JWT Token Auth using Ocelot

JWT Token Authentication and Ocelot API Gateway


This article explains JWT token authentication and how to implement JWT token validation in an Ocelot API gateway. Implementing authentication in the gateway extends it to the downstream APIs, so authentication does not have to be added to each downstream API individually.

JWT Token Authentication

JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Format of JWT Token:

  • Header
  • Payload
  • Signature


The header contains the token type and the signing algorithm used for the signing credentials (key).

The payload contains the claims, which can be registered claims or custom claims. A claim is an entity that holds information to be transmitted to the other party/API.

Examples of registered claims are iss (issuer), exp (expiration time), sub (subject), and aud (audience).

Issuer: The API in which the token is generated

Audience: The Recipients of the token

The header and the payload are each Base64Url encoded to form the first and second parts of the JSON Web Token.



The signature part is created from the encoded header, the encoded payload, and a secret, using the algorithm specified in the header, and signed with the signing credentials. For HMAC SHA-256:

  HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    secret)




Encoded token:





Decoded header:

  {
    "alg": "HS256",
    "typ": "JWT"
  }

Decoded payload:

  {
    "UserName": "Jeff",
    "Role": "Admin",
    "exp": 1601063043,
    "iss": "AWTUser",
    "aud": "AWTUser"
  }



JWT Implementation

Code for token generation, to be run when the user logs in:

  using System;
  using System.IdentityModel.Tokens.Jwt;
  using System.Security.Claims;
  using System.Text;
  using Microsoft.IdentityModel.Tokens;

  // Symmetric key shared with the gateway, which uses it to validate the signature.
  var authSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("SecureKeyRequiredforvalidationAdmin"));

  var authClaims = new[]
  {
      new Claim("UserName", UserName),
      new Claim("Role", Role)
  };

  var token = new JwtSecurityToken(
      issuer: "https://localhost:4416",
      audience: "https://localhost:4433/GatewayAPI",
      expires: DateTime.Now.AddDays(1),
      claims: authClaims,
      signingCredentials: new SigningCredentials(authSigningKey, SecurityAlgorithms.HmacSha256));

Authentication through gateway:

In the implementation below, API authentication with the JWT token is integrated into the API gateway (using Ocelot).

In the above screenshot, the authentication is implemented in the API gateway (Startup.cs), where the secure key is validated.

After secure key validation, access to an API can be restricted using the claims added to the JWT token.

With Ocelot, claim requirements can be added to the API routes in the Ocelot.json file, as shown in the screenshot below:

If more information needs to be sent to the downstream API, it can be done by adding claims from the token to the request headers using "AddHeadersToRequest".
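
The gateway setup described above, as an added example rather than the article's own code: Startup.cs validates the token's signature, issuer, audience and lifetime, and the ocelot.json route in the trailing comment requires the Role claim and forwards UserName as a header. The scheme key GatewayAuthKey, the route templates and the downstream host and port are assumptions, and Program.cs is assumed to load ocelot.json into configuration.

```csharp
// Added example, not the article's code. Assumed: scheme key, routes, downstream port.
using System;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using Ocelot.DependencyInjection;
using Ocelot.Middleware;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Same key the login API signs with; load it from configuration in real use.
        var key = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes("SecureKeyRequiredforvalidationAdmin"));
        services.AddAuthentication().AddJwtBearer("GatewayAuthKey", o =>
            o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true, IssuerSigningKey = key,
                ValidateIssuer = true, ValidIssuer = "https://localhost:4416",
                ValidateAudience = true, ValidAudience = "https://localhost:4433/GatewayAPI",
                ValidateLifetime = true, ClockSkew = TimeSpan.Zero // no grace period on exp
            });
        services.AddOcelot();
    }

    // Ocelot's pipeline authenticates each route against its AuthenticationProviderKey.
    public void Configure(IApplicationBuilder app) => app.UseOcelot().Wait();
}

/* ocelot.json route (hypothetical paths; the array is "ReRoutes" before Ocelot 16):
{
  "Routes": [ {
    "UpstreamPathTemplate": "/GatewayAPI/orders",
    "UpstreamHttpMethod": [ "Get" ],
    "DownstreamPathTemplate": "/api/orders",
    "DownstreamScheme": "https",
    "DownstreamHostAndPorts": [ { "Host": "localhost", "Port": 5001 } ],
    "AuthenticationOptions": { "AuthenticationProviderKey": "GatewayAuthKey" },
    "RouteClaimsRequirement": { "Role": "Admin" },
    "AddHeadersToRequest": { "UserName": "Claims[UserName] > value" }
  } ]
}
*/
```

A request without a valid token is rejected with 401 before routing, and a valid token whose Role claim is not Admin is rejected with 403.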
