfoApi API and make the request again.

This time the additional information API did not recognize the secret key sent in the request and returned the HTTP status code 401 (Unauthorized).

Conclusion

In this post, we looked at some of the disadvantages of ASP.NET Core’s native HttpClient class, which despite meeting the main needs of communication between APIs can become a problem when managing many requests to external APIs.

In contrast, we explored the functionality of Refit, which is a good alternative to HttpClient, allowing the developer to create less boilerplate code and simplify the request process between APIs. Furthermore, we checked how to implement a simple authentication system and send the token to the external API through Refit.

Refit is a great tool for working with web APIs, so whenever you see the need, consider using Refit to manage external calls and ensure the success of your application.

When using Progress Telerik Fiddler Everywhere to capture web traffic, users are often overwhelmed by the sheer volume of information. Even a single webpage can generate hundreds of requests, and when capturing traffic from multiple applications, the HTTPS sessions can quickly become unmanageable. Many users wonder how to find the specific information they need within this captured traffic.

Fiddler Everywhere offers several techniques to help users focus on important data. Users can improve their work performance using Fiddler’s user interface by utilizing filters, search options and the ability to highlight specific sessions.

Identifying Session Type and State

One of the first things to do is to identify the type and the state of a targeted session. The quickest way to do that is by using the ID column in the Fiddler grid. Apart from the unique identifier, each session is also marked with an icon that depicts the session’s type (like CSS, gRPC session, CONNECT Tunnel, PNG image, etc.—you can see all supported icons here).

The ID column allows you not only to visually efficiently identify a session by its type, but you can also gain additional information through tooltips. For example, through the icon you can easily identify an issue related to the used site’s certificate.

The ID column will also contain an indicator in case the Session was paused through a breakpoint.

The breakpoints in Fiddler Everywhere are а powerful feature that allows you to pause, debug and modify web traffic on the fly.

In addition to the mentioned features, Fiddler Everywhere offers multiple predefined columns to help you further narrow down and identify specific sessions. For instance, you can utilize the Protocol column to distinguish sessions based on the technology (such as HTTP, gRPC, WebSocket, etc.). You can also use the Method column to monitor HTTP methods (GET, POST, PATCH, etc.) or the remote IP column to track traffic from a specific remote host. And even more—there is also an option to create your own custom columns based on the HTTP request and response headers.

Using Fiddler’s Quick Search

The Quick Search feature in Fiddler Everywhere allows you to search through the sessions and locate specific entries based on your search criteria. By default, Fiddler’s search function will only match values found in the traffic grid columns, such as URL, host and other live traffic column values.

With the latest version of Fiddler Everywhere, you can enable the search to match values from the HTTP(S) sessions. This valuable addition lets you quickly identify specific data buried deep within an HTTP body, headers or even within messages received from streaming protocols (like gRPC, WebSocket and SSE). However, it’s important to note that the captured traffic may contain numerous HTTP bodies, some of which can be large (several MBs).

Therefore, using the search in-body option may lead to performance issues if not used carefully. It’s recommended to use the search in-body option with a smaller set of sessions (you can limit the maximum number of visualized sessions through the Settings > Live Traffic > Sessions List Length option).

With the deep search option, some sessions are matched but might not have an explicit highlight within the traffic grid. That indicates that the matched string value is present within the session’s headers or body. To see the result for such a session, select it, open the Raw Inspector, press the search icon and reenter the search term.

Filtering Traffic

In Fiddler Everywhere, the filters provide another way to enhance your interaction with the captured traffic. The application lets you quickly filter a specific column in the traffic grid. For instance, you can use a filter for the URL column to display only the sessions that contain a particular value.

While the column filters are easy to use, there are cases where more advanced filter conditions are necessary. This is where the Filters option comes into play. This dedicated functionality allows you to add multiple matching conditions and see the number of matched sessions in real time. Filters can also be saved for later use, and a saved filter can be activated or deactivated based on current needs.

The filtering conditions are identical to Fiddler’s matching conditions for the Rules tab, which means you have another powerful tool to extract the needed information. For example, you can create a filter to sieve all sessions with specific TLS versions or to detect expiring certificates. Or why not both?

In addition to the advanced filtering options, Fiddler provides a quick and efficient way to clear the captured traffic from sessions that cover specific criteria. The “Clear” drop-down menu is accessible through the traffic grid and offers numerous options to restrict the shown sessions further.

Using the Fiddler’s filters alongside the saving, exporting and sharing functionalities makes the traffic capturing even more existing and opens new doors for teams to collaborate efficiently.

Highlighting Traffic

Apart from the importance of having a modern tool with a good UI, it is also imperative that the tools provide the ability to modify the UI to one’s own needs. In capturing traffic, the community requested a user interface feature to identify targeted sessions. This feature is delivered through the Rules tab, and there is an option to create custom marking rules to highlight the targeted web traffic.

