Using Fiddler/Postman with Power Pages APIs

Working with Power Pages APIs (especially when dealing with CRUD operations via the Web API) often requires testing and debugging using external tools like Fiddler and Postman. These tools help developers understand API behavior, test endpoints, and monitor traffic between the client and server. Below is a comprehensive guide on how to use both Fiddler and Postman effectively with Power Pages.


Table of Contents

  1. Introduction to Power Pages Web API
  2. Why Use Fiddler and Postman?
  3. Prerequisites
  4. Using Postman with Power Pages APIs
  5. Using Fiddler with Power Pages APIs
  6. Authenticating with Azure AD
  7. Common Use Cases
  8. Troubleshooting Tips
  9. Best Practices
  10. Summary
  11. Tags

1. Introduction to Power Pages Web API

Power Pages enables external users to interact with Dataverse tables through a secure Web API. The Power Pages Web API is OData-compliant and supports CRUD operations:

  • Create
  • Read
  • Update
  • Delete

It can be consumed from JavaScript, Power Automate, and external tools such as Postman and Fiddler.


2. Why Use Fiddler and Postman?

  • Postman: Great for testing and sending HTTP requests (GET, POST, PATCH, DELETE).
  • Fiddler: Ideal for intercepting, analyzing, and debugging API traffic.

These tools allow you to:

  • Inspect request/response headers
  • Debug error codes
  • Understand token-based authentication
  • Test security settings like Table Permissions

3. Prerequisites

Before you begin:

  • Power Pages site with Web API enabled
  • Table permissions configured for the entities you want to access
  • Authentication provider (e.g., Azure AD B2C or Entra ID)
  • A registered App in Azure AD with proper permissions

4. Using Postman with Power Pages APIs

Step 1: Set up Authentication

You need a bearer token (OAuth 2.0) from Azure AD. In Postman:

  1. Go to the Authorization tab
  2. Choose OAuth 2.0
  3. Click Get New Access Token

Fill in:

  • Token Name: PowerPagesToken
  • Grant Type: Authorization Code or Client Credentials (depending on setup)
  • Auth URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
  • Access Token URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
  • Client ID and Client Secret: From Azure App Registration
  • Scope: https://{org}.crm.dynamics.com/.default

Replace {tenant-id} and {org} with your own values.

Click Request Token, then Use Token.


Step 2: Send an API Request

Example: GET contacts

  • Method: GET
  • URL: https://yourportal.powerappsportals.com/_api/contacts
  • Headers:
    • Authorization: Bearer <access_token>
    • Accept: application/json
    • Content-Type: application/json

Step 3: Create or Update Records

To create a new record:

  • Method: POST
  • URL: https://yourportal.powerappsportals.com/_api/contacts
  • Body: { "firstname": "John", "lastname": "Doe", "emailaddress1": "john.doe@example.com" }

5. Using Fiddler with Power Pages APIs

What is Fiddler?

Fiddler is a proxy tool that allows you to capture HTTP/HTTPS traffic. It’s useful when debugging API calls made from within the browser or app.

Steps to Use Fiddler

  1. Install Fiddler Classic or Everywhere
  2. Launch Fiddler and enable HTTPS decryption
    • Tools > Options > HTTPS > Check “Decrypt HTTPS Traffic”
  3. Open your Power Pages site in a browser
  4. Perform actions that trigger API calls (e.g., form submit)
  5. In Fiddler:
    • Filter traffic by your site domain
    • Look for requests to paths like /_api/ or /_services/

What to Inspect

  • Request URL and method
  • Request headers (especially Authorization and Content-Type)
  • Response codes (200, 401, 403, 500)
  • Payload (JSON in request/response body)
  • Timing and latency
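
With HTTPS decryption enabled, a saved capture holds every bearer token and session cookie in clear text. The sketch below is an added example, not part of the original guide: it assumes the capture was exported in HAR (HTTPArchive) format, redacts credential headers before the file is shared, and lists the status codes of the /_api/ and /_services/ calls. The sample HAR, the function names and the inclusion of the __RequestVerificationToken anti-forgery header are choices made for this example.

```python
import copy
import json
from urllib.parse import urlsplit

# Headers whose values are credentials (assumed list for this example).
SENSITIVE = {"authorization", "cookie", "set-cookie", "__requestverificationtoken"}
API_PREFIXES = ("/_api/", "/_services/")  # paths the guide says to look for

def redact(header):
    """Blank a credential header in place, keeping only the auth scheme."""
    name = header["name"].lower()
    if name == "authorization":
        scheme, sep, _ = header["value"].partition(" ")
        header["value"] = f"{scheme} [REDACTED]" if sep else "[REDACTED]"
    elif name in SENSITIVE:
        header["value"] = "[REDACTED]"

def scrub_har(har):
    """Return (sanitized copy, [(method, path, status)] for API calls)."""
    clean = copy.deepcopy(har)  # never modify the original capture
    summary = []
    for entry in clean["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        for header in req.get("headers", []) + resp.get("headers", []):
            redact(header)
        req["cookies"], resp["cookies"] = [], []  # parsed cookie copies
        path = urlsplit(req["url"]).path
        if path.startswith(API_PREFIXES):
            summary.append((req["method"], path, resp["status"]))
    return clean, summary

# Constructed sample capture (not real traffic).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://yourportal.powerappsportals.com/_api/contacts",
                 "headers": [{"name": "Authorization", "value": "Bearer eyJ.constructed.token"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "session", "value": "constructed"}]},
     "response": {"status": 403, "cookies": [],
                  "headers": [{"name": "Set-Cookie", "value": "session=constructed"}]}},
    {"request": {"method": "GET", "url": "https://yourportal.powerappsportals.com/home",
                 "headers": [{"name": "Cookie", "value": "session=constructed"}], "cookies": []},
     "response": {"status": 200, "headers": [], "cookies": []}},
]}}

if __name__ == "__main__":
    clean, summary = scrub_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
    for method, path, status in summary:
        print(method, path, status)
```

Tokens can also appear in query strings and request bodies, which this example does not rewrite; review those fields before sharing a capture.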

6. Authenticating with Azure AD

To access Web API securely:

  • Register your app in Azure Portal
  • Provide necessary API permissions (Dynamics CRM)
  • Configure redirect URI (e.g., https://oauth.pstmn.io/v1/callback)
  • Obtain tokens using OAuth 2.0 flows (Auth Code is recommended)

Make sure users exist in Dataverse as contacts or users with appropriate web roles.


7. Common Use Cases

  • Test form submission APIs before going live
  • Automate data pushes with external integrations
  • Monitor issues in JavaScript-based API interactions
  • Debug permission errors (403)
  • Validate response structures for dynamic UI generation

8. Troubleshooting Tips

| Issue | Fix |
| --- | --- |
| 403 Forbidden | Check table permissions and web roles |
| 401 Unauthorized | Verify the bearer token and its validity |
| 500 Internal Server Error | Inspect request body and JSON format |
| Token fails in Postman | Check if client secret and redirect URI match |
| Web API path not working | Ensure Web API is enabled and URL is correct (/_api/) |
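
For the 401 Unauthorized case, the token's claims usually show the cause. The following is an added example, not part of the original guide: it decodes an access token locally, without verifying the signature and without sending it anywhere, and reports expiry and audience problems. The expected audience value (the resource URL behind the scope configured in Postman), the function names and the sample tokens are assumptions constructed for this example.

```python
import base64
import json
import time

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, expected_audience, now=None):
    """Return the reasons this token would likely be rejected with a 401."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # also covers base64 and JSON decode errors
        return [f"malformed token: {exc}"]
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if claims.get("nbf", 0) > now:
        problems.append("not yet valid")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience.rstrip("/") not in [str(a).rstrip("/") for a in audiences]:
        problems.append(f"audience mismatch: {aud!r}")
    return problems

def constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    audience = "https://example-org.crm.dynamics.com"  # placeholder org URL
    stale = constructed_token({"aud": "https://graph.microsoft.com",
                               "exp": int(time.time()) - 60})
    print(diagnose(stale, audience))
```

Treat the pasted token as a secret while testing: run the check locally rather than in an online decoder.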

9. Best Practices

  • Use Table Permissions and Web Roles strictly — never expose sensitive tables publicly.
  • Use Client Credential Flow for background/server tasks.
  • Log errors using Fiddler and Application Insights together.
  • Secure your API with HTTPS and IP filtering if needed.
  • Avoid hardcoding tokens in production scripts.
