SignalR makes real-time communication in .NET applications simple. You can send live data, notifications, and streaming updates to clients with minimal code.

By default, SignalR hubs are accessible to all clients. Clients can connect, call hub methods, and receive messages without authentication.

In production, you may need to know who is connecting to your hub, what they are allowed to do, and how to reject unauthorized access.

JWT authentication is the standard for securing SignalR hubs in any environment, including browsers. It works with WebSockets, Server-Sent Events, and Long Polling transports.

In this post, we will explore:

• Why SignalR Needs Authentication
• Setting Up JWT Authentication for SignalR
• How to Stream Events with SignalR for a Given User
• Role-Based Authorization on Hub Methods
• Connecting from a JavaScript Client
• Connecting from a .NET Client
• Security Best Practices for SignalR

Let's dive in.

SignalR uses multiple transport protocols to maintain real-time connections: WebSockets, Server-Sent Events, and Long Polling.

By default, any client can connect to a SignalR hub and call its methods.

This creates several problems in production:

• No user identity - You can't tell who is connected or send messages to specific users.
• No access control - Anyone can call any hub method, including admin operations.
• No audit trail - You can't log which users performed which actions.
• Security exposure - Sensitive data could be streamed to unauthorized clients.

Why JWT and not Cookies?

Cookies work well for browser-based apps where users log in through a web form.

But JWT tokens are the better choice when:

• Your clients are mobile apps, desktop apps, or SPAs.
• You need cross-platform authentication.
• Your API and frontend run on different domains.
• You're building microservices that need stateless authentication.

There is one important detail about how tokens are handled in SignalR connections. In standard REST APIs, the client sends the JWT token in the Authorization HTTP header. But SignalR can't always do this.

When using WebSockets or Server-Sent Events in a browser, the browser API does not allow setting custom headers. Instead, the token is sent as a query string parameter: ?access_token=<token>.

This means you need extra configuration on the server to read the token from the query string. We will cover this setup in the next section.

For a deeper dive into authentication and authorization in ASP.NET Core, read my article on Authentication and Authorization Best Practices.

Let's build the backend for the stock price streaming application.

In Modern .NET versions, you no longer need to install the SignalR NuGet package. SignalR is now included in the ASP.NET Core Web SDK.

Here is how you can configure SignalR in your project:

csharp
1builder.Services.AddSignalR();
2
3var app = builder.Build();
4
5app.UseAuthentication();
6app.UseAuthorization();
7
8// Map the SignalR hub
9app.MapHub<StockPriceHub>("/hubs/stocks");

We need to configure JWT bearer authentication and add the OnMessageReceived event handler that extracts the token from the query string for SignalR connections:

csharp
1builder.Services.AddAuthentication(options =>
2{
3    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
4    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
5})
6.AddJwtBearer(options =>
7{
8    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(authConfig.Key));
9
10    options.TokenValidationParameters = new TokenValidationParameters
11    {
12        ValidateIssuer = true,
13        ValidateAudience = true,
14        ValidateLifetime = true,
15        ValidateIssuerSigningKey = true,
16        ValidIssuer = authConfig.Issuer,
17        ValidAudience = authConfig.Audience,
18        IssuerSigningKey = key
19    };
20
21    options.Events = new JwtBearerEvents
22    {
23        OnMessageReceived = context =>
24        {
25            var accessToken = context.Request.Query["access_token"];
26
27            var path = context.HttpContext.Request.Path;
28            
29            if (!string.IsNullOrEmpty(accessToken) &&
30                path.StartsWithSegments("/hubs"))
31            {
32                context.Token = accessToken;
33            }
34
35            return Task.CompletedTask;
36        }
37    };
38});

When a browser connects to a SignalR hub via WebSockets or SSE, it can't send the Authorization header. The JavaScript client sends the token as ?access_token=<token>.

The OnMessageReceived event fires before the JWT middleware validates the token.

Token extraction is limited to paths starting with /hubs. This avoids reading tokens from query strings on other endpoints.

Now let's build the SignalR hub that streams stock prices to authenticated users. Users can subscribe to specific stock symbols and receive updates only for the stocks they care about.

Let's go step by step.

Step 1: Create the SignalR Hub

Start by creating a hub class that requires authentication. The [Authorize] attribute requires every connection to present a valid JWT.

