Security Overview

See the Authentication and Authorization docs to learn about Authentication in ServiceStack which is encompassed by the high-level Overview:

Authentication Overview

ServiceStack uses a standard HTTP Session implementation which uses an Auth Repository to persist users and a Caching Provider to store Authenticated User Sessions:

Session Based Authentication

Once Authentication is established Session Cookies are used to reference a Users typed Authenticated User Session:

Session Requests

ServiceStack also supports Auth Providers that "Authenticate per request" where both Authentication and Validation are performed within the same request:

Auth with Request Auth Providers

Auth Providers

ServiceStack's built-in Auth Providers fall into 3 main categories:

Credentials Auth Providers

If using ServiceStack to manage your Apps entire Authentication and persistence of Users you would use one of the available Auth Repositories and authenticate against one of the following Auth Providers:

Provider Class Name Route Description
Credentials CredentialsAuthProvider /auth/credentials Standard Authentication using Username/Password
Basic Auth BasicAuthProvider HTTP Basic Auth Username/Password sent via HTTP Basic Auth
Digest Auth DigestAuthProvider HTTP Digest Auth Username/Password hash via HTTP Digest Auth

OAuth Providers

The following OAuth Providers are built into ServiceStack and can be used in both ASP.NET Core and .NET Framework Apps:

Provider Class Name Route Create OAuth App Link
Facebook FacebookAuthProvider /auth/facebook
Twitter TwitterAuthProvider /auth/twitter
Google GoogleAuthProvider /auth/google
GitHub GithubAuthProvider /auth/github
Microsoft MicrosoftGraphAuthProvider /auth/microsoftgraph
LinkedIn LinkedInAuthProvider /auth/linkedin
Yammer YammerAuthProvider /auth/yammer
Yandex YandexAuthProvider /auth/yandex
VK VkAuthProvider /auth/vkcom
Odnoklassniki OdnoklassnikiAuthProvider /auth/odnoklassniki

More information about how OAuth providers works, see the video tutorial below.

IAuthWithRequest Auth Providers

The following Auth Providers all implement IAuthWithRequest and "Authenticate per-request":

Provider Class Name Auth Method Description
JWT JwtAuthProvider Bearer Token Stateless Auth Provider using JSON Web Tokens
API Keys ApiKeyAuthProvider Bearer Token Allow 3rd Parties access to authenticate without a password
Basic Auth BasicAuthProvider Basic Auth Authentication using HTTP Basic Auth
Digest Auth DigestAuthProvider Digest Auth Authentication using HTTP Digest Auth

Other special Auth Providers that Authenticate per-request:

  • Windows Auth in AspNetWindowsAuthProvider - Authentication using Windows Auth built into ASP.NET.
  • Claims Auth in NetCoreIdentityAuthProvider - Pass through Auth Provider that delegates to ASP.NET Core Identity Auth or Identity Server.

Additional documentation for specific Auth Providers:

ASP.NET Core Project Templates with integrated Auth

World Validation

See the annotated World Validation Docs for a detailed walks through and showcases the implementation of how the most popular Server HTML rendered approaches and Client UI rendered technologies use the same Authentication and Registration Services.

Live Demos

To illustrate Authentication integration with ServiceStack, see the authentication-enabled Live Demos below:

.NET Core


.NET Framework


See the Session docs for more info about customizing Sessions and handling different Session and Auth events.

Restricting Services

See the Restricting Services docs for learning how to control the Visibility and Access restrictions on any service using the [Restrict] attribute.

Community Resources