Designing Secure REST APIs with C# and JSON Web Tokens
Keywords: REST API security, ASP.NET Core, authentication, authorization, token governance, cryptographic algorithms

Abstract
The security of contemporary distributed systems relies heavily on effective authentication practices, particularly as organizations expand their use of cloud-native and service-oriented architectures. JSON Web Tokens (JWT) have become a widely adopted solution for stateless authentication due to their portability, scalability, and cross-platform flexibility. However, empirical studies and industry reports consistently reveal that JWT implementations remain vulnerable when misconfigured, exposed to weak cryptographic practices, or integrated without adequate lifecycle controls. This study examines the secure design of REST APIs implemented in C# using ASP.NET Core, focusing on the correct application of JWT for authentication and authorization. Through a structured review of peer-reviewed literature and established security standards, the research identifies prevailing challenges in token signing, storage, revocation, and mitigation of token-based attacks. A prototype REST API is developed to evaluate the performance and security behaviour of alternative cryptographic algorithms and revocation methods within the .NET environment. The findings indicate that secure JWT usage requires not only the selection of robust algorithms but also the consistent enforcement of token governance policies and defensive implementation techniques. The study contributes a practical and evidence-based design framework for developers seeking to implement secure authentication in C# environments. The research concludes by outlining emerging gaps and recommending future directions, including improved revocation mechanisms and exploration of alternative token formats.
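As an added example, not code from the study's prototype, the following ASP.NET Core minimal API applies the controls the abstract names: a pinned signing algorithm, strict issuer, audience and lifetime validation, and jti-based revocation checked on every request. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package; the issuer URL, audience name and public-key file are placeholder values.

```csharp
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
var builder = WebApplication.CreateBuilder(args);
// Constructed in-memory denylist (jti -> token expiry); production needs a store shared by all instances.
var revokedJti = new ConcurrentDictionary<string, DateTime>();
// Assumed placeholders: the issuer's RSA public key file, issuer URL and audience name.
var issuerKey = RSA.Create();
issuerKey.ImportFromPem(File.ReadAllText("issuer-public.pem"));
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = "https://issuer.example",
            ValidateAudience = true, ValidAudience = "orders-api",
            ValidateLifetime = true, RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromSeconds(30), // library default is 5 minutes
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new RsaSecurityKey(issuerKey),
            // Pin the accepted algorithm (RFC 8725 s3.1): alg=none or an HMAC alg is rejected here.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
        };
        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = ctx => // signature, issuer, audience, lifetime already verified
            {
                var jti = ctx.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                if (jti is null || revokedJti.ContainsKey(jti)) ctx.Fail("token has no jti or is revoked");
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/orders", () => Results.Ok("protected resource")).RequireAuthorization();
// Logout denylists the presented token's jti until its exp; entries past exp can then be purged.
app.MapPost("/logout", (HttpContext http) =>
{
    var jti = http.User.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
    var exp = long.Parse(http.User.FindFirst(JwtRegisteredClaimNames.Exp)!.Value); // exp is required above
    if (jti is not null) revokedJti[jti] = DateTimeOffset.FromUnixTimeSeconds(exp).UtcDateTime;
    return Results.NoContent();
}).RequireAuthorization();
app.Run();
```

A token presented after logout passes signature and lifetime checks but is rejected in OnTokenValidated, which is the revocation gap the abstract refers to; a denylist shared across instances (or short-lived tokens with refresh) is needed for this to hold in a multi-node deployment.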