Like web apps, the ASP.NET and ASP.NET Core web APIs are protected because their controller actions are prefixed with the [Authorize] attribute. The controller actions can be called only if the API is called with an authorized identity.
Consider the following questions:
- Only an app can call a web API. How does the API know the identity of the app that calls it?
- If the app calls the API on behalf of a user, what’s the user’s identity?
Read more here;
Idempotent method is the one that results in same behavior either in a single or mutiple calls. For example a delete method will delete a resource
and return 204 first time. on subsequent calls it will return 404. return codes has nothting to do with idempotent behavior but the fact is that
behavior of call will always be the same.
| Method | Safe | Idempotent |
| CONNECT | no | no |
| DELETE | no | yes |
| GET | yes | yes |
| HEAD | yes | yes |
| OPTIONS | yes | yes |
| POST | no | no |
| PUT | no | yes |
| TRACE | yes | yes |