Adding a custom header to the Swagger UI for API authentication

If your API calls need a custom HTTP header such as x-api-key and you want the Swagger UI to send it, add the code below to the Program.cs file of your .NET Core application.

using Microsoft.OpenApi.Models;
builder.Services.AddSwaggerGen(c =>
{
    // Declare the scheme: the key is sent in the x-api-key request header
    c.AddSecurityDefinition("ApiKey", new OpenApiSecurityScheme
    {
        Description = "The API Key to access the API",
        Type = SecuritySchemeType.ApiKey,
        Name = "x-api-key",
        In = ParameterLocation.Header,
        Scheme = "ApiKeyScheme"
    });
    var scheme = new OpenApiSecurityScheme
    {
        Reference = new OpenApiReference
        {
            Type = ReferenceType.SecurityScheme,
            Id = "ApiKey"
        },
        In = ParameterLocation.Header
    };
    var requirement = new OpenApiSecurityRequirement
    {
        { scheme, new List<string>() }
    };
    // Register the requirement so the UI attaches the header to requests
    c.AddSecurityRequirement(requirement);
});

On the Swagger UI, you will then see an Authorize button. Clicking it lets you enter the header value, which is then included in your requests.

Full code sample on GitHub -

Need a developer, architect or manager? I am available - email me at [email protected]

Implementing API Key Authentication in ASP.NET Core

Recently I was watching Nick Chapsas on YouTube and his tutorial on Implementing API Key Authentication in ASP.NET Core. He did a very nice job of explaining how to add checking for an HTTP header value to authenticate calls to your web API. He touched on adding support for minimal endpoints in .NET Core by creating a filter: specifically, a class ApiKeyEndpointFilter that returns TypedResults.Unauthorized if the x-api-key header is missing or invalid. This return type does not support a custom unauthorized message. To accomplish that, a new class is needed that implements IResult and IStatusCodeHttpResult. The class signature looks like: UnauthorizedHttpObjectResult : IResult, IStatusCodeHttpResult

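Once you implement it, you can use the following approach to use the filter:

// Inside ApiKeyEndpointFilter, when the header is missing:
return new UnauthorizedHttpObjectResult("API Key missing");

// In Program.cs, attach the filter to the minimal endpoint:
app.MapGet("/", () => "Welcome mini!")
    .AddEndpointFilter<ApiKeyEndpointFilter>();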

My full solution is available on GitHub:

See UnauthorizedHttpObjectResult.cs for the code needed to return a custom message. 
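
One way to write the result class and the filter described above. This is an added example, not the code from the GitHub solution or from the tutorial. It assumes an ASP.NET Core web project on .NET 7 or later with implicit usings; the configuration name "ApiKey" and the "Invalid API Key" message are assumptions.

```csharp
using System.Security.Cryptography;
using System.Text;

// Sets status 401 and writes a caller-supplied message as the response body.
public sealed class UnauthorizedHttpObjectResult : IResult, IStatusCodeHttpResult
{
    private readonly string _message;
    public UnauthorizedHttpObjectResult(string message) => _message = message;
    public int? StatusCode => StatusCodes.Status401Unauthorized;

    public async Task ExecuteAsync(HttpContext httpContext)
    {
        httpContext.Response.StatusCode = StatusCodes.Status401Unauthorized;
        httpContext.Response.ContentType = "text/plain; charset=utf-8";
        await httpContext.Response.WriteAsync(_message);
    }
}

// Endpoint filter that rejects requests without a valid x-api-key header.
public sealed class ApiKeyEndpointFilter : IEndpointFilter
{
    private readonly byte[] _expected;

    // Assumption: the key is stored under the configuration name "ApiKey".
    public ApiKeyEndpointFilter(IConfiguration config)
    {
        var key = config["ApiKey"];
        if (string.IsNullOrWhiteSpace(key))   // fail closed: never accept an empty key
            throw new InvalidOperationException("ApiKey is not configured");
        _expected = Encoding.UTF8.GetBytes(key);
    }

    public async ValueTask<object?> InvokeAsync(
        EndpointFilterInvocationContext context, EndpointFilterDelegate next)
    {
        if (!context.HttpContext.Request.Headers.TryGetValue("x-api-key", out var supplied))
            return new UnauthorizedHttpObjectResult("API Key missing");

        // Constant-time comparison: response timing does not reveal how much of the key matched.
        var candidate = Encoding.UTF8.GetBytes(supplied.ToString());
        if (!CryptographicOperations.FixedTimeEquals(candidate, _expected))
            return new UnauthorizedHttpObjectResult("Invalid API Key");

        return await next(context);
    }
}
```

Keep the key itself out of source control, for example in user secrets or an environment variable that the configuration system reads.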
