.NET 7 , minimal api with JWT token


I have been able to create a session with Stytch ( frontend blazor / backend .net 7 ). This using the magic link workflow.

When I pass the ‘Bearer’ token into the header. I am unable to read the claims on the endpoint.

Is there some of documentation howto setup the .NET api so I can use the claims ?

I also have fetched the secret from Stytch. But I am not sure what value of the secret responds to take ?

When will the .NET sdk will be available ?


Hey Filip – thanks for posting!

To make sure I understand correctly, when you say that you’re unable to read the claims, are you referring to the custom_claims object on the Stytch session JWT that you’re passing to your .NET backend?

Would you also mind expanding on your question about the Stytch secret? Are you referring to the Stytch API secret key, or something else? What are you trying to do with the secret?

We don’t have any near-term plans to build a .NET SDK, but I’ll raise that as a feature request with our team for future consideration!


So I am writing a rest API. I have a Get endpoint with attribute [Authorize]. I have done all JwtBearer config in the startup of the api.

   services.AddAuthentication(options =>
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        options =>
                var settings = Configuration.GetSection("Authentication").Get<AuthenticationSettings>();

                var key = Base64UrlEncoder.DecodeBytes(settings.Key);

                //options.Authority = "https://stytch.com/";
                options.ClaimsIssuer = "stytch.com/project-test-3e6f03c0-b67d-4e68-aab4-c07087c0205f";
                options.Audience = "project-test-3e6f03c0-b67d-4e68-aab4-c07087c0205f";
                options.SaveToken = true;
                options.RequireHttpsMetadata = false;

                options.TokenValidationParameters = new TokenValidationParameters()
                    ValidateIssuer = false,
                    ValidateAudience = false,
                    ValidateLifetime =  false,
                    ValidateIssuerSigningKey = false,
                    ValidIssuer = "stytch.com/project-test-3e6f03c0-b67d-4e68-aab4-c07087c0205f", /* settings.Schemes.Bearer.ValidIssuer,*/
                    ValidAudience = "project-test-3e6f03c0-b67d-4e68-aab4-c07087c0205f",                                      /* settings.Schemes.Bearer.ValidAudiences.FirstOrDefault(),*/
                    IssuerSigningKey = new SymmetricSecurityKey(key),

Now I get "Bearer error=“invalid_token”, error_description=“The signature key was not found” when I try to call the endpoint with Postman. I have added a bearertoken.

Do I need to pass the options.Authority (red)? Ifso with what value ?

Is it correct that i pass a IssuerSigningKey (red) with the “x5c” value that is in the jwtks responds ?

Thanks in advance !

Hey Filip,

Got it - thanks for providing that context and code snippet!

What’s the value of key in that code snippet? Is it the URL of our Get JWKS endpoint, or the value returned?

Looking through the docs for TokenValidationParameters(), it looks like the SecurityKey class set in the IssuerSigningKey parameter can be derived from an instance of the JsonWebKey Class. Depending on the answer to the above, would you mind trying to call our Get JWKS endpoint directly and creating an instance of JsonWebKey from the JSON returned, and passing a derived SecurityKey instance (from the JsonWebKey created) into the IssuerSigningKey parameter?