Identity Validator - Quick Start

Maturity: Stable

This module is stable and recommended for production use.

Which module do I need?
  • Identity Validator (this guide): Your API already receives JWTs and only needs validation.
  • Identity Broker: You need login UI + secure cookie sessions for a browser app (BFF). See Identity Broker Overview.

See also: Identity Validator Overview for packages, OIDC/JWT options, and Node.js examples.

Get JWT authentication working in your .NET API in under 5 minutes with the simplest local JWT setup.

Complete Data Isolation

Primus Identity Validator runs entirely within your application. No tokens, user data, or credentials are ever transmitted to Primus servers. All JWT validation happens locally using your configured identity providers' public keys.


1. Install Package

dotnet add package PrimusSaaS.Identity.Validator   # NuGet

2. Add Using Statement

using Microsoft.AspNetCore.Authorization;
using PrimusSaaS.Identity.Validator;
using PrimusSaaS.Identity.Validator.Diagnostics;

3. Register in Program.cs

Minimal setup (local JWT only):

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddPrimusIdentity(opts =>
    builder.Configuration.GetSection("PrimusIdentity").Bind(opts));
builder.Services.AddAuthorization();
builder.Services.AddHttpClient();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseAuthentication();
app.UseAuthorization();

// Diagnostics endpoint (dev only)
app.MapPrimusIdentityDiagnostics();

app.MapGet("/public", () => "public ok");
app.MapGet("/secure", [Authorize] () => "secure ok")
    .RequireAuthorization();

app.Run();

4. Configure appsettings.json (local dev)

Keep secrets in User Secrets/Key Vault, not in source control.

{
  "PrimusIdentity": {
    "RequireHttpsMetadata": true,
    "ValidateLifetime": true,
    "ClockSkew": "00:05:00",
    "Issuers": [
      {
        "Name": "LocalDev",
        "Type": "Jwt",
        "Issuer": "https://localhost:5001",
        "Secret": "your-32-character-minimum-secret-key-here-1234",
        "Audiences": ["api://local-dev"]
      }
    ],
    "Diagnostics": {
      "EnableDetailedErrors": true,
      "IncludeTokenHintsInChallenges": true,
      "IncludeDebugHeaders": true,
      "LogTokenRejectionReasons": true,
      "MaxRecentFailures": 50,
      "AutoDetectDevelopment": true
    }
  }
}

5. Test It

# Start your API
dotnet run

# Test unprotected endpoint
curl http://localhost:xxxx/public

# Test protected endpoint (will return 401 without token)
curl http://localhost:xxxx/secure

# Test with token
curl http://localhost:xxxx/secure -H "Authorization: Bearer YOUR-JWT-TOKEN"
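
To get a value for YOUR-JWT-TOKEN, the script below mints a short-lived token that matches the LocalDev issuer from step 4. It is an added example, not code from Primus; the helper names are hypothetical, and it assumes the validator accepts HS256 with the configured Secret string's UTF-8 bytes as the HMAC key.

```shell
#!/bin/sh
# Added example (not Primus code): mint a short-lived test token for the
# "LocalDev" issuer in appsettings.json. Helper names are hypothetical.
# Assumptions: the validator accepts HS256 and uses the configured Secret
# string's UTF-8 bytes as the HMAC key; claims beyond iss/aud/exp may be needed.

# base64url without padding, as JWT segments require (RFC 7515)
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '=\n'; }

# mint_dev_jwt SECRET ISSUER AUDIENCE [TTL_SECONDS] [SUBJECT]
# Runs in a subshell "( )" so its variables do not leak into the caller.
# Inputs are pasted into JSON unescaped: use plain dev values only.
mint_dev_jwt() (
  secret=$1; iss=$2; aud=$3; ttl=${4:-300}; sub=${5:-dev-user}
  now=$(date +%s)
  exp=$((now + ttl))
  header=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"%s","aud":"%s","sub":"%s","iat":%d,"nbf":%d,"exp":%d}' \
    "$iss" "$aud" "$sub" "$now" "$now" "$exp" | b64url)
  # Signature covers "header.payload" exactly as transmitted
  sig=$(printf '%s' "$header.$payload" |
    openssl dgst -sha256 -hmac "$secret" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
)

# Usage against the endpoints from step 5 (values mirror appsettings.json;
# DEV_SECRET holds the configured Secret):
#   TOKEN=$(mint_dev_jwt "$DEV_SECRET" https://localhost:5001 api://local-dev)
#   curl http://localhost:xxxx/secure -H "Authorization: Bearer $TOKEN"
# Negative checks, each expected to be rejected with 401:
#   wrong key:      mint_dev_jwt "some-other-secret" https://localhost:5001 api://local-dev
#   wrong audience: mint_dev_jwt "$DEV_SECRET" https://localhost:5001 api://other
#   expired beyond the 5-minute ClockSkew:
#                   mint_dev_jwt "$DEV_SECRET" https://localhost:5001 api://local-dev -600
```

The secret is passed on the openssl command line, so it is visible in the local process list while the command runs; use this only with the local dev secret.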

That's It!

You now have JWT authentication working locally. Your API:

  • Validates JWT tokens signed with your local dev secret
  • Returns 401 for invalid/missing tokens
  • Works with standard [Authorize]
  • Ships with a dev-only diagnostics endpoint (/primus/diagnostics) that never returns secrets

Next Steps

Want to...                         See Guide
Use Auth0 with full setup          Auth0 Integration ->
Use Azure AD with full setup       Azure AD Integration ->
Use Local JWT for development      Local JWT Guide ->
Combine multiple issuers           Multi-Issuer Setup ->