Bank API š¦
The Bank API is a design reference project suitable to bootstrap development for a compliant and modern API.
Explore the live š API with sidecars (hosted on Azure Container Apps) and š MCP server (hosted on F1 tier Azure App Service).
Compliance
API
ā OWASP API Security Top 10 - v2023 via Spectral OWASP API Security ruleset
ā OpenAPI Specification v3.1.1 via Spectral "oas" ruleset
ā Dutch Public Sector (NLGov) REST API Design Rules via API Design Rules ruleset
ā Additional naming conventions, structure, and clarity via Bank API project ruleset
ā California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) via ASP.Net Core Compliance
ā
RFC 7515 - JSON Web Signature (JWS) for response signing, via X-JWS-Signature header
ā
RFC 7517 - JSON Web Key Set (JWKs) for validating JWS responses, via /.well-known/jwks.json endpoint
EDA (Event-driven architecture) with outbox-pattern
ā OpenAPI Specification v3.1.1 - webhook field
ā CloudEvents - Version 1.0.2 for defining the format of event data
ā CloudEvents - Version 1.0.2 - HTTP Protocol Binding for HTTP transport
ā CloudEvents - Version 1.0.2 - HTTP 1.1 Web Hooks for Event Delivery for delivering events via the webhook pattern
MCP Server
ā Model Context Protocol, version 2025-11-25
Technology stack
-
ASP.NET Core 10.0 - Minimal API for API development, with following base services:
-
Resilience for resilience when calling downstream APIs
-
Compliance for redacting sensitive data
-
Health checks for checking health status
-
Service Discovery for resolving endpoints from config
-
Hybrid Cache for caching
-
Rate limiting for rate limiting
-
API Key, JWT bearer and OpenID Connection-based authentication for security, with:
- token reuse prevention for Entra ID tokens
-
OpenApi for generating OpenAPI specifications
-
Cross-Origin Resource Sharing (CORS) for cross-origin requests
-
Validation for validating requests on endpoints
-
-
OpenTelemetry (OTel) for observability
-
Aspire for development bootstrapping and client integrations
-
Kiota API client generation for calling downstream APIs
-
Gridify for filtering, ordering and paging
-
Scalar for interactive API documentation
-
Spectral for linting
-
TUnit for unit tests
-
REST Client extension in Visual Studio Code for quick local tests via
.httpfiles -
MCPify for exposure via Model Context Protocol
-
CloudEvents for event delivery
Design
Technically, the design is layered like the following flowchart.
flowchart TB
apis[BankApi.Service.Beta / BankApi.Service.Stable]
aspire[BankApi.Orchestration]
mcp[BankApi.Mcp]
test[BankApi.Tests]
infra_gen[Infra.Generated]
specs_gen[Specs.Generated]
subgraph core[BankApi.Core]
Defaults
DownstreamClients
Implementation
end
Defaults --> Implementation
DownstreamClients --> Defaults
DownstreamClients --> Implementation
Defaults --> apis
Implementation --> apis
Implementation --> test
apis --> aspire
apis --> specs_gen
aspire--> infra_gen
specs_gen --> mcp
Prerequisites
If not using the Dev Container, install:
Quick start
-
Use a
pwshshell (for a click-a-long experience). -
(Optionally) regenerate the GitHub downstream API client by going to the Kiota workspace and clicking
Re-generateunderclients.
-
(Optionally) regenerate the ASP.NET Core HTTPS development certificate:
dotnet dev-certs https --clean && dotnet dev-certs https -ep ./.certs/AspNetDev.pfx -p '' --trust -
(Optionally) regenerate the Helm chart artifacts via the Aspire CLI:
rm -r Infra.Generated/* && aspire --version && aspire publish -o Infra.Generated -
Generate a new JWT-token for secured endpoints:
dotnet user-jwts create --scope "bank_api" --role "banker" --valid-for 3650d --project BankApi.Service.Stable -
Run
dotnet buildto output the OpenAPI definition. Make sure the local environment for ASP.NET Core points to development:setx ASPNETCORE_ENVIRONMENT "Development" -
Validate the OpenAPI definition by going to the openapi_v1.json definition and check for problems via the Spectral extension.
Container images
Rename the env sample file to .env and replace the values.
Create a pod:
podman pod create --name bank-api-pod -p 127.0.0.1:8080:8080 -p 127.0.0.1:5201:10000 -p 127.0.0.1:6070:6070 -p 127.0.0.1:3500:3500
Start the Dapr sidecar to expose secret stores, explore via the metadata endpoint or check a secret:
podman build -t bank-api-daprd:v1 ./Sidecar.Dapr
podman run --pod bank-api-pod --env-file .env bank-api-daprd:v1
Start the OpenTelemetry Collector to process and export telemetry data:
podman build -t bank-api-otelcol:v1 ./Sidecar.OpenTelemetry
podman run --pod bank-api-pod --env-file .env bank-api-otelcol:v1
Start the S3Proxy sidecar to expose Azure Blob Storage as an S3-compatible endpoint:
podman build -t bank-api-s3proxy:v1 ./Sidecar.S3Proxy
podman run --pod bank-api-pod --env-file .env bank-api-s3proxy:v1
Start the Stable version of the API as an Alpine with Composite ready-to-run image with ready-to-run format:
podman build -t bank-api:v1 .
podman run --pod bank-api-pod --env-file .env bank-api:v1
To facade the API as well, start the Proxy:
podman build -t bank-api-proxy:v1 ./Sidecar.Proxy
podman run --pod bank-api-pod bank-api-proxy:v1
Then navigate to the proxied OpenAPI Spec or Scalar UI, or use :8080 to directly call the API.
