Azure
diff --git a/‎src/Core/Resolvers/SqlMutationEngine.cs‎
Lines changed: 78 additions & 0 deletions b/‎src/Core/Resolvers/SqlMutationEngine.cs‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎src/Core/Services/OpenAPI/OpenApiDocumentor.cs‎
Lines changed: 26 additions & 0 deletions b/‎src/Core/Services/OpenAPI/OpenApiDocumentor.cs‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎src/Core/Services/RequestValidator.cs‎
Lines changed: 42 additions & 7 deletions b/‎src/Core/Services/RequestValidator.cs‎
Lines changed: 42 additions & 7 deletions
diff --git a/‎src/Core/Services/RestService.cs‎
Lines changed: 28 additions & 11 deletions b/‎src/Core/Services/RestService.cs‎
Lines changed: 28 additions & 11 deletions
diff --git a/‎src/Service.Tests/OpenApiDocumentor/DocumentVerbosityTests.cs‎
Lines changed: 6 additions & 6 deletions b/‎src/Service.Tests/OpenApiDocumentor/DocumentVerbosityTests.cs‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎src/Service.Tests/OpenApiDocumentor/ParameterValidationTests.cs‎
Lines changed: 7 additions & 2 deletions b/‎src/Service.Tests/OpenApiDocumentor/ParameterValidationTests.cs‎
Lines changed: 7 additions & 2 deletions
@@ -541,6 +541,84 @@ await queryExecutor.ExecuteQueryAsync(
                 {
                     if (context.OperationType is EntityActionOperation.Upsert || context.OperationType is EntityActionOperation.UpsertIncremental)
                     {
+                        // When no primary key values are provided (empty PrimaryKeyValuePairs),
+                        // there is no row to look up for update. The upsert degenerates to a
+                        // pure INSERT - execute it via the insert path so the mutation engine
+                        // generates a correct INSERT statement instead of an UPDATE with an
+                        // empty WHERE clause (WHERE 1 = 1) that would match every row.
+                        if (context.PrimaryKeyValuePairs.Count == 0)
+                        {
+                            DbResultSetRow? insertResultRow = null;
+
+                            try
+                            {
+                                using (TransactionScope transactionScope = ConstructTransactionScopeBasedOnDbType(sqlMetadataProvider))
+                                {
+                                    insertResultRow =
+                                        await PerformMutationOperation(
+                                            entityName: context.EntityName,
+                                            operationType: EntityActionOperation.Insert,
+                                            parameters: parameters,
+                                            sqlMetadataProvider: sqlMetadataProvider);
+
+                                    if (insertResultRow is null)
+                                    {
+                                        throw new DataApiBuilderException(
+                                            message: "An unexpected error occurred while trying to execute the query.",
+                                            statusCode: HttpStatusCode.InternalServerError,
+                                            subStatusCode: DataApiBuilderException.SubStatusCodes.UnexpectedError);
+                                    }
+
+                                    if (insertResultRow.Columns.Count == 0)
+                                    {
+                                        throw new DataApiBuilderException(
+                                            message: "Could not insert row with given values.",
+                                            statusCode: HttpStatusCode.Forbidden,
+                                            subStatusCode: DataApiBuilderException.SubStatusCodes.DatabasePolicyFailure);
+                                    }
+
+                                    if (isDatabasePolicyDefinedForReadAction)
+                                    {
+                                        FindRequestContext findRequestContext = ConstructFindRequestContext(context, insertResultRow, roleName, sqlMetadataProvider);
+                                        IQueryEngine queryEngine = _queryEngineFactory.GetQueryEngine(sqlMetadataProvider.GetDatabaseType());
+                                        selectOperationResponse = await queryEngine.ExecuteAsync(findRequestContext);
+                                    }
+
+                                    transactionScope.Complete();
+                                }
+                            }
+                            catch (TransactionException)
+                            {
+                                throw _dabExceptionWithTransactionErrorMessage;
+                            }
+
+                            if (isReadPermissionConfiguredForRole && !isDatabasePolicyDefinedForReadAction)
+                            {
+                                IEnumerable<string> allowedExposedColumns = _authorizationResolver.GetAllowedExposedColumns(context.EntityName, roleName, EntityActionOperation.Read);
+                                foreach (string columnInResponse in insertResultRow.Columns.Keys)
+                                {
+                                    if (!allowedExposedColumns.Contains(columnInResponse))
+                                    {
+                                        insertResultRow.Columns.Remove(columnInResponse);
+                                    }
+                                }
+                            }
+
+                            string pkRouteForLocationHeader = isReadPermissionConfiguredForRole
+                                ? SqlResponseHelpers.ConstructPrimaryKeyRoute(context, insertResultRow.Columns, sqlMetadataProvider)
+                                : string.Empty;
+
+                            return SqlResponseHelpers.ConstructCreatedResultResponse(
+                                insertResultRow.Columns,
+                                selectOperationResponse,
+                                pkRouteForLocationHeader,
+                                isReadPermissionConfiguredForRole,
+                                isDatabasePolicyDefinedForReadAction,
+                                context.OperationType,
+                                GetBaseRouteFromConfig(_runtimeConfigProvider.GetConfig()),
+                                GetHttpContext());
+                        }
+
                         DbResultSet? upsertOperationResult;
                         DbResultSetRow upsertOperationResultSetRow;
 