Without a valid token, the client receives a 401 Unauthorized response and the connection is rejected.

csharp
1[Authorize]
2public class StockPriceHub(
3    StockService stockService,
4    ILogger<StockPriceHub> logger) : Hub
5{
6    // Track subscriptions per connection
7    private static readonly ConcurrentDictionary<string, HashSet<string>> Subscriptions = new();
8    
9    public override Task OnConnectedAsync()
10    {
11        var userId = Context.User?.FindFirst(ClaimTypes.Email)?.Value ?? "unknown";
12        logger.LogInformation("User '{User}' connected with ConnectionId: {ConnectionId}",
13            userId, Context.ConnectionId);
14    
15        Subscriptions[Context.ConnectionId] = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
16    
17        return base.OnConnectedAsync();
18    }
19    
20    public override Task OnDisconnectedAsync(Exception? exception)
21    {
22        var userId = Context.User?.FindFirst(ClaimTypes.Email)?.Value ?? "unknown";
23        logger.LogInformation("User '{User}' disconnected. ConnectionId: {ConnectionId}",
24            userId, Context.ConnectionId);
25    
26        Subscriptions.Remove(Context.ConnectionId);
27    
28        return base.OnDisconnectedAsync(exception);
29    }
30}

The static Subscriptions dictionary tracks which stock symbols each connected client is subscribed to, keyed by ConnectionId.

Here we override OnConnectedAsync and OnDisconnectedAsync to track when users connect and disconnect. When a user connects, we create an empty subscription set for their connection. When they disconnect, we clean up their subscriptions.

Inside any hub method, you can access the authenticated user through Context.User. This gives you access to all JWT claims, including email, roles, and custom claims.

Just like in ASP .NET Core Controllers and Minimal APIs

Step 2: Subscribe and Unsubscribe to Stock Symbols

Clients call these methods to choose which stock symbols they want to receive. The subscription state is stored in the static dictionary keyed by ConnectionId.

csharp
1public async Task Subscribe(string symbol)
2{
3    var normalizedSymbol = symbol.ToUpperInvariant();
4    var availableSymbols = StockService.GetAvailableSymbols();
5
6    if (!availableSymbols.Contains(normalizedSymbol))
7    {
8        await Clients.Caller.SendAsync("Error",
9            $"Symbol '{symbol}' is not available. Available symbols: {string.Join(", ", availableSymbols)}");
10        return;
11    }
12
13    if (Subscriptions.TryGetValue(Context.ConnectionId, out var symbols))
14    {
15        symbols.Add(normalizedSymbol);
16    }
17
18    var userId = Context.User?.FindFirst(ClaimTypes.Email)?.Value;
19    logger.LogInformation("User '{User}' subscribed to {Symbol}", userId, normalizedSymbol);
20
21    await Clients.Caller.SendAsync("Subscribed", normalizedSymbol);
22}
23
24public async Task Unsubscribe(string symbol)
25{
26    var normalizedSymbol = symbol.ToUpperInvariant();
27
28    if (Subscriptions.TryGetValue(Context.ConnectionId, out var symbols))
29    {
30        symbols.Remove(normalizedSymbol);
31    }
32
33    var userId = Context.User?.FindFirst(ClaimTypes.Email)?.Value;
34    logger.LogInformation("User '{User}' unsubscribed from {Symbol}", userId, normalizedSymbol);
35
36    await Clients.Caller.SendAsync("Unsubscribed", normalizedSymbol);
37}

We validate the symbol against available stocks and notify the caller with Clients.Caller.SendAsync. If the symbol is invalid, we send an error message back to the caller.

Step 3: Stream Stock Prices

SignalR supports server-to-client streaming. You can call the connected clients in the SignalR hub to send stock prices as they are generated.

And you can use the IAsyncEnumerable<T> implementation, which enables server-to-client streaming.

The client starts the stream and receives stock prices as they are generated.

csharp
1public async IAsyncEnumerable<StockPriceEvent> StreamStockPrices(
2    [EnumeratorCancellation] CancellationToken cancellationToken)
3{
4    HashSet<string> subscribedSymbols = Subscriptions.TryGetValue(Context.ConnectionId, 
5        out var symbols)
6        ? new HashSet<string>(symbols, StringComparer.OrdinalIgnoreCase)
7        : new HashSet<string>(StringComparer.OrdinalIgnoreCase);
8
9    var userId = Context.User?.FindFirst(ClaimTypes.Email)?.Value;
10    
11    await foreach (var stockPrice in stockService.StreamPrices(subscribedSymbols, cancellationToken))
12    {
13        yield return stockPrice;
14    }
15}

The method reads the current subscription state and passes it to the StockService. If the user hasn't subscribed to any specific symbols, they receive all stock prices.

The StockService generates simulated stock prices. It's registered as a Singleton because all connected clients share the same price feed.

The [Authorize] attribute on the hub class ensures all users must be authenticated. But you can also apply different authorization policies to individual hub methods.

This is useful when certain actions should be restricted to administrators, such as viewing all connected users or resetting subscriptions.