Run podman pod rm -f bank-api-pod to teardown.
Run in Aspire minimal mode
This mode just runs the ASP.NET Core API.
-
Make sure a container runtime is started.
-
Start the standalone Aspire Dashboard for developer visualization:
podman run --rm -it ` -p 18888:18888 ` -p 4317:18889 ` --name aspire-dashboard ` mcr.microsoft.com/dotnet/aspire-dashboard:latestCopy the url shown in the resulting output when running the container (e.g. http://localhost:18888/login?t=123456780abcdef123456780) and open that in a browser, or paste the key part seen after
/login?t=when the login dialog is shown. The token will change each time the container is started. -
Run the launch config
API - Stable release channel.
Run in Aspire mode
This mode starts the Stable and Beta versions of the API with required sidecars, including an MCP server for the Stable version, in context of Aspire.
-
Make sure a container runtime is started and Aspire is set to use that runtime (if using anything other than docker):
podman machine start setx ASPIRE_CONTAINER_RUNTIME "podman" -
Run the launch config
Aspire Orchestration.
Run the MCP server
The MCP server is designed to run on HTTP Stream Transport, separately from the API, based on the OpenAPI specification generated by the API.
Currently, it registers tools for operations via API Key and OAuth Authorization Code authentication methods.
Make sure to run BankApi.Service.Stable, and BankApi.Mcp at the same time. The easiest way is to just Run in Aspire mode.
Claude
Configure your claude_desktop_config.json with the following mcpServers entry:
{
"mcpServers": {
"bankApi": {
"command": "npx",
"args": [
"mcp-remote",
"https://bankapi-mcp-001-ctcahwhschgrdqb4.westeurope-01.azurewebsites.net",
"--allow-http",
"--debug"
]
}
}
}
Replace the URL with
http://localhost:5200when using the local MCP server.
GitHub Copilot
To host the MCP server, make sure to Authorize Visual Studio Code in the app registration.
Considerations
General
-
To receive CloudEvents that are emitted via this API, see cloudevents/sdk-csharp - CloudEventBinding for an ASP.NET Core sample.
-
To extend OpenTelemetry logging to Application Insights, expand the OpenTelemetry exporter.
-
The compliance NullRedactor doesn't seem to work, the redactor is already defined at Builder.Compliance.cs but not used because of the issue.
-
API versioning is handled via a simple approach with PathBase, which is also more convenient for Azure API Management usage. Using the native way might look like this.
-
Extending Spectral rulesets from an NPM package can be problematic.
-
Generic exception handling is minimally implemented via ErrorHandling.cs.
-
API owners usually have customers outside of their own company - or outside of their own domain within a company - which inherently means adoption time will be slower for API contract changes, this is why there is a
StableandBetaversion of the API in this project, inspired by the Microsoft Graph API Current/Beta versioning design. New or modified contract-breaking (beta) operations to API consumers may be served via theBetaversion without distracting users on theStableversion.Do not confuse this versioning scheme as a replacement for DTAP; it is merely complementary to it. Many API changes will affect both the
StableandBetaendpoints (such as changes to the underlying shared database). That's why they both share a common layer in the form ofBankApi.Core.Nonetheless, versioning is very opinionated and one should always see what the best business and technical fit is. This might change over time and from project to project.
-
Dev Containers with the
docker-outside-of-dockerfeature instead ofdocker-in-dockerdo not work, for now we're usingdocker-in-docker.
Please see the Reddit r/dotnet post 1 and post 2 about this project for more considerations and information.
Troubleshooting
-
If debugging isn't working properly, please clear the Extension Host Cache at
%AppData%\Code\CachedData(on Windows) and restart VSCode. -
If getting the error
unable to get local issuer certificatewith Spectral, make sure to add the CA of the proxy toNODE_EXTRA_CA_CERTSand restart VSCode, for example:setx NODE_EXTRA_CA_CERTS "C:\ZscalerRootCA.crt" -
If getting the error
tls: failed to verify certificate: x509: certificate signed by unknown authoritywhen building a container image, make sure to add the CA of the proxy topodman, for example:Get-Content .\.certs\ZscalerRootCA.crt -Raw | podman machine ssh "sudo mkdir -p /etc/pki/ca-trust/source/anchors && cat | sudo tee /etc/pki/ca-trust/source/anchors/ZscalerRootCA.crt > /dev/null && sudo update-ca-trust" -
Extending Rulesets with local filepath not refreshing when working on Spectral rulesets in VSCode. Force an update in Specs.Ruleset/main.yml when changing a file that is used as an extend.
License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
