.NET 10, Prev 7: Avoid cookie login redirects for known API endpoints #35894
Description
Create a new topic so it can be referenced from several others
Based on:
#35824 (comment)
Consider this metadat for the new topic, Title, suggested location (see uid):
title: API endpoint authentication behavior in ASP.NET Core
author: wadepickett
description: Learn how ASP.NET Core 10 and later handles authentication failures for API endpoints using cookie authentication.
ms.author: wpickett
ms.date: 08/06/2025
uid: security/authentication/api-endpoint-auth
Consider an include file:
File path and name: includes/api-endpoint-auth.md
File contents draft:
Important
Starting with ASP.NET Core 10, known API endpoints no longer redirect to login pages when using cookie authentication. Instead, they return 401/403 status codes. For details, see xref:security/authentication/api-endpoint-auth.
Consider updating the following topics with the include note:
- security/authentication/cookie.md
- web-api/index.md
- fundamentals/minimal-apis/responses.md
- signalr/authn-and-authz.md
Placement instructions for the include references:
When adding the include note, do not place it at the very top or bottom of the file. Instead:
- Insert it directly after the main introductory/contextual paragraphs and before the first major heading or section (such as a list of return types or the start of configuration instructions).
- If the file has a section specifically about authentication, responses, or API behavior, place the include at the start of that section.
- Ensure the include appears naturally in the reading flow, so readers first see the topic’s intent/context, then get alerted about the new authentication behavior.
- If unsure where to insert, prefer placement after any "not latest version" banners and after the first paragraph(s) introducing the main topic but before any technical details or code samples.