 
@@ -43,6 +43,7 @@ public class OpenApiDocumentor : IOpenApiDocumentor
         private const string GETONE_DESCRIPTION = "Returns an entity.";
         private const string POST_DESCRIPTION = "Create entity.";
         private const string PUT_DESCRIPTION = "Replace or create entity.";
+        private const string PUT_PATCH_KEYLESS_DESCRIPTION = "Create entity (keyless). For entities with auto-generated primary keys, creates a new record without requiring the key in the URL.";
         private const string PATCH_DESCRIPTION = "Update or create entity.";
         private const string DELETE_DESCRIPTION = "Delete entity.";
         private const string SP_EXECUTE_DESCRIPTION = "Executes a stored procedure.";
@@ -502,6 +503,31 @@ private Dictionary<OperationType, OpenApiOperation> CreateOperations(
                     openApiPathItemOperations.Add(OperationType.Post, postOperation);
                 }
 
+                // For entities with auto-generated primary keys, add keyless PUT and PATCH operations.
+                // These routes allow creating records without specifying the primary key in the URL,
+                // which is useful for entities with identity/auto-generated keys.
+                if (DoesSourceContainAutogeneratedPrimaryKey(sourceDefinition))
+                {
+                    string keylessBodySchemaReferenceId = $"{entityName}_NoAutoPK";
+                    bool keylessRequestBodyRequired = IsRequestBodyRequired(sourceDefinition, considerPrimaryKeys: true);
+
+                    if (configuredRestOperations[OperationType.Put])
+                    {
+                        OpenApiOperation putKeylessOperation = CreateBaseOperation(description: PUT_PATCH_KEYLESS_DESCRIPTION, tags: tags);
+                        putKeylessOperation.RequestBody = CreateOpenApiRequestBodyPayload(keylessBodySchemaReferenceId, keylessRequestBodyRequired);
+                        putKeylessOperation.Responses.Add(HttpStatusCode.Created.ToString("D"), CreateOpenApiResponse(description: nameof(HttpStatusCode.Created), responseObjectSchemaName: entityName));
+                        openApiPathItemOperations.Add(OperationType.Put, putKeylessOperation);
+                    }
+
+                    if (configuredRestOperations[OperationType.Patch])
+                    {
+                        OpenApiOperation patchKeylessOperation = CreateBaseOperation(description: PUT_PATCH_KEYLESS_DESCRIPTION, tags: tags);
+                        patchKeylessOperation.RequestBody = CreateOpenApiRequestBodyPayload(keylessBodySchemaReferenceId, keylessRequestBodyRequired);
+                        patchKeylessOperation.Responses.Add(HttpStatusCode.Created.ToString("D"), CreateOpenApiResponse(description: nameof(HttpStatusCode.Created), responseObjectSchemaName: entityName));
+                        openApiPathItemOperations.Add(OperationType.Patch, patchKeylessOperation);
+                    }
+                }
+
                 return openApiPathItemOperations;
             }
         }
 
@@ -348,8 +348,12 @@ public void ValidateInsertRequestContext(InsertRequestContext insertRequestCtx)
         /// and vice versa.
         /// </summary>
         /// <param name="upsertRequestCtx">Upsert Request context containing the request body.</param>
+        /// <param name="primaryKeyInUrl">When true the primary key was provided in the URL route
+        /// and PK columns in the body are skipped (original behaviour). When false the primary key
+        /// is expected in the request body, so non-auto-generated PK columns must be present and
+        /// the full composite key (if applicable) must be supplied.</param>
         /// <exception cref="DataApiBuilderException"></exception>
-        public void ValidateUpsertRequestContext(UpsertRequestContext upsertRequestCtx)
+        public void ValidateUpsertRequestContext(UpsertRequestContext upsertRequestCtx, bool isPrimaryKeyInUrl = true)
         {
             ISqlMetadataProvider sqlMetadataProvider = GetSqlMetadataProvider(upsertRequestCtx.EntityName);
             IEnumerable<string> fieldsInRequestBody = upsertRequestCtx.FieldValuePairsInBody.Keys;
@@ -385,13 +389,45 @@ public void ValidateUpsertRequestContext(UpsertRequestContext upsertRequestCtx)
                     unValidatedFields.Remove(exposedName!);
                 }
 
