Copy file name to clipboardExpand all lines: aspnetcore/security/authentication/api-endpoint-auth.md
+22-41Lines changed: 22 additions & 41 deletions
@@ -9,61 +9,42 @@ ms.date: 08/06/2025
9
9
uid: security/authentication/api-endpoint-auth
10
10
---
11
11
12
+
---
13
+
title: API endpoint authentication behavior in ASP.NET Core
14
+
author: wadepickett
15
+
description todescription: Learn how ASP.NET Core handles authentication failures for API endpoints using cookie authentication.
16
+
ai-usage: ai-assisted
17
+
monikerRange: '>= aspnetcore-10.0'
18
+
ms.author: wpickett
19
+
ms.date: 08/06/2025
20
+
uid: security/authentication/api-endpoint-auth
21
+
---
22
+
12
23
# API endpoint authentication behavior in ASP.NET Core
13
24
14
25
:::moniker range=">= aspnetcore-10.0"
15
26
16
-
When using cookie authentication, API endpoints return the appropriate HTTP status codes (such as 401 or 403) for authentication failures instead of redirecting unauthenticated requests to login pages. This behavior, which is more suitable for programmatic API access, was introduced in ASP.NET Core in .NET 10.
17
-
18
-
## The problem
27
+
When using cookie authentication, API endpoints return appropriate HTTP status codes—such as 401 (Unauthorized) or 403 (Forbidden)—when authentication fails. This approach avoids redirecting unauthenticated requests login pages, which is more suitable for programmatic access scenarios like API clients. This behavior was introduced starting with ASP.NET Core in .NET 10.
19
28
20
-
In previous versions of ASP.NET Core, when using cookie authentication, all unauthenticated requests would trigger a redirect to the configured login page. This behavior was problematic for API endpoints because:
29
+
## How ASP.NET Core identifies API endpoints
21
30
22
-
- API clients don't expect HTML login pages
23
-
- Redirects return 302 status codes instead of proper 401/403 codes
24
-
- API clients need clear HTTP status codes to handle authentication failures appropriately
31
+
ASP.NET Core automatically applies this behavior to endpoints it recognizes as API-related, including:
25
32
26
-
## The solution in ASP.NET Core 10
27
-
28
-
ASP.NET Core 10 automatically detects known API endpoints and modifies the authentication behavior:
29
-
30
-
-**Web pages**: Continue to redirect to login pages as before
31
-
-**API endpoints**: Return appropriate 401 (Unauthorized) or 403 (Forbidden) status codes without redirects
32
-
33
-
## Which endpoints are considered API endpoints?
34
-
35
-
The framework automatically identifies the following as API endpoints:
36
-
37
-
- Controllers decorated with `[ApiController]` attribute
33
+
- Controllers decorated with the `[ApiController]` attribute
38
34
- Minimal API endpoints registered with `MapGet`, `MapPost`, `MapPut`, `MapDelete`, etc.
39
35
- Endpoints that explicitly request JSON responses
40
36
- SignalR hubs and endpoints
41
37
42
-
## Behavior differences
43
-
44
-
### Before ASP.NET Core 10
38
+
## Default behavior and customization
45
39
46
-
```http
47
-
GET /api/secure-data HTTP/1.1
48
-
Host: example.com
40
+
By default, ASP.NET Core applies cookie authentication logic based on the endpoint type:
If you need to override the automatic detection for specific endpoints, you can use the `[Authorize]` attribute with specific authentication schemes or implement custom authentication handlers.
59
+
If you need to override the automatic detection for specific endpoints, use the `[Authorize]` attribute with specific authentication schemes or implement custom authentication handlers.
79
60
80
61
## Migration considerations
81
62
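Review bot: this hunk leaves the file with two YAML front-matter blocks back to back. The unchanged context lines 9-11 (`ms.date: 08/06/2025`, `uid: security/authentication/api-endpoint-auth`, `---`) already close the existing front matter, and the added lines 12-22 open a second `---` ... `---` block that repeats the same `ms.date` and `uid` values. Only the first block is parsed as metadata; the second renders as a horizontal rule followed by literal `title:` / `author:` text, so either drop the added block or merge the new keys (`title`, `author`, `description`, `ai-usage`, `monikerRange`, `ms.author`) into the original one. Within that added block the line reads `description todescription: Learn how ...`, which is not a valid key and should be `description:`. In the new opening paragraph, "avoids redirecting unauthenticated requests login pages" is missing "to". Finally, deleting the "Behavior differences" section also removes the only concrete request example (the `GET /api/secure-data HTTP/1.1` exchange under "Before ASP.NET Core 10" illustrating a 302 redirect versus a 401); consider keeping a short before/after pair under "Default behavior and customization" so the status-code difference is shown, not just described.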
@@ -106,4 +87,4 @@ public async Task UnauthorizedApiRequest_Returns401()