Configuration
ASP.NET JWT Auth reads the Auth section from appsettings.json. The section is bound to AuthSettings during AddApiAuth, and AddJwtBearerAuthentication reads the same section when it configures JWT bearer validation.
{
  "Auth": {
    "Issuer": "https://auth.example.com",
    "Secret": "replace-with-a-long-random-secret",
    "Hours": 1,
    "RefreshTokenDays": 30,
    "LocalhostApp": "localhost",
    "Hosts": {
      "api.example.com": "api",
      "admin.example.com": "admin"
    }
  }
}

Fields
Issuer: string
The exact issuer value expected in incoming JWT access tokens.
Secret: string
The symmetric signing secret used to validate incoming JWTs. Use a long secret and keep it outside source control for real environments.
Hours: int
The access-token lifetime in hours. The package exposes this value through AuthSettings; token creation code can use it when issuing access tokens.
RefreshTokenDays: int
The refresh-token cookie lifetime in days. Pass this value to SetRefreshTokenCookie when writing the refresh-token cookie.
LocalhostApp: string?
The application audience to use when a request arrives on localhost.
Default: null
Hosts: Dictionary<string, string>
Map of request host names to application audience names. During token validation, the package resolves the current host to an app name and requires the JWT audience to contain that app.
Default: []
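
The host-to-audience rule described for Hosts and LocalhostApp, as an added sketch that is not the package's own code. HostAudienceSettings, ResolveApp and AudienceAllowed are hypothetical names, and ignoring the port and comparing host names case-insensitively are assumptions:

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for the two AuthSettings fields used here (not the package's type).
public sealed record HostAudienceSettings(string? LocalhostApp, Dictionary<string, string> Hosts);

public static class HostAudienceCheck
{
    // Resolve a request host to an app name; null means no app is configured for it.
    public static string? ResolveApp(HostAudienceSettings s, string requestHost)
    {
        // Assumption: the port is ignored and host names compare case-insensitively.
        var host = requestHost.Split(':')[0].Trim();
        if (host.Equals("localhost", StringComparison.OrdinalIgnoreCase)) return s.LocalhostApp;
        foreach (var (name, app) in s.Hosts)
            if (name.Equals(host, StringComparison.OrdinalIgnoreCase)) return app;
        return null; // unknown host: fail closed
    }

    // Accept only when the token's audiences contain the app resolved for this host.
    public static bool AudienceAllowed(HostAudienceSettings s, string requestHost, IEnumerable<string> audiences)
    {
        var app = ResolveApp(s, requestHost);
        return app is not null && audiences.Contains(app, StringComparer.Ordinal);
    }
}

public static class Program
{
    public static void Main()
    {
        // Same values as the sample appsettings.json above.
        var settings = new HostAudienceSettings("localhost", new Dictionary<string, string>
        {
            ["api.example.com"] = "api",
            ["admin.example.com"] = "admin",
        });
        // Constructed cases: request host and the audiences carried by the token.
        var cases = new (string Host, string[] Aud)[]
        {
            ("api.example.com", new[] { "api" }),
            ("admin.example.com", new[] { "api" }),            // token issued for another app
            ("admin.example.com:443", new[] { "api", "admin" }),
            ("localhost:5001", new[] { "localhost" }),
            ("unknown.example.com", new[] { "api", "admin" }), // host missing from Hosts
        };
        foreach (var (host, aud) in cases)
            Console.WriteLine(host + " [" + string.Join(",", aud) + "] -> "
                + (HostAudienceCheck.AudienceAllowed(settings, host, aud) ? "accept" : "reject"));
    }
}
```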