How to create a WebAPI authenticated by JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) to exchange information securely via a signed token. For example, a server could issue a token with the claim “user identified as an administrator” and provide it to the client. The client could then check the token to prove that the user is logged in as an administrator.

Personally, it is a solution that I find elegant because

  • Simple to set up: a few configuration lines and the use of the [Authorize] attribute,
  • Easily manage my own security rules when checking the username and password,
  • Very easy to test in client applications: just add an HTTP header “Authorization: Bearer [Token]“.

General flow

The principle is to call a method that generates a JWT Token, containing an expiration date and some meta-data, and signed to avoid alterations. This token is then sent to all requests via the HTTP header.

Once you have generated a JWT token, you can easily validate it from

Contents of the JWT token

A JWT token consists of three parts: a header, a payload and a signature:

  • The header indicates which algorithm is used to generate the signature (e. g. HMAC-SHA256).
  • The Payload is content according to the application. It is indicated in the JWT specifications to include a time stamp in the creation: nbf (not before – date and time after of use) and exp (expiration date and time).
  • The signature is obtained via the algorithm specified in the header applied to the token and key. It ensures that the Token has not been modified since its creation.

Configuring WebAPIs

The first step is to create an ASP.NET Core project, via Visual Studio or VSCode. It will be able to host your WebAPIs.

  1. 1. First of all, it is necessary to add the Nuget packages IdentityModel.Tokens.Jwt and System.Runtime.Serialization.Json.

2. Next, adapt the Startup.cs class to configure the JWT service.

public class Startup
    public void ConfigureServices(IServiceCollection services)

        // Configure the JWT Authentication Service
        services.AddAuthentication(options =>
            options.DefaultAuthenticateScheme = "JwtBearer";
            options.DefaultChallengeScheme = "JwtBearer";
        .AddJwtBearer("JwtBearer", jwtOptions =>
            jwtOptions.TokenValidationParameters = new TokenValidationParameters()
                // The SigningKey is defined in the TokenController class
                IssuerSigningKey = TokenController.SIGNING_KEY,
                ValidateIssuer = false,
                ValidateAudience = false,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(5)

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        app.UseAuthentication();  // Must be before app.UseMvc

3. Create the TokenController.cs class to create the method to generate the token.

public class TokenController : Controller
    private const string SECRET_KEY = "TQvgjeABMPOwCycOqah5EQu5yyVjpmVG";
    public static readonly SymmetricSecurityKey SIGNING_KEY = new 

    public IActionResult Get(string username, string password)
        if (username == password)
            return new ObjectResult(GenerateToken(username));
            return BadRequest();

    // Generate a Token with expiration date and Claim meta-data.
    // And sign the token with the SIGNING_KEY
    private string GenerateToken(string username)
        var token = new JwtSecurityToken(
            claims:    new Claim[] { new Claim(ClaimTypes.Name, username) },
            notBefore: new DateTimeOffset(DateTime.Now).DateTime,
            expires:   new DateTimeOffset(DateTime.Now.AddMinutes(60)).DateTime,
            signingCredentials: new SigningCredentials(SIGNING_KEY, 

        return new JwtSecurityTokenHandler().WriteToken(token);

4. The last step is to add [Autorize] attribute to reduce access to some methods.

public class ValuesController : Controller
    // GET api/values
    public IEnumerable<string> Get()
        return new string[] { "value1", "value2" };

Verification of secured methods

When running your WebAPI project, you can no longer call the action “api/values”: you will receive an error like “401. Unauthorized“.
To be able to perform this action without error, you must first obtain a Token and use it in the request header.

To test your queries, you can use Postman or the cURL command

Example with cURL (see the video to use Postman). The flag “-i” include the HTTP response headers in the output.

> curl -i http://localhost/api/values

  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Bearer
  X-Powered-By: ASP.NET
  Content-Length: 0
> curl -i http://localhost/api/token/denis/mypassword

  HTTP/1.1 200 OK
  X-Powered-By: ASP.NET

> curl -i http://localhost/api/values -H "Authorization: Bearer eyJhbGciOi...”

  HTTP/1.1 200 OK
  Content-Type: application/json; charset=utf-8
  X-Powered-By: ASP.NET



JSON Web Token (JWT) is an open standard that requires only a few lines of configuration and makes it easy to secure WebAPIs developed in C#. This protocol being standardized, it is compatible with other platforms and languages: Java, Python, JavaScript, Go, Ruby, …

The token used during data exchanges is signed and can contain your own meta-data. It is also very easy to integrate WebAPIs into unit test projects and decrypt values if necessary.

In a future article, we will see how to consume these secure WebAPIs, in Angular 4 projects: creating a HttpInterceptor class that automatically adds the token to all web queries.

Posted in ASPNET, JWT

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow me
   RSS Feed    Twitter    Linked In

Write you email address to subscribe at this blog and to receive new posts by mail.

Join 647 other followers

Who I am?

%d bloggers like this: