Authorizing REST service using an API key

It’s quite common to use an API key as a means to authorize a REST service. The first step is to add a message handler in the Application_Start event of Global.asax:

protected void Application_Start()
GlobalConfiguration.Configuration.MessageHandlers.Add(new AuthorizationHeaderHandler());

The AuthorizationHandler.cs file is contained in the App_Start folder. On initialization the apiKey and apiKeyEnabled setting are read from the the WebApp AppSettings. If apiKeyEnabled=true and the client doesn’t want to get the metadata (Swagger), then the apiKey is retrieved from the X-Apikey header and compared with the value in the AppSettings. That’s basically it.

using Microsoft.Azure;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

namespace Client.Entities._4PSTrigger.App_Start
public class AuthorizationHeaderHandler : DelegatingHandler
private static string _apiKey;
private static bool _apiKeyEnabled;

public AuthorizationHeaderHandler()
if (string.IsNullOrEmpty(_apiKey))
_apiKey = CloudConfigurationManager.GetSetting(“apikey”).ToUpperInvariant();
_apiKeyEnabled = Convert.ToBoolean(CloudConfigurationManager.GetSetting(“apikeyenabled”));
protected override Task<HttpResponseMessage> SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
if (!request.RequestUri.AbsoluteUri.ToLowerInvariant().Contains(“swagger”) && _apiKeyEnabled)
IEnumerable<string> apiKeyHeaderValues = null;
if (request.Headers.TryGetValues(“X-ApiKey”, out apiKeyHeaderValues))
var apiKeyHeaderValue = apiKeyHeaderValues.First();

//Set ClaimSet
var username = (apiKeyHeaderValue == _apiKey ? “ApiManagement” : “OtherUser”);

var usernameClaim = new Claim(ClaimTypes.Name, username);
var identity = new ClaimsIdentity(new[] { usernameClaim }, “ApiKey”);
var principal = new ClaimsPrincipal(identity);

Thread.CurrentPrincipal = principal;
var response = request.CreateErrorResponse(HttpStatusCode.Forbidden, ” { Error : Api-Key is missing} “);

var tsc = new TaskCompletionSource<HttpResponseMessage>();
tsc.SetResult(response); // Also sets the task state to “RanToCompletion”
return tsc.Task;
return base.SendAsync(request, cancellationToken);