Let's add admin-only methods to our hub:

csharp
1[Authorize("Admin")]
2public async Task BroadcastMessage(string message)
3{
4    var adminEmail = Context.User?.FindFirst(ClaimTypes.Email)?.Value;
5    logger.LogInformation("Admin '{Admin}' broadcasting message: {Message}", adminEmail, message);
6
7    await Clients.All.SendAsync("SystemMessage", message);
8}
9
10[Authorize("Admin")]
11public int GetConnectedUsersCount()
12{
13    return Subscriptions.Count;
14}

The BroadcastMessage method sends a system message to all connected clients. The GetConnectedUsersCount method returns the number of currently connected users.

Both methods use [Authorize("Admin")], which requires the user to have the Admin role in their JWT token.

We configured this policy in Program.cs:

csharp
1builder.Services.AddAuthorization(options =>
2{
3    options.AddPolicy("Admin", policy => policy.RequireRole("Admin"));
4});

You can also use claims-based authorization in your hub methods. It works the same as in Controllers and Minimal APIs.

What happens when a non-admin calls these methods?

If a user without the Admin role tries to call BroadcastMessage or GetConnectedUsersCount, SignalR returns an error to the caller. The connection stays open, but the specific method call is rejected.

You can check roles and claims directly in your hub method code:

csharp
1public async Task SomeMethod()
2{
3    var email = Context.User?.FindFirst(ClaimTypes.Email)?.Value;
4    var isAdmin = Context.User?.IsInRole("Admin") ?? false;
5    var userId = Context.User?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
6
7    if (isAdmin)
8    {
9        // Admin-specific logic
10    }
11}

This approach gives you more flexibility when authorization logic is more complex than what role-based policies can handle.

Let's connect to our secured SignalR hub from a JavaScript client.

First, you need the SignalR JavaScript client library. You can install it via npm or use a CDN:

bash
1npm install @microsoft/signalr

Step 1: Get a JWT Token

Before connecting to the hub, the client needs to authenticate and get a JWT token from the login endpoint:

javascript
1const API_URL = 'http://localhost:5000';
2let token = null;
3
4async function login(email, password) {
5    const response = await fetch(`${API_URL}/api/login`, {
6        method: 'POST',
7        headers: { 'Content-Type': 'application/json' },
8        body: JSON.stringify({ email, password })
9    });
10
11    if (response.ok) {
12        const data = await response.json();
13        token = data.token;
14    }
15}

The token is stored in a variable and will be passed to SignalR in the next step.

Step 2: Connect to the Hub with accessTokenFactory

The accessTokenFactory option is a function that returns the JWT token. SignalR calls it before every HTTP request, including the initial WebSocket handshake.

javascript
1let connection = new signalR.HubConnectionBuilder()
2    .withUrl(`${API_URL}/hubs/stocks`, {
3        accessTokenFactory: () => token
4    })
5    .withAutomaticReconnect()
6    .configureLogging(signalR.LogLevel.Information)
7    .build();
8
9await connection.start();

The withAutomaticReconnect() method tells SignalR to automatically reconnect when the connection drops. On each reconnect, SignalR calls the accessTokenFactory again to get a fresh token.

If the token has expired, you can refresh it inside the factory function:

javascript
1accessTokenFactory: async () => {
2    if (isTokenExpired(token)) {
3        token = await refreshToken();
4    }
5    return token;
6}

Step 3: Listen for Hub Events

Register handlers for messages the hub sends to the client. These correspond to the Clients.Caller.SendAsync(...) calls in our hub:

javascript
1connection.on('Subscribed', (symbol) => {
2    console.log('Subscribed to:', symbol);
3});
4
5connection.on('Unsubscribed', (symbol) => {
6    console.log('Unsubscribed from:', symbol);
7});
8
9connection.on('SystemMessage', (message) => {
10    console.log('System:', message);
11});
12
13connection.on('Error', (message) => {
14    console.error('Hub error:', message);
15});
16
17connection.onclose(() => {
18    console.log('Disconnected from hub');
19});

Step 4: Call Hub Methods

Use invoke to call methods on the hub. These are the same methods we defined in StockPriceHub:

javascript
1// Get available stock symbols
2const symbols = await connection.invoke('GetAvailableSymbols');
3console.log('Available symbols:', symbols);
4
5// Subscribe to specific stocks
6await connection.invoke('Subscribe', 'MSFT');
7await connection.invoke('Subscribe', 'AAPL');
8
9// Unsubscribe from a stock
10await connection.invoke('Unsubscribe', 'AAPL');

Step 5: Start a Stream

Call the hub's streaming method using connection.stream(). Each time the server yields a new StockPriceEvent, the next callback fires:

javascript
1const subscription = connection.stream('StreamStockPrices')
2    .subscribe({
3        next: (event) => {
4            console.log(`${event.symbol}: $${event.price} at ${event.timestamp}`);
5        },
6        error: (err) => {
7            console.error('Stream error:', err);
8        },
9        complete: () => {
10            console.log('Stream completed');
11        }
12    });
13
14// To stop streaming later:
15subscription.dispose();

The stream stays open until the client calls dispose() or the connection drops.

