.NET | Nov 19, 2025
.NET 10 JWT Authentication

JWT (JSON Web Token) in .NET 10 (ASP.NET Core)

Rohan Kumawat | 9 min read

What is JWT Token Authorization?

JWT (JSON Web Token) authorization authenticates users with digitally signed tokens. In .NET 10, the API issues a token after a successful login and validates it on every request. The signature protects the token against tampering; the payload is only Base64URL-encoded, not encrypted, so it should not carry secrets.

How JWT Works in .NET 10

1. The user logs in with valid credentials.
2. The API verifies the credentials and generates a JWT token.
3. The client sends the token in the Authorization header: Bearer <token>.
4. The API validates the token using the secret key.
5. Authorization is granted based on the user's claims.

Step 1: Install Required NuGet Package

Install the JWT bearer authentication package:

dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Step 2: Add JWT Settings in appsettings.json

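Add the key, issuer, audience, and token expiry settings. HMAC SHA-256 requires a key of at least 256 bits (32 bytes), so a shorter key fails when the token is signed. Keep the real key in user secrets, an environment variable or a secret store rather than in a committed appsettings.json:

{
  "Jwt": {
    "Key": "REPLACE_WITH_RANDOM_SECRET_OF_AT_LEAST_32_BYTES",
    "Issuer": "F2BStack",
    "Audience": "F2BStackUsers",
    "ExpiresInMinutes": 60
  }
}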

Step 3: Configure JWT in Program.cs

Configure JWT token validation in .NET 10 minimal API:

using System.Text;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var jwtSettings = builder.Configuration.GetSection("Jwt");
// Fail fast at startup if the signing key is missing from configuration.
var key = Encoding.UTF8.GetBytes(
    jwtSettings["Key"] ?? throw new InvalidOperationException("Jwt:Key is not configured."));

builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        // Reject tokens with a wrong issuer, audience, lifetime or signature.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = jwtSettings["Issuer"],
            ValidAudience = jwtSettings["Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(key)
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
// Authentication must run before authorization.
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "JWT Auth Ready!");
app.Run();
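What the Step 3 validation parameters accept and reject, as an added example that is not part of the original post. It assumes a console project with implicit usings that references the Microsoft.IdentityModel.JsonWebTokens package; the key, the user `alice`, the `SomeOtherApi` audience and the helpers `Issue`, `Tamper` and `Check` are constructed for the illustration.

```csharp
// Added example, not the post's code. Assumes implicit usings (dotnet new console).
using System.Text;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Constructed sample key (over 32 bytes); never hard-code a real signing key.
var key = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes("constructed-sample-key-0123456789-abcdef"));
var handler = new JsonWebTokenHandler();

// The same checks as the Step 3 configuration; ClockSkew keeps its default.
var parameters = new TokenValidationParameters
{
    ValidateIssuer = true, ValidIssuer = "F2BStack",
    ValidateAudience = true, ValidAudience = "F2BStackUsers",
    ValidateLifetime = true,
    ValidateIssuerSigningKey = true, IssuerSigningKey = key
};

// Issue a signed token for a hypothetical user with a low-privilege role.
string Issue(string audience, int expiresInMinutes) =>
    handler.CreateToken(new SecurityTokenDescriptor
    {
        Issuer = "F2BStack",
        Audience = audience,
        Claims = new Dictionary<string, object> { ["sub"] = "alice", ["role"] = "User" },
        NotBefore = DateTime.UtcNow.AddMinutes(-30),
        Expires = DateTime.UtcNow.AddMinutes(expiresInMinutes),
        SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
    });

// Rewrite the role claim in the payload while keeping the original signature.
string Tamper(string jwt)
{
    var parts = jwt.Split('.');
    var payload = Base64UrlEncoder.Decode(parts[1]).Replace("\"User\"", "\"Admin\"");
    return $"{parts[0]}.{Base64UrlEncoder.Encode(payload)}.{parts[2]}";
}

async Task Check(string label, string jwt)
{
    var result = await handler.ValidateTokenAsync(jwt, parameters);
    Console.WriteLine($"{label,-20} valid={result.IsValid} {result.Exception?.GetType().Name}");
}

await Check("fresh token", Issue("F2BStackUsers", 60));
await Check("role tampered", Tamper(Issue("F2BStackUsers", 60)));
await Check("wrong audience", Issue("SomeOtherApi", 60));
await Check("expired 2 min ago", Issue("F2BStackUsers", -2));
await Check("expired 10 min ago", Issue("F2BStackUsers", -10));
```

The token that expired 2 minutes ago still validates because TokenValidationParameters.ClockSkew defaults to 5 minutes; set ClockSkew explicitly when short-lived tokens must expire on time.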

Step 4: Generate JWT Token (Login API)

This endpoint generates a JWT token when login is successful:

// Add to the top of Program.cs:
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

// Add before app.Run():
app.MapPost("/login", (UserLogin login, IConfiguration config) =>
{
    // Demo credentials only: verify against a real user store with hashed passwords.
    if (login.Username == "admin" && login.Password == "12345")
    {
        var jwt = GenerateJwtToken(login.Username, config);
        return Results.Ok(new { token = jwt });
    }
    return Results.Unauthorized();
});

// Build and sign a token carrying the user's name and role.
string GenerateJwtToken(string username, IConfiguration config)
{
    var jwtSettings = config.GetSection("Jwt");
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings["Key"]!));
    var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
    var claims = new[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, username),
        new Claim(ClaimTypes.Role, "Admin")
    };
    var token = new JwtSecurityToken(
        issuer: jwtSettings["Issuer"],
        audience: jwtSettings["Audience"],
        claims: claims,
        expires: DateTime.UtcNow.AddMinutes(Convert.ToDouble(jwtSettings["ExpiresInMinutes"])),
        signingCredentials: creds
    );
    return new JwtSecurityTokenHandler().WriteToken(token);
}

// Type declarations go at the end of Program.cs, after all top-level statements.
record UserLogin(string Username, string Password);

Step 5: Protect API Routes

Use authorization to protect secure endpoints:

app.MapGet("/secure-data", () => "This is protected!")
    .RequireAuthorization();

Step 6: Testing JWT Authentication

1. Send a POST request to /login to get a token.
2. Copy the token value.
3. Add this header in Postman or Angular/React:

Authorization: Bearer YOUR_JWT_TOKEN

Advantages of JWT Authorization

• Stateless and scalable
• No session storage needed
• Fast and secure using HMAC SHA-256
• Easily supports microservices
• Supports role-based authorization
• Works across Web, Mobile, and Desktop apps