
Getting started (.NET)

ArrowLabs.Auth.Client is the .NET client for the platform — JWT bearer validation, an OAuth client, and a hosted event consumer for ASP.NET Core. Targets net10.0.

dotnet add package ArrowLabs.Auth.Client

Register the scheme and add the standard auth middleware. AddArrowLabsAuth configures ASP.NET Core’s JWT bearer handler with Authority = BaseUrl — it discovers the OpenID metadata, resolves the JWKS endpoint, and handles key fetch/caching/rotation. Tokens are validated offline (RS256 only, plus iss/aud/exp).

using System.Security.Claims;
using ArrowLabs.Auth.Client;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddArrowLabsAuth(options =>
{
    options.BaseUrl = "https://api.arrowlabs.co.uk"; // your auth API base URL
    options.Audience = "your-client-id"; // the aud your tokens are minted for
});
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (ClaimsPrincipal user) => new
{
    userId = user.GetUserId(),
    org = user.GetOrgSlug(),
    roles = user.GetRoles(),
}).RequireAuthorization();
app.Run();

When developing locally against a non-HTTPS auth API, allow plain-HTTP metadata. Leave RequireHttpsMetadata at its default everywhere else:

builder.Services.AddArrowLabsAuth(options =>
{
    options.BaseUrl = "http://localhost:5116";
    options.Audience = "your-client-id";
    options.RequireHttpsMetadata = false; // ONLY for local dev
});

Standard [Authorize] works out of the box; roles map from the roles claim:

[Authorize] // any authenticated caller
[Authorize(Roles = "admin")] // requires the "admin" role
public class ReportsController : ControllerBase { }

Typed ClaimsPrincipal extensions read the platform claims so you don’t hand-parse strings:

string? userId = User.GetUserId(); // sub
string? orgId = User.GetOrgId(); // org_id
string? orgSlug = User.GetOrgSlug(); // org
string? email = User.GetEmail(); // email
IReadOnlyList<string> roles = User.GetRoles(); // roles (empty if none)
IReadOnlyList<string> appAccess = User.GetAppAccess(); // app_access (empty if none)

User.Identity.Name is the user id (the sub claim).
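
The typed claim helpers above can also drive authorization policies and per-tenant checks. The following is an added example, not code from the ArrowLabs documentation; the policy name "ReportsApp", the "reports" app_access value, the /orgs/{orgSlug}/reports route, and the case-sensitive slug comparison are assumptions made for illustration.

```csharp
using System.Security.Claims;
using ArrowLabs.Auth.Client;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddArrowLabsAuth(options =>
{
    options.BaseUrl = "https://api.arrowlabs.co.uk"; // your auth API base URL
    options.Audience = "your-client-id";             // the aud your tokens are minted for
});

// Policy name and the "reports" app_access value are assumptions for this example.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ReportsApp", policy => policy
        .RequireAuthenticatedUser()
        // GetAppAccess() returns an empty list when the claim is absent,
        // so a token without app_access fails closed here.
        .RequireAssertion(ctx => ctx.User.GetAppAccess().Contains("reports")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical tenant-scoped route: the org slug in the URL is caller-supplied input.
app.MapGet("/orgs/{orgSlug}/reports", (string orgSlug, ClaimsPrincipal user) =>
{
    // Signature, iss, aud and exp checks prove the token is genuine, not that the
    // caller belongs to the org named in the path. Compare against the org claim.
    // GetOrgSlug() may return null; string.Equals then yields false and we forbid.
    if (!string.Equals(orgSlug, user.GetOrgSlug(), StringComparison.Ordinal))
    {
        return Results.Forbid();
    }

    return Results.Ok(new
    {
        org = orgSlug,
        requestedBy = user.GetUserId(),
        canEdit = user.GetRoles().Contains("admin"),
    });
}).RequireAuthorization("ReportsApp");

app.Run();
```

The policy rejects callers without the app entitlement before the handler runs, and the in-handler comparison stops an authenticated user of one org from reading another org's data by editing the URL.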

  • Running the OAuth flow server-side? → OAuth client
  • Consuming platform events? → Events