Backend Web/REST API for JS Apps with Access Control Rights (Powered by EF Core)
Client-side JavaScript (JS) applications often need an easy-to-set-up, secure Web API backend for CRUD and custom operations against a database, together with authentication and authorization (role-based access control and permission management). To implement such functionality, you can use DevExpress .NET App Security & Web API Service. XAF's Solution Wizard includes a "1-Click" solution that creates ASP.NET Core Web/HTTP API services (exposed via OData and documented with Swagger/OpenAPI).

Benefits
- Powered by Entity Framework Core ORM (EF Core)
 DevExpress Web API Service uses EF Core to implement the CRUD operations your app requires.
- Multiple Authentication Strategies
 Your application's authentication can use the built-in OAuth2, JWT, and OpenID support, or a custom authentication scheme that you implement.
- IDE Integration
 If you work in Visual Studio 2022+ for Windows, the integrated Solution Wizard scaffolds the Web Service for you, which speeds up application development.
Basic functionality of DevExpress Web API Service is available for free. Additional capabilities and services listed below are available as part of the DevExpress Universal Subscription:
- Audit trail
- Endpoints to download reports and file attachments
- Data validation
- Localization endpoints that return translated captions for UI elements
- Technical support and full source code
Get Started: Add DevExpress Web API Service Functionality
Refer to the following articles to get started:
- Predefined Users, Roles, and Permissions: describes how to configure permissions for your ORM data models (EF Core entities).
- JavaScript (DevExtreme) Example: shows a client-side HTML/JavaScript CRUD app that uses the DevExtreme Data Grid and connects to an OData v4 web service (built with the ASP.NET Core Web API).
Authorization (Role-Based Access Control)
Web API Service apps ship with built-in role-based access control (RBAC), provided by the Security System module.
You can define permissions for object relationships, for individual objects (selected by criteria), and for individual members (columns). For example, you can allow a user to read the Name member but deny modification of the Salary member. The Security System API also lets you check a user's permissions at run time so that the UI can be adapted accordingly, for instance, to mask protected editors or disable menu commands. Treat such UI adjustments as usability measures rather than as the security boundary: a browser-side app is under its user's control, so permissions must be enforced on the server, in the Web API Service itself, for every request, whatever the client shows or sends.
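The following is an added example, not code from this page, from the XAF project templates, or from the Web API Service itself. It shows how the type-, member-, and object-level permissions described above (and in the "Predefined Users, Roles, and Permissions" article referenced earlier) can be seeded from a ModuleUpdater: a role that may read and write Employee objects, may never modify the Salary member, and may delete only archived employees. It assumes a hypothetical EF Core entity `Employee` with `Name`, `Salary`, and `IsArchived` members, hypothetical role and user names, and the XAF EF Core security types (`ApplicationUser`, `PermissionPolicyRole`) with the permission extension methods `AddTypePermissionsRecursively`, `AddMemberPermission`, and `AddObjectPermissionFromLambda`.

```csharp
// Added example (not DevExpress page or XAF template code).
// Assumptions: an EF Core business object `Employee` with `Name`, `Salary` and
// `IsArchived` members, the role name "HR Viewer", the user name "HrViewer", and
// the standard XAF EF Core security types and permission extension methods.
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.ExpressApp.Updating;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl.EF;
using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy;

namespace MyCompany.Module.DatabaseUpdate {
    public class Updater : ModuleUpdater {
        public Updater(IObjectSpace objectSpace, Version currentDBVersion)
            : base(objectSpace, currentDBVersion) { }

        public override void UpdateDatabaseAfterUpdateSchema() {
            base.UpdateDatabaseAfterUpdateSchema();
            PermissionPolicyRole hrViewerRole = CreateHrViewerRole();

            // Seed a demo account that carries only the restricted role.
            ApplicationUser viewer = ObjectSpace.FirstOrDefault<ApplicationUser>(u => u.UserName == "HrViewer");
            if (viewer == null) {
                viewer = ObjectSpace.CreateObject<ApplicationUser>();
                viewer.UserName = "HrViewer";
                // Placeholder password for a seeded demo account (assumption): in a real
                // deployment, take it from a secret store or force a change on first logon.
                viewer.SetPassword("ChangeMe!1");
                ObjectSpace.CommitChanges();
                ((ISecurityUserWithLoginInfo)viewer).CreateUserLoginInfo(
                    SecurityDefaults.PasswordAuthentication, ObjectSpace.GetKeyValueAsString(viewer));
            }
            if (!viewer.Roles.Contains(hrViewerRole)) {
                viewer.Roles.Add(hrViewerRole);
            }
            ObjectSpace.CommitChanges();
        }

        private PermissionPolicyRole CreateHrViewerRole() {
            PermissionPolicyRole role = ObjectSpace.FirstOrDefault<PermissionPolicyRole>(r => r.Name == "HR Viewer");
            if (role != null) {
                return role;
            }
            role = ObjectSpace.CreateObject<PermissionPolicyRole>();
            role.Name = "HR Viewer";

            // Type level: read and write Employee objects. Create and Delete are not
            // granted here, so they stay denied unless another permission allows them.
            role.AddTypePermissionsRecursively<Employee>(SecurityOperations.ReadWriteAccess, SecurityPermissionState.Allow);

            // Member level: Name remains readable and writable through the type permission,
            // while writes to Salary are explicitly denied. The member-level Deny takes
            // priority over the type-level Allow, so a write to Salary is rejected on the
            // server no matter what the JS client sends.
            role.AddMemberPermission<Employee>(SecurityOperations.Write, "Salary", null, SecurityPermissionState.Deny);

            // Object level: deletion is allowed only for employees already marked archived
            // (criteria evaluated per object on the server).
            role.AddObjectPermissionFromLambda<Employee>(SecurityOperations.Delete, e => e.IsArchived, SecurityPermissionState.Allow);
            return role;
        }
    }
}
```

The role is stored with the Security System and evaluated inside the Web API Service, so it applies to every path to the data, including the OData CRUD endpoints a DevExtreme grid calls; hiding or masking the Salary column on the client only changes what the grid displays.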
If you have technical questions, please create a support ticket in the DevExpress Support Center.