Require authentication

In many APIs, all endpoints require authentication. In others, there may be a mix of protected and unprotected (anonymous) endpoints. These examples show you how to do both.

Require authentication for a specific route

If you want the user to only have access to a route if they are signed in, require authentication for just those routes.

• ASP.NET
• ASP.NET Core 2.x
• ASP.NET Core 3.x
• Go
• Node Express
• PHP
• Spring Boot

Use the [Authorize] attribute on controllers or actions to require a signed-in user:

public class MessagesController : Controller
{
    [Route("~/api/messages")]
    [Authorize]
    [HttpGet]
    public IHttpActionResult Get()
    {
        return Json(new
        {
            messages = new dynamic[]
            {
                new { date = DateTime.Now, text = "This endpoint is protected." },
                new { date = DateTime.Now, text = "Hello, world!" },
            },
        });
    }
}

Require authentication for everything

For some applications, you may want to require the user to be authenticated for all routes.

• ASP.NET
• ASP.NET Core 2.x
• ASP.NET Core 3.x
• Go
• Node Express
• PHP
• Spring Boot

To require authentication for all actions you can register a new filter with the Authorize attribute. Update the Register method in the WebApiConfig.cs file with the following code:

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        //...
        config.Filters.Add(new AuthorizeAttribute());
    }
}

Or you can opt to create a BaseProtectedController and make all of your controllers inherit from it:

[Authorize]
public abstract class BaseProtectedController : Controller
{
    //...
}

For those actions/controllers that need to be accessible for non-authenticated users, you have to decorate them with the AllowAnonymous attribute.

Next: Configure CORS