Using the Rules tab to create and apply a rule is straightforward, but it also enables you to dive deep into the world of modifying HTTPS traffic. We won’t detail the more powerful options that Fiddler’s rules provide (some examples are available as rules preset here). Instead, we will show how to quickly create a rule to mark all sessions with static resources.

As demonstrated within a single rule, you can add multiple matching conditions and apply different actions, including the option to change the appearance of a row in the traffic grid.

Decoding Options

Often, the information passed through HTTP requests and responses is encoded. Searching within encoded information won’t make much sense, so Fiddler Everywhere provides an option to decode pre-selected encoded data manually. The supported formats are Base64 (commonly used with Basic Authentication headers), Escaped Sequences, encoded URLs, hex data and encoded HTML. For example, you can easily decode any Raw Inspector data portion through the Decode Selection option (accessible from the context menu).

Demonstration of how Fiddler can intercept and decode username and password passed as Base64 string through Basic Authentication.

With User Experience in Mind

Over the past several months, the team has delivered tremendous technology-related features, such as support for HTTP/2, TLS 1.3, gRPC, SSE, Network Capturing mode and many more. The user interface has also been significantly improved, ranging from minor UX-driven changes to significant UI enhancements.

Fiddler Everywhere is evolving rapidly. The newly added ability to search data within the captured traffic is mainly driven by feedback from the Fiddler community. Please let us know your thoughts and help us improve the Fiddler rules by sharing your ideas and suggestions in the Fiddler Everywhere public GitHub repository or the feedback portal.

Real-time communication in applications is a great tool to provide your users with the most up-to-date information. This might take the form of a message on social media, a breaking news story or an updated stock quote. Every piece of information is urgently needed by some users.

In a real-time application, information is constantly flowing between the client and the server. This can be minuscule synchronization and keep-alive messages, or large amounts of text. To better understand what information is being exchanged, how often it is exchanged and how that affects performance, a tool like Progress Telerik Fiddler Everywhere is invaluable.

To achieve real-time communication in a web application, both the client and server need to send and receive information using the same technology. One solution is gRPC, which is a protocol on top of HTTP/2. Another solution is called WebSockets, which is its own separate protocol over a TCP connection. Microsoft also provides an abstraction called SignalR for real-time communication, which transports data using WebSockets (most of the time).

MessagePack is a super simple way to improve both WebSockets and SignalR communication. It is an “efficient binary serialization format.” In short, it encodes the plain-text JSON data traditionally sent by SignalR to binary. This will roughly halve the size of the message. Since the longest part of the real-time communication process is often transmission of data, this can greatly improve application performance. What’s even better, those encoded messages can now be natively read and decoded in Fiddler Everywhere.

Creating a SignalR Application

The instructions below are an updated and abridged version of Use ASP.NET Core SignalR with Blazor. For a more detailed tutorial, follow the above link above.

Prerequisites

• Visual Studio (2022 or later)
• ASP.NET and web development workload
• .NET Core SDK 8.0 or later

Create a Blazor Web Application

• Create a new Blazor Web App project.

• Give your sample project a suitable name, such as BlazorSignalRApp.
• Configure your project as below:

Add the SignalR Client Library

• Add the following package to your client app, e.g., BlazorSignalRApp.Client:
  Microsoft.AspNetCore.SignalR.Client

Add a SignalR Hub

• In the server app, e.g., BlazorSignalRApp, create a Hubs folder and add ChatHubs.cs to the folder.

• In Hubs/ChatHubs.cs paste the below code:

using Microsoft.AspNetCore.SignalR;

namespace BlazorSignalRApp.Hubs;

public class ChatHub : Hub
{
    public async Task SendMessage(string user, string message)
    {
        await Clients.All.SendAsync("ReceiveMessage", user, message);
    }
}

Add Services and an Endpoint for the SignalR Hub

• In the Program.cs file of the server app, add the below namespaces.

using Microsoft.AspNetCore.ResponseCompression;
using BlazorSignalRApp.Hubs;

• Add SignalR and Response Compression Middleware service:

builder.Services.AddSignalR();

builder.Services.AddResponseCompression(opts =>
{
   opts.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(
       ["application/octet-stream"]);
});

• Use Response Compression Middleware at the top of the processing pipeline’s configuration. Place the following line of code immediately after the line that builds the app (var app = builder.Build();):

app.UseResponseCompression();  

• Add an endpoint for the hub immediately before the line that runs the app (app.Run();):

app.MapHub<ChatHub>("/chathub");

Add Razor Component Code for Chat

• In the client app, create a razor page named Pages/Chat.razor.

