Setting up JWT Authentication


  • DNN Platform
  • Evoq Content
  • Evoq Engage



You need a host/superuser account to be able to perform the steps outlined in this article. Hosts have full permissions to all sites in the DNN instance.  



  1. Install the DNN JWT Auth Handler.

    1. Go to Host > Settings (gear icon) > Extensions.


    2. In the Available Extensions tab, expand the Providers section and search for DNN JWT Auth Handler, then click Install.


      • The JWTAuth line is added inside the <messageHandlers/> tag in your web.config file, as shown below: 

                <!-- other message handlers -->
                <add name="JWTAuth" type="Dnn.AuthServices.Jwt.Auth.JwtAuthMessageHandler, Dnn.AuthServices.Jwt" enabled="false" defaultInclude="false" forceSSL="true"/>
  2. (Optional) Enable JWT authentication for all Web API requests.

      1. Access the web.config file.

      2. Search for the newly-added JWTAuth line inside the <messageHandlers/> section.

      3. Change JWTAuth's enabled and defaultInclude attributes to true.

        <add name="JWTAuth" type="Dnn.AuthServices.Jwt.Auth.JwtAuthMessageHandler, Dnn.AuthServices.Jwt" enabled="true" defaultInclude="true" forceSSL="true" />

    Tip (Developers): To enable JWT authentication for your specific Web API, add the following attribute to the controller class:
    [DnnAuthorize(AuthTypes = "JWT")].

  3. (Optional) Enable Cross-Origin Resource Sharing (CORS) to allow requests from remote JavaScript clients.

    CORS is only required if the access to the Web API is through a web browser. Native mobile or desktop apps do not require CORS.

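    Warning: Enabling CORS allows external sites to access your site, making it vulnerable to XSS attacks. The Access-Control-Allow-Origin value of * shown below admits every origin; if the client sites are known, set a specific origin instead.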

      1. Access the web.config file.

      2. In your web.config file, add the following access control lines inside the <customHeaders/> section:

        <add name="Access-Control-Allow-Origin" value="*" /> 
        <add name="Access-Control-Allow-Headers" value="accept, accept-language, content-type, authorization, moduleid, tabid, x-dnn-moniker" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, HEAD, OPTIONS" />
  4. (Optional) Developers: Enable additional logging for advanced debugging, testing, or troubleshooting.

      1. Access the DotNetNuke.log4net.config file.

      2. In your DotNetNuke.log4net.config file, add the following logger lines after the </root> closing tag:

        <!-- The following is required to troubleshoot provider registration issues. -->
        <logger name="DotNetNuke.Web.Api.Auth">
            <level value="TRACE" />
        </logger>
        <!-- The following is required to troubleshoot failing Web API calls. -->
        <logger name="DotNetNuke.Dnn.AuthServices.Jwt">
            <level value="TRACE" />
        </logger>
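
A quick check of the settings edited in steps 2 and 3, as an added example that is not part of the original article or of DNN: it reads a web.config and reports the state of the JWTAuth handler line and a wildcard CORS origin. The function names and the cut-down sample file are assumptions made for illustration; a real web.config nests these sections deeper, which the search handles.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down web.config holding only the two sections
# this article edits, with the values shown in steps 2 and 3.
SAMPLE_WEB_CONFIG = """<configuration>
  <messageHandlers>
    <!-- other message handlers -->
    <add name="JWTAuth" type="Dnn.AuthServices.Jwt.Auth.JwtAuthMessageHandler, Dnn.AuthServices.Jwt" enabled="true" defaultInclude="true" forceSSL="true" />
  </messageHandlers>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, HEAD, OPTIONS" />
  </customHeaders>
</configuration>"""


def is_true(value):
    """Treat a missing attribute as false; compare case-insensitively."""
    return (value or "").strip().lower() == "true"


def audit_web_config(xml_text):
    """Return (setting, finding) tuples for the JWTAuth and CORS entries."""
    root = ET.fromstring(xml_text)
    findings = []

    # Locate the handler line at any depth under the document root.
    handlers = [h for h in root.findall(".//messageHandlers/add")
                if h.get("name") == "JWTAuth"]
    if not handlers:
        findings.append(("JWTAuth", "handler line not present"))
    for h in handlers:
        if not is_true(h.get("enabled")):
            findings.append(("JWTAuth", "handler is disabled (enabled is not true)"))
        elif not is_true(h.get("forceSSL")):
            findings.append(("JWTAuth", "enabled with forceSSL not set to true"))

    # Header names are case-insensitive, so compare in lower case.
    for header in root.findall(".//customHeaders/add"):
        name = (header.get("name") or "").lower()
        value = (header.get("value") or "").strip()
        if name == "access-control-allow-origin" and value == "*":
            findings.append(("CORS", "Access-Control-Allow-Origin is *: every origin is allowed"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{setting}: {finding}")
```
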

