Edit on GitHub

Security Overview


See the Authentication and Authorization docs to learn about Authentication in ServiceStack which is encompassed by the high-level Overview:

Authentication Overview

ServiceStack uses a standard HTTP Session implementation which uses an Auth Repository to persist users and a Caching Provider to store Authenticated User Sessions:

Session Based Authentication

Once Authentication is established Session Cookies are used to reference a Users typed Authenticated User Session:

Session Requests

ServiceStack also supports Auth Providers that “Authenticate per request” where both Authentication and Validation are performed within the same request:

Auth with Request Auth Providers

Auth Providers

ServiceStack’s built-in Auth Providers fall into 3 main categories:

Credentials Auth Providers

If using ServiceStack to manage your Apps entire Authentication and persistence of Users you would use one of the available Auth Repositories and authenticate against one of the following Auth Providers:

Provider Class Name Route Description
Credentials CredentialsAuthProvider /auth/credentials Standard Authentication using Username/Password
Basic Auth BasicAuthProvider HTTP Basic Auth Username/Password sent via HTTP Basic Auth
Digest Auth DigestAuthProvider HTTP Digest Auth Username/Password hash via HTTP Digest Auth

OAuth Providers

The following OAuth Providers are built into ServiceStack and can be used in both ASP.NET Core and .NET Framework Apps:

Provider Class Name Route Create OAuth App Link
Facebook FacebookAuthProvider /auth/facebook developers.facebook.com/apps
Twitter TwitterAuthProvider /auth/twitter dev.twitter.com/apps
Google GoogleAuthProvider /auth/google console.developers.google.com
GitHub GithubAuthProvider /auth/github github.com/settings/applications/new
Microsoft MicrosoftGraphAuthProvider /auth/microsoftgraph apps.dev.microsoft.com
LinkedIn LinkedInAuthProvider /auth/linkedin www.linkedin.com/secure/developer
Yammer YammerAuthProvider /auth/yammer www.yammer.com/client_applications
Yandex YandexAuthProvider /auth/yandex oauth.yandex.ru/client/new
VK VkAuthProvider /auth/vkcom vk.com/editapp?act=create
Odnoklassniki OdnoklassnikiAuthProvider /auth/odnoklassniki www.odnoklassniki.ru/devaccess

IAuthWithRequest Auth Providers

The following Auth Providers all implement IAuthWithRequest and “Authenticate per-request”:

Provider Class Name Auth Method Description
JWT JwtAuthProvider Bearer Token Stateless Auth Provider using JSON Web Tokens
API Keys ApiKeyAuthProvider Bearer Token Allow 3rd Parties access to authenticate without a password
Basic Auth BasicAuthProvider Basic Auth Authentication using HTTP Basic Auth
Digest Auth DigestAuthProvider Digest Auth Authentication using HTTP Digest Auth

Other special Auth Providers that Authenticate per-request:

Additional documentation for specific Auth Providers:

ASP.NET Core Project Templates with integrated Auth

World Validation

See the annotated World Validation Docs for a detailed walks through and showcases the implementation of how the most popular Server HTML rendered approaches and Client UI rendered technologies use the same Authentication and Registration Services.

Live Demos

To illustrate Authentication integration with ServiceStack, see the authentication-enabled Live Demos below:

.NET Core


.NET Framework


See the Session docs for more info about customizing Sessions and handling different Session and Auth events.

Restricting Services

See the Restricting Services docs for learning how to control the Visibility and Access restrictions on any service using the [Restrict] attribute.

Community Resources