GB.
Back to Articles
2025-04-178 min read

Model Binding & Validation Flow in Web API

#.NET#Model Binding#Web API#ASP.NET Core#Validation#Serialization#API Development

Model Binding vs Validation vs Serialization in ASP.NET Core

One of the most confusing topics for ASP.NET Core developers is understanding the difference between model binding, validation, and serialization. Many mix these three concepts and end up facing null values, unexpected 400 errors, and difficult-to-debug APIs.

This guide explains each part clearly with real examples and practical insights.

1. Model Binding: How Data Enters Your API

Model binding is the process of converting HTTP request data into C# objects.

Example

POST /api/users
Content-Type: application/json
{
  "name": "Bihaan",
  "age": 25,
  "email": "bihaan@example.com"
}

[HttpPost]
public IActionResult CreateUser(UserDto dto)
{
    return Ok(dto);
}

public class UserDto
{
    public string Name { get; set; }
    public int Age { get; set; }
    public string Email { get; set; }
}

ASP.NET Core reads the JSON from the request body, converts it into the UserDto object, and passes it to your action method.

Model binding can source data from:

  • Route values ([FromRoute])
  • Query string ([FromQuery])
  • Request body ([FromBody])
  • Form data ([FromForm])

Important rule: When a request body is present for complex types, it takes full priority. Other sources like query strings are ignored.

What happens in this request?

httpPOST /api/users?name=Syams
Content-Type: application/json
{
  "name": "Syams"
}

The Name property becomes "Syams". The query string value is ignored because the body takes precedence.

Hidden behavior:

httpPOST /api/users?name=bihaan
{
  "age": 25
}

The Name property becomes null. Once body binding starts, there is no automatic fallback to query string values.

2. Validation: Checking the Data

After model binding completes successfully, validation runs to check whether the data meets your rules. Example with Data Annotations

{
    [Required]
    public string Name { get; set; }

    [Range(18, 60)]
    public int Age { get; set; }

    [EmailAddress]
    public string Email { get; set; }
}

Consider this request:

httpPOST /api/users
{
  "age": 25
}

Model binding succeeds (Name becomes null), but validation fails due to the [Required] attribute.

When you use the [ApiController] attribute on your controller, ASP.NET Core automatically returns a 400 Bad Request response with validation errors. The controller action is not executed.

Without [ApiController], you must manually check ModelState.IsValid in your action.

3. Serialization: Sending Data Back

Serialization happens when you return an object from your controller. It converts the C# object into JSON for the HTTP response.

Example:

[HttpGet]
public IActionResult GetUser()
{
    var user = new UserDto
    {
        Name = "Bihaan",
        Age = 25,
        Email = "bihaan@example.com"
    };
    return Ok(user);
}

The response will be:

JSON{
  "name": "Bihaan",
  "age": 25,
  "email": "bihaan@example.com"
}

Serialization uses System.Text.Json by default and only affects the output. It has no impact on how data is bound from incoming requests.

You can control serialization behavior using attributes like [JsonIgnore] or by configuring options in Program.cs.

Common Bug: Binding Failure vs Validation

Many developers confuse binding failures with validation errors.

httpPOST /api/users
{
  "name": 123
}

Even though the JSON looks almost correct, this request results in a 400 Bad Request. The error occurs because model binding fails - it cannot convert the number 123 into a string property.

This is not a validation error. It is a deserialization failure during model binding.

The Complete Pipeline

  1. HTTP Request arrives
  2. Model Binding builds the C# object
  3. Validation checks the rules
  4. Controller action executes (if binding and validation succeed)
  5. Serialization converts the object to JSON
  6. HTTP Response is sent

Pro Tips for Better APIs

  • Always examine ModelState errors when debugging 400 responses
  • Treat binding failures and validation failures separately
  • Use [FromBody] explicitly when you want body-only binding
  • Test your APIs with incorrect data types, not just missing fields
  • Log detailed model binding errors during development

Summary

Model Binding builds the object from the incoming request.

Validation checks whether the data is correct according to your rules.

Serialization converts objects to JSON for the response.

Understanding this sequence helps you avoid null values, debug 400 errors faster, and build more predictable APIs.

Next time your API returns a 400 status, ask yourself:

Did the model binding fail, or did validation fail?

Answering this single question can save hours of debugging time.

Happy coding!

Read Next
2025-03-11

Understanding CORS in Modern Web APIs

#CORS#Web API#.NET

Enjoyed this article? Share it with your network!

More Articles