
Okta ASP.NET Web API Quickstart

If you want a full, working example, head over to the ASP.NET examples and follow the README instructions.

Create a new Web API project

If you don't already have a Web API project, create a new ASP.NET (.NET Framework) project and choose the Web API template. Choose No Authentication.

Install required packages

First, install these packages with NuGet:

Configure the middleware

If you don't already have a Startup.cs file (OWIN Startup class), create one by right-clicking on your project and choosing Add > OWIN Startup Class.

Make sure you have these using statements at the top of your Startup.cs file:

using Microsoft.Owin;
using Okta.AspNet;
using Owin;
using System.Configuration;

Add the following code to your Configuration method:

Note: https://{yourOktaDomain} is different from your admin URL. Don’t include -admin in the value. When you copy your Okta domain from the Developer Console, you can find the correct value in the upper-right corner of the dashboard.

public void Configuration(IAppBuilder app)
{
    app.UseOktaWebApi(new OktaWebApiOptions() {
        OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
    });
}

Additional middleware configuration

The OktaWebApiOptions class configures the Okta middleware. You can see all the available options in the Okta ASP.NET middleware GitHub.

Configure the project

Open the Web.config file and add your Okta configuration to the <appSettings> section. Check out the Okta ASP.NET middleware GitHub to see more details about this step.

Protect application resources

Use the [Authorize] attribute on API controllers or actions to require an authenticated user. For example, create an /api/messages route in a new API controller that returns secret messages if a valid token is present:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;

[Authorize] // Reject requests that do not carry a valid token
public class MessagesController : ApiController
{
    public IHttpActionResult Get()
    {
        var principal = RequestContext.Principal.Identity as ClaimsIdentity;

        // Identifier of the caller, taken from the validated token (null if the claim is absent)
        var login = principal.Claims
            .SingleOrDefault(c => c.Type == System.IdentityModel.Claims.ClaimTypes.NameIdentifier)
            ?.Value;

        return Json(new
        {
            messages = new dynamic[]
            {
                new { date = DateTime.Now, text = "I am a Robot." },
                new { date = DateTime.Now, text = "Hello, world!" },
            },
        });
    }
}

That's it!

The Okta middleware automatically validates tokens and populates HttpContext.User with a limited set of user information.

If you want to do more with the user, you can use the Okta .NET SDK to get or update the user's details stored in Okta.
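[Authorize] on its own only requires an authenticated caller; it does not check what the token is allowed to do. The following is an added example, not code from the Okta quickstart or middleware, of a Web API filter that also requires a scope. The class name RequireScopeAttribute, the scope name in the usage comment and the two claim type names are assumptions; inspect the claims on the principal in your own application to confirm where scopes appear.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

// Added example (hypothetical name): require a specific scope on top of a valid token.
// Usage: [RequireScope("messages.read")] on a controller or action
// ("messages.read" is a made-up scope name).
public class RequireScopeAttribute : AuthorizeAttribute
{
    // Assumption: scopes arrive as "scp" claims, or under the mapped URI
    // when the JWT handler's default inbound claim mapping is active.
    private static readonly string[] ScopeClaimTypes =
    {
        "scp",
        "http://schemas.microsoft.com/identity/claims/scope",
    };

    private readonly string _requiredScope;

    public RequireScopeAttribute(string requiredScope)
    {
        if (string.IsNullOrWhiteSpace(requiredScope))
            throw new ArgumentException("A scope name is required.", nameof(requiredScope));
        _requiredScope = requiredScope;
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Run the base check first: unauthenticated callers are rejected here.
        if (!base.IsAuthorized(actionContext))
            return false;

        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null)
            return false;

        // A claim value may hold one scope or a space-separated list.
        return principal.Claims
            .Where(c => ScopeClaimTypes.Contains(c.Type, StringComparer.Ordinal))
            .SelectMany(c => c.Value.Split(' '))
            .Any(s => string.Equals(s, _requiredScope, StringComparison.Ordinal));
    }
}
```

The comparison is exact and case-sensitive, so a token with a similarly named scope does not pass. As written, the base class answers 401 both for a missing token and for a missing scope.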

Note: If your client application is running on a different server (or port) than your ASP.NET Core server, you'll need to add CORS middleware to the pipeline as well. Check out our resource server sample which is pre-configured with an open CORS policy to make it easy to test with frontend projects!