Who it’s for
WebCorporativa API is designed for development teams building internal web applications that need:
- A centralized auth layer with short-lived JWT tokens
- Fine-grained, per-module permissions attached to user profiles
- A dynamic navigation menu driven by what each profile is permitted to access
- User avatar storage without managing your own file infrastructure
Architecture overview
The API is a single ASP.NET Core service backed by the following components:
ASP.NET Core + EF Core
The API runtime and ORM layer. All business logic and data access live here.
SQL Server
Primary data store for users, profiles, modules, and permission assignments.
ASP.NET Core Identity
Manages user accounts, password hashing, and credential validation.
Cloudinary
Stores and transforms user avatars. Images are accepted as Base64 and automatically resized to 200×200 px.
Cloudflare Turnstile
Validates a captcha token on every login request to block automated credential attacks.
JWT Bearer tokens
Stateless authentication. Tokens expire after 30 minutes and must be included in every protected request.
Key capabilities
JWT authentication
Every request to a protected endpoint must include an Authorization: Bearer <token> header. Tokens are issued by POST /api/Auth after validating credentials and a Cloudflare Turnstile captcha token. Tokens expire after 30 minutes; your client must re-authenticate to obtain a new one.
Role-based access control (RBAC)
Permissions in WebCorporativa are not flat roles — they are per-module permission sets attached to a profile. Each permission set controls five actions:

| Action | Description |
|---|---|
| agregar | Create new records |
| editar | Modify existing records |
| eliminar | Delete records |
| consultar | List or search records |
| detalle | Retrieve a single record |
Profiles
A profile groups a set of module permissions. You assign a profile to one or more users. Profiles are managed through the /api/Perfil endpoints.
Modules
Modules represent discrete sections of your application (for example, a reporting section or an admin panel). You define modules through the /api/Modulo endpoints, then grant or revoke per-action permissions on those modules per profile.
Dynamic menu
GET /api/Menu returns the list of modules the authenticated user’s profile has access to. Your frontend can use this response to render navigation without hard-coding any access rules on the client.
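The permission model described above, as an added example (not code from the WebCorporativa project): a default-deny check over per-module permission sets, and a menu derived from the same data. The profile object shape, the names `can` and `menuFor`, the sample modules, and the rule that a module is listed when at least one action is granted are assumptions made for illustration.

```javascript
// Added illustration of the per-module permission scheme; not the project's code.
// The data shape and the function names can() and menuFor() are hypothetical.
const ACTIONS = Object.freeze(["agregar", "editar", "eliminar", "consultar", "detalle"]);

// Own-property test, so inherited keys such as "toString" never count as grants.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Constructed sample profile: module name -> permission set (one flag per action).
const auditorProfile = {
  name: "Auditor",
  modules: {
    reportes: { agregar: false, editar: false, eliminar: false, consultar: true, detalle: true },
    usuarios: { agregar: false, editar: false, eliminar: false, consultar: false, detalle: false },
    // Incomplete set: flags that are absent are treated as denied.
    facturas: { consultar: true },
  },
};

// Default deny: only an explicit boolean true, on a known action of a module
// that the profile actually lists, grants access.
function can(profile, moduleName, action) {
  if (!ACTIONS.includes(action)) return false;                  // unknown action
  const modules = profile && profile.modules;
  if (!modules || !has(modules, moduleName)) return false;      // unknown module
  const set = modules[moduleName];
  return set != null && has(set, action) && set[action] === true;
}

// The menu is a projection of the same permission data, not a separate rule set.
// Assumption: a module is listed when at least one of the five actions is granted.
function menuFor(profile) {
  return Object.keys(profile.modules)
    .filter((m) => ACTIONS.some((a) => can(profile, m, a)))
    .sort();
}
```

A frontend can use a check like this to decide which controls to render; the API still has to apply the same decision on every protected request.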
Image uploads
User avatars are submitted as Base64-encoded strings and stored in Cloudinary. The API handles the upload and stores the resulting URL on the user record. The maximum request body size is 10 MB.
Cloudinary credentials are optional at startup. If they are not configured, image upload requests will fail, but all other API functionality works normally. See Configuration for details.
Next steps
Quickstart
Make your first authenticated API call in under five minutes.
Configuration
Set the environment variables the API needs at runtime.
Authentication
Understand how JWT tokens and permissions work together.
API Reference
Browse every endpoint with request and response details.