Tutorials Blazor Architecture & Enterprise Patterns

Securing APIs: JWT and Managed Identity in Blazor

On this page

The Secure Network

Passing tokens from your Blazor client to your secure backend API requires a clean, automated strategy.

1. JWT Bearer Tokens

The standard way to secure public APIs. Your Blazor app sends the token in the Authorization: Bearer <token> header. Use a custom DelegatingHandler for your HttpClient to automatically attach the token to every outgoing request. This keeps your UI components clean of security boilerplate.

2. Managed Identity

If your Blazor app is running in Azure (App Service or Static Web Apps), you should use **Managed Identity**. This allows your app to authenticate with other Azure services (like Key Vault or SQL Database) WITHOUT needing to store any secrets or connection strings in your code. Azure handles the rotation and security of the identity for you.

3. Architect Insight

Q: "Where should I store the JWT?"

Architect Answer: "In Blazor WASM, use **LocalStorage** or an **Http-Only Cookie**. Cookies are more secure because they are protected from XSS attacks. If you use LocalStorage, you must be extremely vigilant about XSS vulnerabilities. In Blazor Server, the token should stay on the server side (in a cookie) and never be sent to the browser at all."

Questions on this lesson 0

Sign in to ask a question or upvote helpful answers.

No questions yet — be the first to ask!

Blazor Architecture & Enterprise Patterns
Course syllabus
1. Blazor Foundations
2. Component Architecture
3. Data & State Management
4. SignalR & Interactivity
5. Security & Data Protection
6. Advanced Performance
7. Testing & CI/CD
8. The Blazor Architect's Case Study
Toolliyo Assistant
Ask about tutorials, ebooks, training, pricing, mentor services, and support. I use public site content only—not admin or internal tools.

care@toolliyo.com

Need callback? Share your details