Authorizing Client Web Application APIs

The C# Client Library lets Client Web Applications configure a list of accepted API keys through environment variables on the server(s) hosting an ASP.NET Core web app, so that keys can be changed without any downtime. Any environment variable on a host server whose name starts with "ExtensionToken" will be considered a valid API key by the ExtensionAuthorize attribute. Learn more about changing keys by reading Managing API Keys.


Authorization is done automatically for some methods

If you use the generic AddHook or AddMerchant extension methods in Startup.cs to create a Process Hook or Merchant, authentication is automatically added to the controllers generated at runtime.


Using the Client Extension?

These environment variables can be set on the host servers in the Deployment Options modal. Learn more by reading Deploying A Build Version.

ExtensionAuthorize Attribute

Use the [ExtensionAuthorize] attribute from the DirectScale.Disco.Extension.Middleware namespace to add authorization to controllers in Client Web Applications.


How It Works

For API Requests:

  • This attribute checks the Authorization header of incoming requests for a Bearer Token that matches a valid API Key as described above.

For Pages:

  • This attribute checks the query string for the "pageToken" value and calls the Extension ValidateToken API to authenticate the token.
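
The API-request check described above, sketched as an added example; it is not the Client Library's own code and does not claim to match its internals. The ApiKeyCheckSketch class and the sample variable names and key values are constructed, and the sketch assumes that the variable's value is the key, that the prefix match is case-sensitive, and that keys are compared in fixed time.

```csharp
using System;
using System.Collections;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not a type from DirectScale.Disco.Extension.
public static class ApiKeyCheckSketch
{
    private const string Prefix = "ExtensionToken"; // prefix named on this page

    // True when the Authorization header carries a Bearer token equal to the value
    // of any environment variable whose name starts with the prefix.
    public static bool IsAuthorized(string authorizationHeader, IDictionary environment)
    {
        if (!AuthenticationHeaderValue.TryParse(authorizationHeader, out var header) ||
            !string.Equals(header.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase) ||
            string.IsNullOrEmpty(header.Parameter))
            return false;

        byte[] presented = Encoding.UTF8.GetBytes(header.Parameter);
        bool match = false;
        foreach (DictionaryEntry entry in environment)
        {
            var name = (string)entry.Key;
            var value = entry.Value as string;
            if (!name.StartsWith(Prefix, StringComparison.Ordinal) || string.IsNullOrEmpty(value))
                continue; // unrelated or empty variables never count as keys
            // Fixed-time comparison with no early exit, so every configured key is checked.
            match |= CryptographicOperations.FixedTimeEquals(presented, Encoding.UTF8.GetBytes(value));
        }
        return match;
    }

    public static void Main()
    {
        // Constructed sample: old and new key both set during a rotation.
        // On a real host, pass Environment.GetEnvironmentVariables() instead.
        var env = new Hashtable
        {
            ["ExtensionToken_Old"] = "sample-key-A",
            ["ExtensionToken_New"] = "sample-key-B",
            ["OTHER_SECRET"] = "sample-key-C",
        };
        Console.WriteLine(IsAuthorized("Bearer sample-key-A", env)); // old key
        Console.WriteLine(IsAuthorized("Bearer sample-key-B", env)); // new key
        Console.WriteLine(IsAuthorized("Bearer sample-key-C", env)); // value of a non-prefixed variable
        Console.WriteLine(IsAuthorized("Basic sample-key-A", env));  // wrong scheme
    }
}
```

Because every variable with the prefix is accepted, a rotation can add the new key, move callers over, and then remove the old variable without a window in which requests fail.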

See an example of how to use the [ExtensionAuthorize] attribute in the code snippet below.

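using DirectScale.Disco.Extension.Middleware;
using Microsoft.AspNetCore.Mvc;
using System;
using System.Threading.Tasks;

namespace ACMEClientExtension.Controllers.Example
{
    [ExtensionAuthorize] // every action on this controller requires a valid API key or pageToken
    public class ExampleController : ControllerBase
    {
        public async Task<ActionResult> TestEndpoint()
        {
            return Ok("Hello World!");
        }
    }
}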