Tutorials SignalR & Real-Time .NET Applications

Authentication & Authorization in SignalR

On this page

Securing the Stream

You don't want strangers listening to your real-time private messages. Securing a SignalR Hub is very similar to securing a Web API.

1. Adding the [Authorize] Attribute

Just like an MVC Controller, you can place [Authorize] on your Hub class or specific Hub methods. This forces SignalR to check the user's identity before allowing them to connect or call a method.

2. JWT in WebSockets

WebSockets don't support custom headers in the initial handshake in some browsers. To solve this, SignalR passes the JWT token in a **Query String** (?access_token=...). On the server, you must configure the JWT Bearer options to read the token from the query string instead of the Authorization header.

3. Architect Insight

Q: "Can I use external auth like Google with SignalR?"

Architect Answer: "YES. Since SignalR uses the same authentication middleware as the rest of ASP.NET Core, any logged-in user (via Cookies or JWT) will be automatically recognized by the Hub. Their Context.User property will be fully populated with all their claims, exactly like in a standard API request."

Questions on this lesson 0

Sign in to ask a question or upvote helpful answers.

No questions yet — be the first to ask!

SignalR & Real-Time .NET Applications
Course syllabus
1. SignalR Core
2. Managing Users & Groups
3. Scaling SignalR
4. Advanced Communication
Toolliyo Assistant
Ask about tutorials, ebooks, training, pricing, mentor services, and support. I use public site content only—not admin or internal tools.

care@toolliyo.com

Need callback? Share your details