Asp.NET Core 2.0 WebApi JWT Authentication with Identity & MySQL

Recently I was configuring JWT authentication using Asp.NET Core 2.0 but with the latest update from 1.0 to 2.0, there was no tutorial or documentation, so I’m sharing.

In this post, we will use Entity Framework Core with MySQL, and Identity with JWT. So, it will be a little long post.

If you don’t know what is JWT, check this introduction.


The source project is available at github:

Let’s create a new project for our WebApiJwt example project:

# mkdir WebApiJwt

# cd WebApiJwt

# dotnet new webapi

Our project will be created in a few secs.

First, we will start with connecting MySQL to our application, but before that open the project using your preferred IDE, I’ll use Rider since I’m on a Mac OS.

Step 1

Create a database named webapijwt in MySQL.

Step 2

Add Entity Framework Core and MySQL dependencies, our new .csproj file will look like this:

Step 3

Create a directory named Entities in our project and create ApplicationDbContext.cs file in it:

This basically extends IdentityDbContext and we don’t have to create manually necessary tables in our database.

Step 4

Configure our ApplicationDbContext in Startup.cs file, it will look like this:

Now, when you run the application you will see these tables are created automatically:

Image for post
Image for post

Step 5

Now our Identity should work. Let’s configure JWT authentication

In ConfigureServices() method, add jwt stuff after adding identity, so new Startup file is:

We used Configuration[“JwtIssuer”] and Configuration[“JwtKey”] when adding JWT, so let’s add these key & values to appsettings.json:

"JwtIssuer": "",
"JwtExpireDays": 30

Step 6

Create a controller named AccountController for authentication that will contain /Account/Login and /Account/Register endpoints. It will produce JWT tokens using our GenerateJwtToken(…) method when login and register operation succeed:

Step 7

Lets test our Register method using curl:

Now, it should response something like that:


The returned token should be stored by your client application and will send all requests with HTTP header Authorization:

Authorization: Bearer eyJhbGciOiJI…

This is up to you how you store your token. For example, in Android you may save it in SharedPreferences and assign to HTTP requests or you can use localStorage with the web.

Step 8

Create a protected are for only signed in users using Authorize attribute:

public async Task<object> Protected()
return "Protected area";

When you do a GET request without a correct token, you will get an HTTP 401 error. But if you do a correct request, it will work as expected:


In this tutorial, we configured Entity Framework Core with Identity and added JWT Authentication using Asp.NET Core 2.0 Web Api. I also used dependency injection for example when creating AccountController.

Shameless plug: follow me on twitter and check my new project Landly (a landing page generator). Also, I promise I will start tweeting. :)

Written by

Software Engineer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store