This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 70%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
Hi ,
How to secure web api in asp.net c#
i want to secure the web api for offboarding and crossboarding users.
Example-offboarding : we have created one api, so we want to secure those api. suppose if a employee has left the organization and he knows the API url and API parameter, so in this case how to secure the api.
Example-Crossboarding : we have created one api, so we want to secure those api. suppose if a employee is in the same organization but he moved from one team to another team and he knows the API url and API parameter, so in this case how to secure the api.
Web API is secured using tokens. Tokens come form a token server. It is uncommon for a person to have a token. Usually an application has the token. Plus tokens do not live forever.
https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-web-api-aspnet-core-protect-api
https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/01-authorization
If a user left an organization and can still login to an application, Well, that means someone did not remove the user's account. The same applies to a user that moves to another team. Someone needs to update the user's account. In my opinion, this is more of a procedural issue than programmatic.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 36%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELH%3C/text%3E%3C/svg%3E)
Hi @Deshmukh, Ashish,
You can review Authentication and Authorization in ASP.NET Web API to learn more:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
I assume your referring to an appid and secret. this should not be know by users or stored in code. at run time a verified access token should be used to fetch the values. Azure key vault or similar is a good place to store these secrets.