-                // Primary Key(s) should not be present in the request body. We do not fail a request
-                // if a PK is autogenerated here, because an UPSERT request may only need to update a
-                // record. If an insert occurs on a table with autogenerated primary key,
-                // a database error will be returned.
+                // When the primary key is provided in the URL route, skip PK columns in body validation.
+                // When the primary key is NOT in the URL (body-based PK), we need to validate that
+                // all non-auto-generated PK columns are present in the body to form a complete key.
                 if (sourceDefinition.PrimaryKey.Contains(column.Key))
                 {
-                    continue;
+                    if (isPrimaryKeyInUrl)
+                    {
+                        continue;
+                    }
+                    else
+                    {
+                        // Body-based PK: non-auto-generated PK columns MUST be present.
+                        // Auto-generated PK columns are skipped  they cannot be supplied by the caller.
+                        if (column.Value.IsAutoGenerated)
+                        {
+                            continue;
+                        }
+
+                        if (!fieldsInRequestBody.Contains(exposedName))
+                        {
+                            throw new DataApiBuilderException(
+                                message: $"Invalid request body. Missing field in body: {exposedName}.",
+                                statusCode: HttpStatusCode.BadRequest,
+                                subStatusCode: DataApiBuilderException.SubStatusCodes.BadRequest);
+                        }
+
+                        // PK value must not be null for non-nullable PK columns.
+                        if (!column.Value.IsNullable &&
+                            upsertRequestCtx.FieldValuePairsInBody[exposedName!] is null)
+                        {
+                            throw new DataApiBuilderException(
+                                message: $"Invalid value for field {exposedName} in request body.",
+                                statusCode: HttpStatusCode.BadRequest,
+                                subStatusCode: DataApiBuilderException.SubStatusCodes.BadRequest);
+                        }
+
+                        unValidatedFields.Remove(exposedName!);
+                        continue;
+                    }
                 }
 
                 // Request body must have value defined for included non-nullable columns
@@ -488,7 +524,6 @@ public void ValidateEntity(string entityName)
         /// Tries to get the table definition for the given entity from the Metadata provider.
         /// </summary>
         /// <param name="entityName">Target entity name.</param>
-        /// enables referencing DB schema.</param>
         /// <exception cref="DataApiBuilderException"></exception>
 
         private static SourceDefinition TryGetSourceDefinition(string entityName, ISqlMetadataProvider sqlMetadataProvider)
 
@@ -70,24 +70,25 @@ RequestValidator requestValidator
             ISqlMetadataProvider sqlMetadataProvider = _sqlMetadataProviderFactory.GetMetadataProvider(dataSourceName);
             DatabaseObject dbObject = sqlMetadataProvider.EntityToDatabaseObject[entityName];
 
-            if (dbObject.SourceType is not EntitySourceType.StoredProcedure)
-            {
-                await AuthorizationCheckForRequirementAsync(resource: entityName, requirement: new EntityRoleOperationPermissionsRequirement());
-            }
-            else
-            {
-                await AuthorizationCheckForRequirementAsync(resource: entityName, requirement: new StoredProcedurePermissionsRequirement());
-            }
-
             QueryString? query = GetHttpContext().Request.QueryString;
             string queryString = query is null ? string.Empty : GetHttpContext().Request.QueryString.ToString();
 
+            // Read the request body early so it can be used for downstream processing.
             string requestBody = string.Empty;
             using (StreamReader reader = new(GetHttpContext().Request.Body))
             {
                 requestBody = await reader.ReadToEndAsync();
             }
 
+            if (dbObject.SourceType is not EntitySourceType.StoredProcedure)
+            {
+                await AuthorizationCheckForRequirementAsync(resource: entityName, requirement: new EntityRoleOperationPermissionsRequirement());
+            }
+            else
+            {
+                await AuthorizationCheckForRequirementAsync(resource: entityName, requirement: new StoredProcedurePermissionsRequirement());
+            }
+
             RestRequestContext context;
 
