Enable token authentication for Dapr requests

When Dapr is enabled for your application in Azure Container Apps, it injects the environment variable APP_API_TOKEN into your app's container. Dapr includes the same token in all requests sent to your app, as either:

  • An HTTP header (dapr-api-token)
  • A gRPC metadata option (dapr-api-token[0])

The token is randomly generated and unique to each app and app revision. It can also change at any time. Your application should read the token from the APP_API_TOKEN environment variable when it starts up to ensure that it's using the correct token.

You can use this token to authenticate that calls coming into your application are actually coming from the Dapr sidecar, even when listening on public endpoints.

  1. The daprd container reads the token and injects it into each call made from Dapr to your application.
  2. Your application can then use that token to validate that the request is coming from Dapr.

Prerequisites

Dapr-enabled Azure Container App

Authenticate requests from Dapr

If you're using a Dapr SDK, you can use the Dapr authentication methods provided in the open-source SDK repositories.

Once added to your project, the Dapr SDKs validate the token in all incoming requests from Dapr, rejecting calls that don't include the correct token. You don't need to perform any other action.

Incoming requests that don't include the token, or include an incorrect token, are rejected automatically.
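For an app that doesn't use a Dapr SDK, the same check can be made by hand on the HTTP path. The following is an added example, not code from the Dapr SDKs or from this documentation: a WSGI middleware that reads APP_API_TOKEN at startup and compares it with the dapr-api-token header. The names DaprTokenMiddleware, hello_app, and call, and the sample token, are assumptions made for illustration.

```python
import hmac
import os


class DaprTokenMiddleware:
    """WSGI middleware (hypothetical name) that rejects calls lacking the Dapr token."""

    def __init__(self, app, token=None):
        self.app = app
        # Read the token once at startup from the variable Dapr injects.
        if token is None:
            token = os.environ.get("APP_API_TOKEN", "")
        self.token = token.encode("utf-8")

    def __call__(self, environ, start_response):
        # WSGI exposes the dapr-api-token header as HTTP_DAPR_API_TOKEN.
        presented = environ.get("HTTP_DAPR_API_TOKEN", "").encode("utf-8", "replace")
        # Fail closed when no token is configured; compare in constant time.
        if not self.token or not hmac.compare_digest(presented, self.token):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"invalid or missing dapr-api-token\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the app\n"]


def call(app, headers):
    """Drive a WSGI app with constructed request headers; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed sample token; in Container Apps the value comes from APP_API_TOKEN.
    guarded = DaprTokenMiddleware(hello_app, token="constructed-sample-token")
    print(call(guarded, {"dapr-api-token": "constructed-sample-token"}))
    print(call(guarded, {}))
```
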

Next steps

Learn more about the Dapr integration with Azure Container Apps.