Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
How this skill is triggered — by the user, by Claude, or both
Slash command
/auth0:auth0-aspnetcore-apiThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Protect ASP.NET Core Web API endpoints with JWT access token validation using Auth0.AspNetCore.Authentication.Api.
Guides ASP.NET Core authentication and authorization with JWT bearer tokens, OpenID Connect, ASP.NET Identity, policies, roles, claims, and API keys. For login, endpoint protection, and auth rules.
Adds login, logout, and user profile to ASP.NET Core MVC, Razor Pages, or Blazor Server apps using Auth0.AspNetCore.Authentication with cookie-based authentication.
Implementing API auth. Identity, OAuth/OIDC, JWT bearer, passkeys (WebAuthn), CORS, rate limiting.
Share bugs, ideas, or general feedback.
Protect ASP.NET Core Web API endpoints with JWT access token validation using Auth0.AspNetCore.Authentication.Api.
auth0-quickstart skill firstauth0-react, auth0-vue, or auth0-angular for client-side authauth0-react-native for React Native/Expodotnet add package Auth0.AspNetCore.Authentication.Api
You need an API (not Application) in Auth0.
STOP — ask the user before proceeding.
Ask exactly this question and wait for their answer before doing anything else:
"How would you like to create the Auth0 API resource?
- Automated — I'll run Auth0 CLI scripts that create the resource and write the exact values to your appsettings.json automatically.
- Manual — You create the API yourself in the Auth0 Dashboard (or via
auth0 apis create) and provide me the Domain and Audience.Which do you prefer? (1 = Automated / 2 = Manual)"
Do NOT proceed to any setup steps until the user has answered. Do NOT default to manual.
If the user chose Automated, follow the Setup Guide for complete CLI scripts. The automated path writes appsettings.json for you — skip Step 3 below and proceed directly to Step 4.
If the user chose Manual, follow the Setup Guide (Manual Setup section) for full instructions including User Secrets and environment variable options. Then continue with Step 3 below.
Quick reference for manual API creation:
# Using Auth0 CLI
auth0 apis create \
--name "My ASP.NET Core API" \
--identifier https://my-api.example.com
Or create manually in Auth0 Dashboard → Applications → APIs
{
"Auth0": {
"Domain": "your-tenant.auth0.com",
"Audience": "https://my-api.example.com"
}
}
Important: Domain must NOT include https://. The library constructs the authority URL automatically.
var builder = WebApplication.CreateBuilder(args);
// Register Auth0 JWT validation
builder.Services.AddAuth0ApiAuthentication(options =>
{
options.Domain = builder.Configuration["Auth0:Domain"];
options.JwtBearerOptions = new JwtBearerOptions
{
Audience = builder.Configuration["Auth0:Audience"]
};
});
builder.Services.AddAuthorization();
var app = builder.Build();
// Middleware order matters: authentication before authorization
app.UseAuthentication();
app.UseAuthorization();
// Add your endpoints here (see Step 5)
app.MapGet("/api/public", () => Results.Ok(new { message = "Public" }));
app.Run();
Minimal API:
// Public endpoint - no authentication
app.MapGet("/api/public", () => Results.Ok(new { message = "Hello from a public endpoint!" }));
// Protected endpoint - requires valid JWT
app.MapGet("/api/private", (HttpContext ctx) =>
{
var userId = ctx.User.FindFirst("sub")?.Value;
return Results.Ok(new { message = "Hello from a protected endpoint!", userId });
}).RequireAuthorization();
Controller-based:
[ApiController]
[Route("api")]
public class MessagesController : ControllerBase
{
[HttpGet("public")]
public IActionResult Public() =>
Ok(new { message = "Hello from a public endpoint!" });
[Authorize]
[HttpGet("private")]
public IActionResult Private() =>
Ok(new { message = "Hello from a protected endpoint!", userId = User.FindFirst("sub")?.Value });
}
Test public endpoint:
curl http://localhost:5000/api/public
Test protected endpoint (requires access token):
curl http://localhost:5000/api/private \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Get a test token via Client Credentials flow or Auth0 Dashboard → APIs → Test tab.
| Mistake | Fix |
|---|---|
Domain includes https:// | Use your-tenant.auth0.com format only - no scheme prefix |
| Audience doesn't match API Identifier | Must exactly match the API Identifier set in Auth0 Dashboard |
| Created Application instead of API in Auth0 | Must create API resource in Auth0 Dashboard → Applications → APIs |
| Wrong middleware order | UseAuthentication() must come before UseAuthorization() |
| Using ID token instead of access token | Must use access token for API auth, not ID token |
| HTTPS certificate errors locally | Run dotnet dev-certs https --trust |
See Integration Guide for defining and enforcing scope policies.
Built-in proof-of-possession token binding per RFC 9449. See Integration Guide for configuration.
auth0-quickstart - Basic Auth0 setupauth0-mfa - Add Multi-Factor Authenticationauth0-cli - Manage Auth0 resources from the terminalConfiguration Options:
options.Domain - Auth0 tenant domain, no https:// prefix (required)options.JwtBearerOptions.Audience - API Identifier from Auth0 API settings (required)options.JwtBearerOptions - Full access to underlying Microsoft JWT Bearer optionsUser Claims:
ctx.User.FindFirst("sub")?.Value - User ID (subject)ctx.User.FindFirst("scope")?.Value - Space-separated scopesctx.User.FindAll("scope") - All scope claimsCommon Use Cases:
.RequireAuthorization() (see Step 5)[Authorize] attribute (see Step 5)