Okta ASP.NET Core Web API Quickstart

If you want a full, working example, head over to the ASP.NET Core Samples repository.

Create a new project

If you don't already have an ASP.NET Core project, create one using dotnet new mvc or the ASP.NET Core Web Application template in Visual Studio. Choose No Authentication if necessary.

Install these packages in the new project:

Configure the middleware

Make sure you have these using statements at the top of your Startup.cs file:

using Okta.AspNetCore;

Add the following code anywhere in your ConfigureServices method, and add your Okta configuration:

Note: https://{yourOktaDomain} is different from your admin URL. Don’t include -admin in the value. When you copy your Okta domain from the Developer Console, you can find the correct value in the upper-right corner of the dashboard.

// Make the Okta API scheme the default for authenticate, challenge, and sign-in
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
})
.AddOktaWebApi(new OktaWebApiOptions()
{
    OktaDomain = "https://${yourOktaDomain}"
});

// ... the rest of ConfigureServices

Then, in the Configure method, add this line above the UseMvc line:


Additional middleware configuration

The OktaMvcOptions class configures the Okta middleware. You can see all the available options in the project's README on GitHub. Once you have the middleware working, you can place the Okta configuration in appsettings.json and reference it with the Configuration pattern:

OktaDomain = Configuration["Okta:OktaDomain"]

Protect application resources

Use the [Authorize] attribute on controllers or actions to require an authenticated user. For example, you could create an /api/messages route in a new controller that returns secret messages if a valid token is present:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// [Authorize] rejects any request that does not carry a valid token
[Authorize]
public class MessagesController : Controller
{
    [HttpGet]
    [Route("~/api/messages")]
    public JsonResult Get()
    {
        var principal = HttpContext.User.Identity as ClaimsIdentity;

        // Identifier of the authenticated caller, taken from the validated token
        var login = principal.Claims
            .SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier)
            ?.Value;

        return Json(new
        {
            messages = new dynamic[]
            {
                new { Date = DateTime.Now, Text = "I am a Robot." },
                new { Date = DateTime.Now, Text = "Hello, world!" },
            },
        });
    }
}
That's it!

The Okta middleware automatically validates tokens and populates HttpContext.User with a limited set of user information.

If you want to do more with the user, you can use the Okta .NET SDK to get or update the user's details stored in Okta.

Note: If your client application is running on a different server (or port) than your ASP.NET Core server, you'll need to add CORS middleware to the pipeline as well. Check out our resource server sample which is pre-configured with an open CORS policy to make it easy to test with frontend projects!
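
A Startup.cs that ties the steps above together and, instead of an open CORS policy, limits cross-origin calls to a single front-end origin. This is an added example, not code from the Okta samples: the policy name FrontendOnly and the Cors:AllowedOrigin setting are assumptions, and it targets the same UseMvc-era ASP.NET Core as the rest of this page.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Okta.AspNetCore;

public class Startup
{
    private const string FrontendCorsPolicy = "FrontendOnly"; // hypothetical policy name

    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed appsettings.json key, e.g. "https://app.example.com" (constructed value).
        // Fail closed: refuse to start rather than fall back to an open policy.
        var origin = Configuration["Cors:AllowedOrigin"]
            ?? throw new InvalidOperationException("Cors:AllowedOrigin is not configured.");

        services.AddCors(options => options.AddPolicy(FrontendCorsPolicy, policy => policy
            .WithOrigins(origin)             // exact scheme://host[:port], no trailing slash
            .WithMethods("GET")              // only what /api/messages needs
            .WithHeaders("Authorization"))); // header that carries the bearer token

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
            options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
            options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
        })
        .AddOktaWebApi(new OktaWebApiOptions()
        {
            OktaDomain = Configuration["Okta:OktaDomain"]
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // CORS runs first so preflight (OPTIONS) requests, which carry no token, are answered.
        app.UseCors(FrontendCorsPolicy);
        // Standard ASP.NET Core authentication middleware, registered above UseMvc.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

CORS only controls which browser origins may read responses; the [Authorize] attribute and token validation remain the access control for the API itself.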