An authentication filter in Web API must implement the System.Web.Http.Filters.IAuthenticationFilter interface. The interface contains a AllowMultiple property of Boolean type that indicates that more than one instance of the attribute can be specified for a single program element. It has two methods, namely AuthenticateAsync to validate credentials in the request and ChallengeAsync to attach an authentication challenge to the response, if required.

As the filter can be decorated to the controllers and actions, we also need to inherit from System.Attribute.

Before executing an action in a Web API controller, it first builds a list of authentication filters that are configured globally, at controller level ...