auth0

Auth0 ASP.NET Core API

by Auth0 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
78 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw
/install auth0-aspnetcore-api
Description
Use when securing ASP.NET Core Web API endpoints with JWT Bearer token validation, scope/permission checks, or stateless auth - integrates Auth0.AspNetCore.A...
README (SKILL.md)

Auth0 ASP.NET Core Web API Integration

Protect ASP.NET Core Web API endpoints with JWT access token validation using Auth0.AspNetCore.Authentication.Api.


Prerequisites

  • .NET 8.0 SDK or higher
  • Auth0 API configured (not Application - must be API resource)
  • If you don't have Auth0 set up yet, use the auth0-quickstart skill first

When NOT to Use

  • Server-rendered web applications - Use session-based auth (Auth0.AspNetCore.Authentication) for MVC/Razor Pages apps
  • Single Page Applications - Use auth0-react, auth0-vue, or auth0-angular for client-side auth
  • Mobile applications - Use auth0-react-native for React Native/Expo
  • Blazor WebAssembly - Requires different auth approach (OIDC client-side)

Quick Start Workflow

1. Install SDK

dotnet add package Auth0.AspNetCore.Authentication.Api

2. Create Auth0 API

You need an API (not Application) in Auth0.

STOP — ask the user before proceeding.

Ask exactly this question and wait for their answer before doing anything else:

"How would you like to create the Auth0 API resource?

  1. Automated — I'll run Auth0 CLI scripts that create the resource and write the exact values to your appsettings.json automatically.
  2. Manual — You create the API yourself in the Auth0 Dashboard (or via auth0 apis create) and provide me the Domain and Audience.

Which do you prefer? (1 = Automated / 2 = Manual)"

Do NOT proceed to any setup steps until the user has answered. Do NOT default to manual.

If the user chose Automated, follow the Setup Guide for complete CLI scripts. The automated path writes appsettings.json for you — skip Step 3 below and proceed directly to Step 4.

If the user chose Manual, follow the Setup Guide (Manual Setup section) for full instructions including User Secrets and environment variable options. Then continue with Step 3 below.

Quick reference for manual API creation:

# Using Auth0 CLI
auth0 apis create \
  --name "My ASP.NET Core API" \
  --identifier https://my-api.example.com

Or create manually in Auth0 Dashboard → Applications → APIs

3. Configure appsettings.json

{
  "Auth0": {
    "Domain": "your-tenant.auth0.com",
    "Audience": "https://my-api.example.com"
  }
}

Important: Domain must NOT include https://. The library constructs the authority URL automatically.

4. Configure Program.cs

using Auth0.AspNetCore.Authentication.Api;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Register Auth0 JWT validation
builder.Services.AddAuth0ApiAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"];
    options.JwtBearerOptions = new JwtBearerOptions
    {
        Audience = builder.Configuration["Auth0:Audience"]
    };
});

builder.Services.AddAuthorization();

var app = builder.Build();

// Middleware order matters: authentication before authorization
app.UseAuthentication();
app.UseAuthorization();

// Add your endpoints here (see Step 5)
app.MapGet("/api/public", () => Results.Ok(new { message = "Public" }));

app.Run();

5. Protect Endpoints

Minimal API:

// Public endpoint - no authentication
app.MapGet("/api/public", () => Results.Ok(new { message = "Hello from a public endpoint!" }));

// Protected endpoint - requires valid JWT
app.MapGet("/api/private", (HttpContext ctx) =>
{
    var userId = ctx.User.FindFirst("sub")?.Value;
    return Results.Ok(new { message = "Hello from a protected endpoint!", userId });
}).RequireAuthorization();

Controller-based:

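using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Controllers also need builder.Services.AddControllers() and app.MapControllers() in Program.cs
[ApiController]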
[Route("api")]
public class MessagesController : ControllerBase
{
    [HttpGet("public")]
    public IActionResult Public() =>
        Ok(new { message = "Hello from a public endpoint!" });

    [Authorize]
    [HttpGet("private")]
    public IActionResult Private() =>
        Ok(new { message = "Hello from a protected endpoint!", userId = User.FindFirst("sub")?.Value });
}

6. Test API

Test public endpoint:

curl http://localhost:5000/api/public

Test protected endpoint (requires access token):

curl http://localhost:5000/api/private \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Get a test token via Client Credentials flow or Auth0 Dashboard → APIs → Test tab.


Common Mistakes

| Mistake | Fix |
|---|---|
| Domain includes https:// | Use your-tenant.auth0.com format only - no scheme prefix |
| Audience doesn't match API Identifier | Must exactly match the API Identifier set in Auth0 Dashboard |
| Created Application instead of API in Auth0 | Must create API resource in Auth0 Dashboard → Applications → APIs |
| Wrong middleware order | UseAuthentication() must come before UseAuthorization() |
| Using ID token instead of access token | Must use access token for API auth, not ID token |
| HTTPS certificate errors locally | Run dotnet dev-certs https --trust |
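
When the protected endpoint returns 401, three of the mistakes above (scheme in Domain, audience mismatch, ID token sent instead of an access token) can be told apart by comparing the token's iss and aud claims with the configured values. The console program below is an added example, not part of the skill or the Auth0 SDK; TokenDiagnostics, the sample token and SAMPLE_CLIENT_ID are constructed for illustration, and .NET implicit usings are assumed.

```csharp
using System.Text;
using System.Text.Json;

// Constructed sample: an unsigned token whose "aud" is a client ID, as in an ID token.
static string B64Url(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
    .TrimEnd('=').Replace('+', '-').Replace('/', '_');
var sample = B64Url("{\"alg\":\"RS256\"}") + "." + B64Url(
    "{\"iss\":\"https://your-tenant.auth0.com/\",\"aud\":\"SAMPLE_CLIENT_ID\"}") + ".";

foreach (var f in TokenDiagnostics.Check(
    sample, "https://your-tenant.auth0.com", "https://my-api.example.com"))
    Console.WriteLine(f);

// Hypothetical helper. Reads claims WITHOUT verifying the signature:
// a troubleshooting aid only, never an authorization decision.
public static class TokenDiagnostics
{
    public static List<string> Check(string token, string domain, string audience)
    {
        var findings = new List<string>();
        if (domain.Contains("://"))
        {
            findings.Add("Auth0:Domain includes a scheme; use the bare host name.");
            domain = domain[(domain.IndexOf("://", StringComparison.Ordinal) + 3)..];
        }
        var expectedIss = $"https://{domain.TrimEnd('/')}/";

        var parts = token.Split('.');
        if (parts.Length != 3) { findings.Add("Token is not a three-segment JWT."); return findings; }

        // Base64url -> Base64: restore the alphabet and the stripped padding.
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        var root = doc.RootElement;

        var iss = root.TryGetProperty("iss", out var i) ? i.GetString() : null;
        if (iss != expectedIss)
            findings.Add($"iss '{iss}' does not match {expectedIss}");

        // "aud" may be a single string or an array of strings.
        var auds = root.TryGetProperty("aud", out var a)
            ? (a.ValueKind == JsonValueKind.Array
                ? a.EnumerateArray().Select(e => e.GetString()).ToList()
                : new List<string?> { a.GetString() })
            : new List<string?>();
        if (!auds.Contains(audience))
            findings.Add($"aud [{string.Join(", ", auds)}] lacks '{audience}': ID token or wrong API Identifier?");
        return findings;
    }
}
```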

Scope-Based Authorization

See Integration Guide for defining and enforcing scope policies.


DPoP Support

Built-in proof-of-possession token binding per RFC 9449. See Integration Guide for configuration.


Related Skills

  • auth0-quickstart - Basic Auth0 setup
  • auth0-mfa - Add Multi-Factor Authentication

Quick Reference

Configuration Options:

  • options.Domain - Auth0 tenant domain, no https:// prefix (required)
  • options.JwtBearerOptions.Audience - API Identifier from Auth0 API settings (required)
  • options.JwtBearerOptions - Full access to underlying Microsoft JWT Bearer options

User Claims:

  • ctx.User.FindFirst("sub")?.Value - User ID (subject)
  • ctx.User.FindFirst("scope")?.Value - Space-separated scopes
  • ctx.User.FindAll("scope") - All scope claims

Common Use Cases:

  • Protect Minimal API routes → .RequireAuthorization() (see Step 5)
  • Protect controller actions → [Authorize] attribute (see Step 5)
  • Scope enforcement → Integration Guide
  • DPoP token binding → Integration Guide
  • Advanced JWT Bearer config → API Reference

Detailed Documentation

  • Setup Guide - Auth0 CLI setup, environment configuration
  • Integration Guide - Scope policies, DPoP, controller patterns, error handling
  • API Reference - Complete configuration options and extension methods


Usage Guidance
This skill appears coherent and focused on configuring Auth0 for ASP.NET Core APIs. Before using the automated path, confirm you want the Auth0 CLI to log in and create API resources and to write values into your appsettings.json (review and commit/backup changes). Prefer the manual path if you want to create the API and paste Domain/Audience yourself. Never paste or share long-lived client_secrets unless needed for a specific token exchange, and verify you trust the source (check the official Auth0 docs or the NuGet package for Auth0.AspNetCore.Authentication.Api) before running CLI commands that authenticate to your tenant.
Capability Analysis
Type: OpenClaw Skill
Name: auth0-aspnetcore-api
Version: 1.0.0

The skill bundle provides legitimate instructions and code samples for integrating Auth0 authentication into ASP.NET Core Web APIs using the official 'Auth0.AspNetCore.Authentication.Api' package. It includes a structured workflow in SKILL.md that explicitly requires the agent to wait for user consent before executing CLI commands or modifying configuration files, and the provided code snippets follow standard security practices for JWT validation and scope-based authorization.
Capability Tags
requires-oauth-token, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name/description (Auth0 ASP.NET Core API) match the SKILL.md and reference docs: instructions focus on installing the Auth0 SDK, creating an Auth0 API resource, configuring Domain/Audience, adding middleware, and enforcing scopes. No unrelated services, binaries, or credentials are requested.
Instruction Scope
Runtime instructions stay on-topic: package installation, Program.cs changes, appsettings.json or environment variable configuration, and optional use of the Auth0 CLI. The skill explicitly requires asking the user before running the automated path. The automated path may run CLI commands and write values to appsettings.json (expected for setup) but does not instruct reading unrelated files or exfiltrating data.
Install Mechanism
This is an instruction-only skill (no install spec). The only installs it suggests are normal developer tooling (dotnet add package, optional Auth0 CLI). Nothing is downloaded from untrusted URLs or installed silently by the skill itself.
Credentials
No required environment variables or credentials are declared. The docs show standard options (Auth0__Domain, Auth0__Audience, and examples that mention client_id/client_secret for token retrieval), which are proportional to obtaining test tokens and configuring the SDK.
Persistence & Privilege
always:false (no forced inclusion). The skill suggests commands that may modify the project's appsettings.json if you choose the automated path, but it explicitly instructs to ask the user first. Autonomous invocation is allowed by platform default but not combined with other concerning privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install auth0-aspnetcore-api
  3. After installation, invoke the skill by name or use /auth0-aspnetcore-api
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
auth0-aspnetcore-api 1.0.0 initial release

  • Guides users through protecting ASP.NET Core Web API endpoints using Auth0 JWT access token validation.
  • Supports both Automated and Manual Auth0 API resource setup flows (with user prompt).
  • Covers configuration steps for appsettings.json and Program.cs, including middleware ordering.
  • Provides documented examples for both Minimal API and Controller-based route protection.
  • Includes troubleshooting steps for common setup mistakes and usage tips for scope enforcement and DPoP.
  • Links to detailed integration, setup, and API reference guides.
Metadata
Slug auth0-aspnetcore-api
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Auth0 ASP.NET Core API?

Use when securing ASP.NET Core Web API endpoints with JWT Bearer token validation, scope/permission checks, or stateless auth - integrates Auth0.AspNetCore.A... It is an AI Agent Skill for Claude Code / OpenClaw, with 78 downloads so far.

How do I install Auth0 ASP.NET Core API?

Run "/install auth0-aspnetcore-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Auth0 ASP.NET Core API free?

Yes, Auth0 ASP.NET Core API is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Auth0 ASP.NET Core API support?

Auth0 ASP.NET Core API is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Auth0 ASP.NET Core API?

It is built and maintained by Auth0 (@auth0); the current version is v1.0.0.