If you need to connect to the hub from a .NET application, such as a console app, a background service, or another microservice, you can install the following package:

bash
1dotnet add package Microsoft.AspNetCore.SignalR.Client

Here is a brief example:

csharp
1using Microsoft.AspNetCore.SignalR.Client;
2
3var token = "your-jwt-token-here"; // Obtained from the login endpoint
4
5var connection = new HubConnectionBuilder()
6    .WithUrl("https://localhost:5001/hubs/stocks", options =>
7    {
8        options.AccessTokenProvider = () => Task.FromResult(token)!;
9    })
10    .WithAutomaticReconnect()
11    .Build();
12
13// Listen for system messages
14connection.On<string>("SystemMessage", message =>
15{
16    Console.WriteLine($"System: {message}");
17});
18
19// Connect
20await connection.StartAsync();
21Console.WriteLine("Connected to hub");
22
23// Subscribe to a stock
24await connection.InvokeAsync("Subscribe", "MSFT");
25
26// Start streaming
27var stream = connection.StreamAsync<StockPriceEvent>("StreamStockPrices");
28
29await foreach (var price in stream)
30{
31    Console.WriteLine($"{price.Symbol}: ${price.Price} at {price.Timestamp:HH:mm:ss}");
32}
33
34record StockPriceEvent(string Id, string Symbol, decimal Price, DateTime Timestamp);

The .NET client can send the token in the HTTP Authorization header, so it does not need the query string workaround.

When deploying SignalR with JWT authentication to production, there are several security considerations you should address.

1. Access Token Logging

When using WebSockets or Server-Sent Events, the browser sends the access token as a query string parameter.

Many web servers log the full URL for each request, including query string values. ASP.NET Core logs request URLs at the Information level by default.

This means your JWT tokens could end up in your log files, which is a security risk.

To prevent this, configure the Microsoft.AspNetCore.Hosting logger to Warning level or above:

json
1{
2  "Logging": {
3    "LogLevel": {
4      "Default": "Information",
5      "Microsoft.AspNetCore.Hosting": "Warning",
6      "Microsoft.AspNetCore.Routing": "Warning"
7    }
8  }
9}

This suppresses the request-level logging that includes query strings.

2. Always Use HTTPS

Since the access token is transmitted in the query string, you must use HTTPS to encrypt the connection. Without HTTPS, anyone on the network can see the token in plain text.

In production, always enforce HTTPS:

csharp
1app.UseHttpsRedirection();

3. Configure CORS Properly

SignalR requires specific CORS settings. Allow only your known frontend origins:

csharp
1builder.Services.AddCors(options =>
2{
3    options.AddPolicy("AllowFrontend", policy =>
4    {
5        policy
6            .WithOrigins("https://yourfrontend.com")
7            .AllowAnyHeader()
8            .AllowAnyMethod()
9            .AllowCredentials();
10    });
11});

Never use AllowAnyOrigin() in production. CORS protections do not apply to WebSocket connections, so always validate origins for your specific use case.

4. Token Expiration and Connection Lifetime

JWT validation happens only when the connection is established. Once a WebSocket connection is open, the server does not re-validate the token.

This means a user with an expired token can remain connected until the connection drops.

To handle this, you can configure CloseOnAuthenticationExpiration in your hub options:

csharp
1app.MapHub<StockPriceHub>("/hubs/stocks", options =>
2{
3    options.CloseOnAuthenticationExpiration = true;
4});

This setting closes the connection when the authentication token expires.

On the client side, use accessTokenFactory to return a fresh token on reconnect:

javascript
1accessTokenFactory: async () => {
2    if (isTokenExpired(token)) {
3        token = await refreshToken();
4    }
5    return token;
6}

5. Don't Expose ConnectionId

The ConnectionId is an internal identifier for each connection. Exposing it to clients or other systems can allow impersonation attacks on older versions of SignalR.

In ASP.NET Core 3.0 and later, a separate ConnectionToken is used internally, making ConnectionId less sensitive. However, it's still best practice to avoid exposing it in your hub methods or API responses.

6. Limit Message Sizes

SignalR uses per-connection buffers. By default, the maximum message size is 32 KB. You can adjust this based on your needs:

csharp
1builder.Services.AddSignalR(options =>
2{
3    options.MaximumReceiveMessageSize = 64 * 1024; // 64 KB
4});

Keep message sizes small to prevent memory exhaustion from malicious clients.

Hope you find this newsletter useful. See you next time.