             // If request has resolved to a stored procedure entity, initialize and validate appropriate request context
@@ -144,7 +145,21 @@ RequestValidator requestValidator
                     case EntityActionOperation.UpdateIncremental:
                     case EntityActionOperation.Upsert:
                     case EntityActionOperation.UpsertIncremental:
-                        RequestValidator.ValidatePrimaryKeyRouteAndQueryStringInURL(operationType, primaryKeyRoute);
+                        // For Upsert/UpsertIncremental, a keyless URL is allowed. When the
+                        // primary key route is absent, ValidateUpsertRequestContext checks that
+                        // the body contains all non-auto-generated PK columns so the mutation
+                        // engine can resolve the target row (or insert a new one).
+                        // Update/UpdateIncremental always require the PK in the URL.
+                        if (!string.IsNullOrEmpty(primaryKeyRoute))
+                        {
+                            RequestValidator.ValidatePrimaryKeyRouteAndQueryStringInURL(operationType, primaryKeyRoute);
+                        }
+                        else if (operationType is not EntityActionOperation.Upsert and
+                                 not EntityActionOperation.UpsertIncremental)
+                        {
+                            RequestValidator.ValidatePrimaryKeyRouteAndQueryStringInURL(operationType, primaryKeyRoute);
+                        }
+
                         JsonElement upsertPayloadRoot = RequestValidator.ValidateAndParseRequestBody(requestBody);
                         context = new UpsertRequestContext(
                             entityName,
@@ -153,7 +168,9 @@ RequestValidator requestValidator
                             operationType);
                         if (context.DatabaseObject.SourceType is EntitySourceType.Table)
                         {
-                            _requestValidator.ValidateUpsertRequestContext((UpsertRequestContext)context);
+                            _requestValidator.ValidateUpsertRequestContext(
+                                (UpsertRequestContext)context,
+                                isPrimaryKeyInUrl: !string.IsNullOrEmpty(primaryKeyRoute));
                         }
 
                         break;
 
@@ -23,7 +23,7 @@ public class DocumentVerbosityTests
         private const string UNEXPECTED_CONTENTS_ERROR = "Unexpected number of response objects to validate.";
 
         /// <summary>
-        /// Validates that for the Book entity, 7 response object schemas generated by OpenApiDocumentor
+        /// Validates that for the Book entity, 9 response object schemas generated by OpenApiDocumentor
         /// contain a 'type' property with value 'object'.
         /// 
         /// Two paths:
@@ -32,9 +32,9 @@ public class DocumentVerbosityTests
         ///             - Validate responses that return result contents:
         ///               GET (200), PUT (200, 201), PATCH (200, 201)
         ///     - "/Books"
-        ///         - 2 operations GET(all) POST
+        ///         - 4 operations GET(all) POST PUT(keyless) PATCH(keyless)
         ///             - Validate responses that return result contents:
-        ///               GET (200), POST (201)
+        ///               GET (200), POST (201), PUT keyless (201), PATCH keyless (201)
         /// </summary>
         [TestMethod]
         public async Task ResponseObjectSchemaIncludesTypeProperty()
@@ -71,10 +71,10 @@ public async Task ResponseObjectSchemaIncludesTypeProperty()
                 .Select(pair => pair.Value)
                 .ToList();
 
-            // Validate that 7 response object schemas contain a 'type' property with value 'object'
-            // Test summary describes all 7 expected responses.
+            // Validate that 9 response object schemas contain a 'type' property with value 'object'
+            // Test summary describes all 9 expected responses.
             Assert.IsTrue(
-                condition: responses.Count == 7,
+                condition: responses.Count == 9,
                 message: UNEXPECTED_CONTENTS_ERROR);
 
             foreach (OpenApiResponse response in responses)
 
@@ -117,8 +117,13 @@ public async Task TestQueryParametersExcludedFromNonReadOperationsOnTablesAndVie
         OpenApiPathItem pathWithouId = openApiDocument.Paths[$"/{entityName}"];
         Assert.IsTrue(pathWithouId.Operations.ContainsKey(OperationType.Post));
         Assert.IsFalse(pathWithouId.Operations[OperationType.Post].Parameters.Any(param => param.In is ParameterLocation.Query));
-        Assert.IsFalse(pathWithouId.Operations.ContainsKey(OperationType.Put));
-        Assert.IsFalse(pathWithouId.Operations.ContainsKey(OperationType.Patch));
+
+        // With keyless PUT/PATCH support, PUT and PATCH operations are present on the base path
+        // for entities with auto-generated primary keys. Validate they don't have query parameters.
+        Assert.IsTrue(pathWithouId.Operations.ContainsKey(OperationType.Put));
+        Assert.IsFalse(pathWithouId.Operations[OperationType.Put].Parameters.Any(param => param.In is ParameterLocation.Query));
+        Assert.IsTrue(pathWithouId.Operations.ContainsKey(OperationType.Patch));
+        Assert.IsFalse(pathWithouId.Operations[OperationType.Patch].Parameters.Any(param => param.In is ParameterLocation.Query));
         Assert.IsFalse(pathWithouId.Operations.ContainsKey(OperationType.Delete));
 
         // Assert that Query Parameters Excluded From NonReadOperations for path with id.