--- sidebar_position: 15 sidebar_label: 'Example: Validating tokens (.NET)' --- # Validating tokens (.NET) This article contains an example on how to perform validation of JWT tokens in a custom API in .NET. This is just to be seen as a getting-started. Please read current official documentation for up-to-date security perspectives related to methods used. :::warning **Don't build your own validation logic unless you absolutely have to and have deep knowledge of security and of the standards used.** For many situations, there will be a built-in way, or approach popular in your community, to handle validation of tokens. The example in this article uses the build-int functionality in .NET, and does not implement its own security validation. A list of some libraries that can be used can be found on [jwt.io/libraries](https://jwt.io/libraries). Refer to the documentation of the specific library selected for more details on JWT tokens, security considerations and how to validate the token. ::: ## 1. Register and configure the JWT token validation First, register the JWT token validation and configure the validation parameters. This example uses functionality built-in to .NET. For which exact parameters to set for your situation, please find and read recommendations on this from trusted sources. ```csharp var builder = WebApplication.CreateBuilder(args) builder.Services.AddAuthentication().AddJwtBearer(options => { options.Audience = "mytenantid:mysystemintegrationname"; options.Authority = myTrustedIssuer; var p = options.TokenValidationParameters; p.ValidateAudience = true; p.ValidateIssuer = true; p.ValidateIssuerSigningKey = true; ... // set other validation options // (several others are recommended to be set to have a secure validation, please // read up on the token validation parameters and determine which settings your // situation needs) }); ``` :::note The audience name and trusted issuer in the above code is described in the article on [Validating Access Tokens](./validating-access-tokens.md). ::: ## 2. Register authorization policies The example below register two authorization policies. These can then be reused by using the same policy name when setting up the endpoint. ```csharp builder.Services.AddAuthorizationBuilder() .AddPolicy("MyAdminPolicyName", p => { p.RequireAuthenticatedUser(); p.RequireClaim("mytenantid:mysystemintegrationname", "myadminpermissionname"); }) .AddPolicy("MyUserPolicyName", p => { p.RequireAuthenticatedUser(); p.RequireClaim("mytenantid:mysystemintegrationname", "myuserpermissionname"); }); ``` ## 3. Add the UseAuthentication and UseAuthorization middlewares Authentication and Authorization is not performed unless the middlewares for this are registered. ```csharp var app = builder.Build(); ... // other middlewares which should be configured before the authentication/authorization app.UseAuthentication(); app.UseAuthorization(); ... // other middlewares which should be configured after the authentication/authorization ``` ## 4. Configure your endpoint to use the registered policy Finally, ensure your policy is executed by adding it on your endpoint (or your endpoint group). ```csharp app.MapGet("/my-endpoint", async (ClaimsPrincipal user) => { // Your endpoint logic here. You can use the information in the user parameter to see information from the provided and validated token }).RequireAuthorization("MyUserPolicyName"); ```