Swagger and OpenAPI — Complete Guide

What is Swagger?

Swagger is a set of tools built around the OpenAPI Specification — an industry standard for describing REST APIs in a machine-readable format (JSON/YAML). In .NET, the Swashbuckle library reads your ASP.NET Core code and automatically generates interactive API documentation at /swagger.

OpenAPI = the specification standard. Swagger = the toolset. Swashbuckle = the .NET library that generates both.

Why Use Swagger?

Without Swagger, you'd need to manually write API documentation in Word or Notion — which gets outdated the moment code changes. Swagger auto-generates documentation directly from your code — always accurate, always current. It also gives every API endpoint a "Try it out" button to test directly in the browser.

Where is it Used?

Scenario	Use
Development testing	✅ Test endpoints without Postman
API documentation	✅ Auto-generated, always up-to-date
Client SDK generation	✅ Generate TypeScript/Angular clients from spec
API gateway configuration	✅ Import OpenAPI spec to Azure API Management
Onboarding new developers	✅ Self-documenting API

Key Benefits

Zero maintenance docs — generated from code, never goes stale
Interactive UI — try every endpoint in the browser
JWT auth support — add Bearer token once, test all protected endpoints
OpenAPI JSON — machine-readable spec for tooling, code generation
Free — Swashbuckle package is open source
Industry standard — every enterprise .NET API uses it

Swagger generates interactive API documentation automatically from your ASP.NET Core code.

Install

dotnet add package Swashbuckle.AspNetCore

Basic Setup

// Program.cs
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(options =>
{
    options.SwaggerDoc("v1", new OpenApiInfo
    {
        Title       = "School Management API",
        Version     = "v1",
        Description = "REST API for School Management System — students, teachers, exams, fees.",
        Contact     = new OpenApiContact
        {
            Name  = "NexCoding",
            Email = "info@nexcoding.in",
            Url   = new Uri("https://nexcoding.in")
        }
    });
});

var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI(c =>
    {
        c.SwaggerEndpoint("/swagger/v1/swagger.json", "School Management API v1");
        c.RoutePrefix = "swagger";    // access at /swagger
        c.DocumentTitle = "School Management API";
    });
}

Access at: http://localhost:5001/swagger

Add JWT Bearer Auth to Swagger UI

builder.Services.AddSwaggerGen(options =>
{
    options.SwaggerDoc("v1", new OpenApiInfo { Title = "School Management API", Version = "v1" });

    options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
    {
        Name         = "Authorization",
        Type         = SecuritySchemeType.Http,
        Scheme       = "Bearer",
        BearerFormat = "JWT",
        In           = ParameterLocation.Header,
        Description  = "Enter JWT token from /api/auth/login"
    });

    options.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }
            },
            Array.Empty<string>()
        }
    });
});

Swagger UI now shows Authorize button. Enter token → all requests include it.

Document Controllers with XML Comments

Enable in .csproj:

<PropertyGroup>
    <GenerateDocumentationFile>true</GenerateDocumentationFile>
    <NoWarn>$(NoWarn);1591</NoWarn>
</PropertyGroup>

Add to Swagger setup:

var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
options.IncludeXmlComments(xmlPath);

Use in controller:

/// <summary>Get all students with optional filtering.</summary>
/// <param name="className">Filter by class (10th, 11th, 12th)</param>
/// <returns>List of students</returns>
/// <response code="200">Students retrieved successfully</response>
/// <response code="401">Unauthorized</response>
[HttpGet]
[ProducesResponseType(typeof(List<StudentDto>), 200)]
[ProducesResponseType(401)]
public async Task<IActionResult> GetAll([FromQuery] string? className) { ... }

Swagger UI Shortcuts

Action	Shortcut / Step
Expand endpoint	Click on endpoint row
Try it out	Click Try it out button
Send request	Fill params → click Execute
Authorize	Click Authorize (lock icon)
Copy curl	Click Copy under curl section
View schema	Scroll to Schemas section

OpenAPI JSON Spec

Swagger generates machine-readable spec at /swagger/v1/swagger.json:

{
  "openapi": "3.0.1",
  "info": { "title": "School Management API", "version": "v1" },
  "paths": {
    "/api/students": {
      "get": {
        "summary": "Get all students",
        "responses": { "200": { ... } }
      }
    }
  }
}

Import this into Postman, generate client SDKs, or use with API gateways.

Never Enable Swagger in Production

💻 Try It — Console App

💡 Paste into Program.cs and press F5⌥ GitHub

// CORRECT — only dev
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

// WRONG — exposes your entire API structure to attackers
app.UseSwagger();   // always on — security risk

Swagger Interview Questions

Q1: What is Swagger and what problem does it solve?

Swagger (OpenAPI) auto-generates interactive API documentation.
Developers can see all endpoints, try requests, see request/response schemas.
Without it: write documentation manually — gets outdated quickly.

Q2: What is the difference between Swagger, OpenAPI, and Swashbuckle?

OpenAPI    → The specification standard (JSON/YAML format)
Swagger    → Tools built around OpenAPI (UI, editor, codegen)
Swashbuckle → .NET library that generates OpenAPI from C# attributes/comments

Q3: Should Swagger be enabled in production?

NO. Swagger in production:
- Exposes full API structure to attackers
- Shows all endpoint parameters and schemas
- Can reveal internal implementation details
Always gate it: if (Environment.IsDevelopment())

Q4: How do you add JWT auth to Swagger UI?

AddSecurityDefinition("Bearer", ...) — define the scheme
AddSecurityRequirement(...) — apply to all operations
In Swagger UI: click Authorize → enter "Bearer {token}"

🤖Use AI to Learn Faster

Use ChatGPT, Claude, or Copilot to go deeper on Swagger OpenAPI ASP.NET Core. Try these prompts:

"How do I configure JWT Bearer authentication in Swagger UI for ASP.NET Core?"
"What is the difference between Swagger, OpenAPI, and Swashbuckle?"
"Why should Swagger be disabled in production and how do you do it?"
"Quiz me on Swagger — 5 interview questions about OpenAPI and Swashbuckle"

💡 Tip: After reading this article, paste your own code into AI and ask "What could go wrong here and why?" — fastest way to find edge cases and deepen understanding.

nexcoding.in

Have questions on your tech stack, ongoing projects, or need one-to-one training?

📧 info@nexcoding.in 💬 WhatsApp +91-9951510727 📸 Instagram — NexCoding ▶ YouTube — NexCoding 📢 WhatsApp Channel — Jobs & Tips

What is Swagger?​

Why Use Swagger?​

Where is it Used?​

Key Benefits​

Install​

Basic Setup​

Add JWT Bearer Auth to Swagger UI​

Document Controllers with XML Comments​

Swagger UI Shortcuts​

OpenAPI JSON Spec​

Never Enable Swagger in Production​

Swagger Interview Questions​