It's looking more and more like I should just be using knockout.js + plain old jQuery for templating and CRUD in the ViewModel. I just need to expose the server side parts through WebApi, but I need to think about strategies for not allowing a user to fiddle with the DOM and post updates, inserts or deletes against IDs that they aren't privy to. WebForms had this kind of safety feature built in. I already have a forms authentication based shell of a project that handles users and roles. I guess I could do a granular security check against the current thread's user before any CRUD operation down to the ViewModel's ID level but that seems expensive. Maybe I can do my own poor man's ViewState?