User Authentication with ASP.NET Web API


I was struggling to understand how to secure my Web API endpoint using some form of authentication mechanism. During my search, I came across a video on YouTube created by IAmTimCorey titled: Creating a WebAPI with Authentication – A TimCo Retail Manager Video that outlined exactly what I needed.

I’ve written about Tim Corey before, he has a great teaching style, easy to understand and he always delivers what he sets out to teach in every video.

After watching the video, I decided to outline exactly the steps required to secure API endpoints.

The steps are as follows:

  1. Create a ASP.NET Web Application (NET Framework) Project
  2. Build & Run the Project
  3. Register an Account
  4. Retrieve the Token
  5. Make a GET Request

In summary, we’re going to create a new ASP.NET Web Application using the Full .NET framework. Once the project has been created, we’ll build and run the project to ensure that the API endpoint loads correctly.

The Project template will include an Authentication step which will prevent us from accessing the API endpoint without registering first. Once we have registered, we will be able to retrieve a token that we can pass through a GET header to authenticate our requests.

*Note that I will be using a tool called Postman to make HTTP requests.

Create a ASP.NET Web Application (NET Framework) Project

Name the project appropriately.

Select Web API template with Authentication set to Individual User Accounts.

Build & Run the Project

Once you build and run the project, if you click the API link on the header you should see a list of HTTP methods you can call with some instructions on how to do so.

You can now test the API endpoint with Postman. Run Postman to retrieve a list of values:


You should see the following output:

This is to be expected as we’ve secured our API using the Individual User Accounts Authentication. In order to access the API resource, we will need to register with the service provider.

Register an Account

Using the POST method, register a new account. The API documentation for creating accounts is listed in the sample MVC webpage.

You should receive a Status 200 indicating that the new account registration was successful.

At this point, you will notice a new user account created in the LocalDB.

Retrieve the Token

The next step is to retrieve a token. This token will be passed through the header to authenticate our requests.

To get the token, enter the following URL or similar in Postman.

  1. Request Type: GET
  2. Body: x-form-urlencoded
username{account username}
password{account password}

Your request should look something like the following:

Once you have registered and retrieved the token, the output should be something similar to the below:

    "access_token": "Lg5PnQJSnR9z-zmTmGdrm1i0c1DkcaWo42ufDjamRPZ5xa0Hhe47ZLoPo3_Z92iX5FTJ03SAXAXdn6nT4N9A_oBxLhh4UzdhgIgEGPzGuQLHhaLkUaGcTcjF5L5dMNaXHkgTLwp9KMeKrvwFvEkfrY96qFFSQLtyms4iGy5VDKNfR1O0A8s4BUCT_EimvGJf838um3ylwmUzvdPGyhCZphskkcLEcLNx87K2OdU_tj7ZiyrAxhVrbHiihVkzWNhI-doHVpFKG1tFJoD07Ri4aR4CxrtT63pi6NaBu4tPihQeVmE9Oi5gdWjk39Xl-lC0t3PxbQH22liLQOJK4J9ID2czPHkq3_d7ho_iy8rDcG5Ze_6Xj0u7YAVJeha-cjjlMr-tKK3nng89-OrWeajRR4vZIl9qgwArQhWNH3mmOCoW_uf7jcIl6u7BLy1RhovJXBUh-btBE6vPGTFXxp03VAsyut1NdXcm0svXzGJKz5rFoWLupkHKtabRba9-Qa0f",
    "token_type": "bearer",
    "expires_in": 1209599,
    "userName": "",
    ".issued": "Mon, 06 Jan 2020 18:53:29 GMT",
    ".expires": "Mon, 20 Jan 2020 18:53:29 GMT"

Keep a note of the access_token. You will need this later.

Make a GET Request

The final step is to use the access_token to create the request. Earlier, we tried to issue a GET request on the following URL:


Our output in Postman was as follows:

This was to be expected as our endpoint was secure. There are two key pieces of information required here:

  1. A key called Authorization must be added to the Header for the GET request.
  2. The token that was created earlier needs to be passed in, preceded by the word bearer.
Authorization bearer Lg5PnQJSnR9z-zmTmGdrm1i0c1DkcaWo42ufDjamRPZ5xa0Hhe47ZLoPo3_Z92iX5FTJ03SAXAXdn6nT4N9A_oBxLhh4UzdhgIgEGPzGuQLHhaLkUaGcTcjF5L5dMNaXHkgTLwp9KMeKrvwFvEkfrY96qFFSQLtyms4iGy5VDKNfR1O0A8s4BUCT_EimvGJf838um3ylwmUzvdPGyhCZphskkcLEcLNx87K2OdU_tj7ZiyrAxhVrbHiihVkzWNhI-doHVpFKG1tFJoD07Ri4aR4CxrtT63pi6NaBu4tPihQeVmE9Oi5gdWjk39Xl-lC0t3PxbQH22liLQOJK4J9ID2czPHkq3_d7ho_iy8rDcG5Ze_6Xj0u7YAVJeha-cjjlMr-tKK3nng89-OrWeajRR4vZIl9qgwArQhWNH3mmOCoW_uf7jcIl6u7BLy1RhovJXBUh-btBE6vPGTFXxp03VAsyut1NdXcm0svXzGJKz5rFoWLupkHKtabRba9-Qa0f

Issuing the GET request should now be successful

And that is all that is required to secure an API endpoint.

Leave a comment