How To Implement API Key Authentication In ASP.NET Core (2024)

Table of Contents
Implementing API Key Authentication Registering Services With Dependency Injection Applying API Key Authentication To Endpoints Next Steps

In this week's newsletter I want to show you how to implement API Key authenticationin ASP.NET Core. This authentication approach uses an API Key to authenticate theclient of an API. You can pass the API Key to the API in a few ways, such as throughthe query string or a request header.

I will show you how to implement API Key authentication where the API key is passedin a request header. But the implementation would be similar if we were to use anyother approach.

When would you want to use API Key authentication? This kind of authenticationmechanism is common in Server-to-Server (S2S) communication. When your API servesrequest for other server-side applications to consume and integrate with. It'sless common in client-server communication scenarios.

Let's see how we can implement API Key authentication in ASP.NET Core!

Implementing API Key Authentication

We will start off by creating an attribute that we can place on endpointswhere we want to apply API Key authentication. It won't be any kind ofattribute, because we will use a ServiceFilterAttribute.

See Also
Setting up API key validation  |  Apigee  |  Google CloudAuthenticating to a REST API from c#🧱Advanced API Security Practices in C#: A Developer’s Guide🛡️💻C# Program to Illustrate User Authentication - GeeksforGeeks

What a ServiceFilterAttribute allows us to do is specify a type for thefilter that will be created for that attribute.This means we can implement our authentication logic in an IAuthorizationFilter.With a ServiceFilterAttribute we also have support for dependency injectionin our IAuthorizationFilter implementation.

Let's first define the ApiKeyAttribute class:

public class ApiKeyAttribute : ServiceFilterAttribute{ public ApiKeyAttribute() : base(typeof(ApiKeyAuthorizationFilter)) { }}

In the ApiKeyAttribute we specify ApiKeyAuthorizationFilter class as thefilter that will be resolved from the DI container. Here's what it looks like:

public class ApiKeyAuthorizationFilter : IAuthorizationFilter{ private const string ApiKeyHeaderName = "X-API-Key"; private readonly IApiKeyValidator _apiKeyValidator; public ApiKeyAuthorizationFilter(IApiKeyValidator apiKeyValidator) { _apiKeyValidator = apiKeyValidator; } public void OnAuthorization(AuthorizationFilterContext context) { string apiKey = context.HttpContext.Request.Headers[ApiKeyHeaderName]; if (!_apiKeyValidator.IsValid(apiKey)) { context.Result = new UnauthorizedResult(); } }}

The implementation comes down to validating the API Key obtained fromthe header of the current request. If we determine that the API Keyis not valid, we set the value of AuthorizationFilterContext.Resultto a new instance of an UnauthorizedResult.

And lastly, all that's left for us to do is implement our customvalidation logic for the API Key inside of ApiKeyValidator:

public class ApiKeyValidator : IApiKeyValidator{ public bool IsValid(string apiKey) { // Implement logic for validating the API key. }}public interface IApiKeyValidator{ bool IsValid(string apiKey);}

The actual implementation for validating the API Key will vary basedon your use case, and where you are storing the API keys.For example, if you store the API keys in the database you would checkif the provided API Key exists in the database.If it exists, then validation passes.If it doesn't exist, then validation fails and we return anUnauthorizedResult.

Registering Services With Dependency Injection

We have to make sure to register our ApiKeyAuthorizationFilter andApiKeyValidator services with the dependency injection container.

builder.Services.AddSingleton<ApiKeyAuthorizationFilter>();builder.Services.AddSingleton<IApiKeyValidator, ApiKeyValidator>();

This will register them as singleton services in our application.You can use a different service scope such as Transient or Scopedif you need to.

Applying API Key Authentication To Endpoints

Finally, with our API Key authentication in place, we can apply theApiKeyAttribute attribute to our endpoints:

public class NewslettersController : ControllerBase{ [ApiKey] [HttpGet] public IActionResult Get() { // ... }}

In this case I'm applying the ApiKeyAttribute to an endpoint, butyou can also apply it on the NewslettersController and it will addauthentication to all the endpoints for that controller.

