Power Pages Web API – Full Explanation & CRUD Operations

A complete overview of how the Web API works in Power Pages, how to enable it, how security works, and how to perform Create, Read, Update, and Delete operations on Dataverse records.

What Is the Power Pages Web API?

The Power Pages Web API allows you to interact with Dataverse data directly from your website using JavaScript or other client-side code. It works similarly to standard REST APIs and supports Create, Read, Update, and Delete (CRUD) operations.

It enables developers to build modern, interactive, dynamic features in Power Pages without relying only on out-of-the-box forms and lists. Web API calls run in the logged-in user's context and respect Dataverse permissions.

Key Capabilities

  • Perform CRUD operations on Dataverse tables
  • Build custom UI components with real-time data
  • Use JavaScript on pages to fetch or update data
  • Securely interact with Dataverse using the logged-in user context

Requirements to Use the Web API

To use Web API in Power Pages, the following must be configured:

  • Web API must be enabled using Site Settings
  • Each table must explicitly allow Web API access
  • Fields must be whitelisted for API access
  • The user must have proper Table Permissions
  • A valid CSRF token must be added to requests

Important Site Settings

  • Webapi/Enabled = true
  • Webapi/tablename/enabled = true
  • Webapi/tablename/fields → List of allowed fields
  • Webapi/error/innererror → Optional for debugging

How Security Works

Web API calls follow the same security model as Power Pages:

  • The logged-in user's Web Roles determine access
  • Table Permissions control which CRUD operations are allowed
  • CSRF tokens protect the API from forged cross-site requests
  • Anonymous users must be explicitly granted permissions

If a user does not have permission for a specific table or operation, the API request will fail even if the request itself is valid.

CRUD Operations Using the Web API

1. Create (POST)

Use POST to create new Dataverse records. The endpoint uses the table's plural name:

POST /_api/accounts
{
  "name": "New Account",
  "telephone1": "9876543210"
}
    

The response includes the record ID of the newly created row.

2. Read (GET)

Use GET to retrieve Dataverse data. You can retrieve all records or filter using OData:

GET /_api/accounts
GET /_api/accounts?$select=name,telephone1
GET /_api/accounts?$filter=name eq 'Contoso'
    

3. Update (PATCH)

To update a specific record, include its GUID in the URL:

PATCH /_api/accounts(00000000-1111-2222-3333-444444444444)
{
  "telephone1": "9999999999"
}
    

Only fields listed in the Web API fields configuration can be updated.

4. Delete (DELETE)

Use DELETE to remove a Dataverse record permanently:

DELETE /_api/accounts(00000000-1111-2222-3333-444444444444)
    

The table permission must explicitly allow Delete; otherwise, the API call will fail.

Important Notes & Best Practices

  • Always test CRUD actions as a user with correct Web Roles.
  • Use browser DevTools to debug API errors via the network tab.
  • Use table permissions to strictly control what anonymous users can do.
  • Enable only the fields you need - do not expose unnecessary fields.
  • Use PATCH instead of PUT for updates (Dataverse supports PATCH only).
  • Always include a valid CSRF token in the headers when sending POST, PATCH, or DELETE requests.
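
The CSRF token requirement and the four CRUD calls above, combined into one request wrapper. This is an added example, not code from the original post. It assumes the Power Pages runtime global `shell.getTokenDeferred()`, the `__RequestVerificationToken` request header, and the `entityid` response header, none of which appear on this page; `buildRequest`, `webApi` and the `deps` parameter are hypothetical names.

```javascript
// Added example; not from the original post. Assumes the Power Pages runtime
// global shell.getTokenDeferred() and the __RequestVerificationToken header.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const WRITE_METHODS = new Set(["POST", "PATCH", "DELETE"]);

// Pure builder: validates inputs and returns { url, options } for fetch().
function buildRequest(method, entitySet, { id, query, body, token } = {}) {
  const verb = method.toUpperCase();
  if (!/^[a-z0-9_]+$/i.test(entitySet)) throw new Error("invalid entity set name");
  if (id !== undefined && !GUID_RE.test(id)) throw new Error("record id must be a GUID");
  if ((verb === "PATCH" || verb === "DELETE") && id === undefined)
    throw new Error(verb + " needs a record id");
  let url = "/_api/" + entitySet + (id ? "(" + id + ")" : "");
  if (query) {
    // Keep OData keys such as $select readable; percent-encode only the values.
    url += "?" + Object.entries(query)
      .map(([k, v]) => k + "=" + encodeURIComponent(v)).join("&");
  }
  const headers = { Accept: "application/json" };
  if (WRITE_METHODS.has(verb)) {
    // Refuse to send a write without the anti-forgery token.
    if (!token) throw new Error("CSRF token required for " + verb);
    headers["__RequestVerificationToken"] = token;
  }
  const options = { method: verb, headers, credentials: "same-origin" };
  if (body !== undefined) {
    headers["Content-Type"] = "application/json";
    options.body = JSON.stringify(body);
  }
  return { url, options };
}

// Sends the request. deps.getToken and deps.fetch are hypothetical injection
// points so the wrapper can be exercised outside a portal page.
async function webApi(method, entitySet, opts = {}, deps = {}) {
  const verb = method.toUpperCase();
  const getToken = deps.getToken || (() => shell.getTokenDeferred());
  const doFetch = deps.fetch || fetch;
  const token = WRITE_METHODS.has(verb) ? await getToken() : undefined;
  const { url, options } = buildRequest(verb, entitySet, { ...opts, token });
  const res = await doFetch(url, options);
  if (!res.ok) {
    // Fails here when table permissions or the field list reject the call.
    throw new Error("Web API " + verb + " " + url + " -> " + res.status + ": " + (await res.text()));
  }
  if (verb === "POST") return { id: res.headers.get("entityid") }; // new record id
  return res.status === 204 ? null : res.json();
}
```

On a portal page, `await webApi("PATCH", "accounts", { id: recordId, body: { telephone1: "9999999999" } })` fetches the token and sends the update; a record id that is not a GUID is rejected before any request leaves the browser.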