• Paste the following into Pages/Chat.razor:

@page "/chat"
@rendermode InteractiveWebAssembly
@using Microsoft.AspNetCore.SignalR.Client
@inject NavigationManager Navigation
@implements IAsyncDisposable

<PageTitle>Chat</PageTitle>

<div class="form-group">
    <label>
        User:
        <input @bind="userInput" />
    </label>
</div>
<div class="form-group">
    <label>
        Message:
        <input @bind="messageInput" size="50" />
    </label>
</div>
<button @onclick="Send" disabled="@(!IsConnected)">Send</button>

<hr>

<ul id="messagesList">
    @foreach (var message in messages)
    {
        <li>@message</li>
    }
</ul>

@code {
    private HubConnection? hubConnection;
    private List<string> messages = new List<string>();
    private string? userInput;
    private string? messageInput;

    protected override async Task OnInitializedAsync()
    {
        hubConnection = new HubConnectionBuilder()
            .WithUrl(Navigation.ToAbsoluteUri("/chathub"))
            .Build();

        hubConnection.On<string, string>("ReceiveMessage", (user, message) =>
        {
            var encodedMsg = $"{user}: {message}";
            messages.Add(encodedMsg);
            InvokeAsync(StateHasChanged);
        });

        await hubConnection.StartAsync();
    }

    private async Task Send()
    {
        if (hubConnection is not null)
        {
            await hubConnection.SendAsync("SendMessage", userInput, messageInput);
        }
    }

    public bool IsConnected =>
        hubConnection?.State == HubConnectionState.Connected;

    public async ValueTask DisposeAsync()
    {
        if (hubConnection is not null)
        {
            await hubConnection.DisposeAsync();
        }
    }
}

• Add an entry to the NavMenu for our new chat page. In the server app, add the below to Components/Layout/NavMenu.razor:

<div class="nav-item px-3">
    <NavLink class="nav-link" href="chat">
        <span class="bi bi-list-nested-nav-menu" aria-hidden="true"></span> Chat
    </NavLink>
</div>

Run the App

• Build and run the server app to test our progress. You should see the below:

Adding MessagePack

Now that we have a fully functional web application that uses standard plain-text SignalR, let’s add MessagePack to serialize our messages to binary.

• In BOTH the server app AND the client app, add the below package:
  Microsoft.AspNetCore.SignalR.Protocols.MessagePack

• In the server app, update the SignalR service to include MessagePack:

services.AddSignalR()
    .AddMessagePackProtocol();

• In the client app update the hubConnection in Pages/Chat.razor to include MessagePack:

var hubConnection = new HubConnectionBuilder()
                        .WithUrl("/chathub")
                        .AddMessagePackProtocol()
                        .Build();

• Build/run the updated app.

Finding WebSocket Connection in Fiddler Everywhere

To inspect SignalR traffic in Progress Telerik Fiddler Everywhere, you must first identify the WebSockets connection. SignalR will use WebSockets by default, wherever it is supported—gracefully falling back on older technologies when WebSockets are not supported. Since this is a seldom occurrence, it’s safe to assume that WebSockets are being used.

First, we should identify the URL and port of our running application and use that to filter Fiddler Everywhere traffic. We can do this even before we start listening to the traffic.

Now, we can filter Fiddler Everywhere traffic like this:

We can now launch our application and begin inspecting traffic.

Inspecting Traffic

Click the System Proxy switch to turn on the system network proxy a being inspecting all traffic. Everything not conforming to our filter will be discarded.

After running our application, we’ll see traffic start to appear in the Live Traffic window. All of this traffic is very informative, but we’re specifically looking for the WebSockets entry.

There are a few hints as to which item we need:

• It will be a GET request.
• We should see a status code 101 (switching protocols).
• Fiddler Everywhere represents WebSockets traffic with a plug icon.
• An open connection has a green dot.

Selecting the connection, we can now use the Inspectors tab to view the Request and Response panels:

Decoding MessagePack

To view the messages being sent and received over SignalR (WebSockets), we’ll switch from the Handshake tab (focused on the connection) to the Messages tab (focused on the content).

You notice that for each message sent in the app, we see both a client and server response. This is because our simple chat application sends a message and receives the same message back from the SignalR Hub.

You’ll also notice that the raw content of that message is in binary (displayed in HEX values). This is MessagePack doing its job. To decode the message, open the MessagePack tab.

Conclusion

Fiddler Everywhere can be used during all stages of your real-time web application development lifecycle. Early in development, you may allow SignalR to send plain-text messages for easier debugging. You might also check the number of requests being sent and their size, and profile their performance metrics. In late-stage development, you can enable MessagePack and other optimization/compression protocols to increase performance. Doing so does not sacrifice your ability to read and understand the data passing through your servers or degrade your ability to inspect and profile applications in production.

If you haven’t already used Fiddler Everywhere, you can try it for free today!

Try Fiddler Everywhere