Next Steps

Now that you know how to implement API Key authentication, I think youshould also learn how to implement JWT authentication. And while you'reat it, why not throw authorization into the mix.

I made a few videos about JWT authentication and permission authorizationthat you should take a look at next:

How To Implement API Key Authentication In ASP.NET Core (2024)
Top Articles
Failure To Launch Syndrome - 8 Financial Tips To Free Your Children | Dr. Breathe Easy Finance
How to Budget Your Money - 8 Best Personal Budgeting Methods [2023]
Use Copilot in Microsoft Teams meetings
Maxtrack Live
Danatar Gym
Ymca Sammamish Class Schedule
Jesus Calling December 1 2022
7.2: Introduction to the Endocrine System
Shaniki Hernandez Cam
Bbc 5Live Schedule
Gfs Rivergate
Bjork & Zhulkie Funeral Home Obituaries
House Party 2023 Showtimes Near Marcus North Shore Cinema
Cvb Location Code Lookup
Directions To 401 East Chestnut Street Louisville Kentucky
Houses and Apartments For Rent in Maastricht
Craiglist Tulsa Ok
Does Breckie Hill Have An Only Fans – Repeat Replay
25Cc To Tbsp
Kountry Pumpkin 29
Loft Stores Near Me
/Www.usps.com/International/Passports.htm
Lakers Game Summary
Www Craigslist Madison Wi
Home
Koninklijk Theater Tuschinski
Hannaford Weekly Flyer Manchester Nh
Phantom Fireworks Of Delaware Watergap Photos
Relaxed Sneak Animations
Harbor Freight Tax Exempt Portal
Delete Verizon Cloud
Login.castlebranch.com
Things to do in Pearl City: Honolulu, HI Travel Guide by 10Best
Yu-Gi-Oh Card Database
Craigslistodessa
Publix Daily Soup Menu
The Hoplite Revolution and the Rise of the Polis
ShadowCat - Forestry Mulching, Land Clearing, Bush Hog, Brush, Bobcat - farm & garden services - craigslist
Suspect may have staked out Trump's golf course for 12 hours before the apparent assassination attempt
Vitals, jeden Tag besser | Vitals Nahrungsergänzungsmittel
Sam's Club Gas Prices Florence Sc
Torrid Rn Number Lookup
ESA Science & Technology - The remarkable Red Rectangle: A stairway to heaven? [heic0408]
Ehome America Coupon Code
Makes A Successful Catch Maybe Crossword Clue
Sea Guini Dress Code
Movie Hax
Canonnier Beachcomber Golf Resort & Spa (Pointe aux Canonniers): Alle Infos zum Hotel
Automatic Vehicle Accident Detection and Messageing System – IJERT
Craigslist Marshfield Mo
The top 10 takeaways from the Harris-Trump presidential debate
Craiglist.nj
Latest Posts
Fysieke ETF’s: Uitleg + Voor- en Nadelen bij Beleggen
2 Things You Need to Know if You Buy the Vanguard Growth ETF Portfolio (TSX:VGRO) Today
Article information

Author: Edmund Hettinger DC

Last Updated:

Views: 6213

Rating: 4.8 / 5 (58 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Edmund Hettinger DC

Birthday: 1994-08-17

Address: 2033 Gerhold Pine, Port Jocelyn, VA 12101-5654

Phone: +8524399971620

Job: Central Manufacturing Supervisor

Hobby: Jogging, Metalworking, Tai chi, Shopping, Puzzles, Rock climbing, Crocheting

Introduction: My name is Edmund Hettinger DC, I am a adventurous, colorful, gifted, determined, precious, open, colorful person who loves writing and wants to share my knowledge and understanding with you.