/// <summary>
/// Authorizes the current request from the API access key carried in its headers.
/// The key is looked up via <c>ApiKeyService</c>; the request is rejected unless the key
/// exists, is active, and — when <c>AdminRestricted</c> is set — carries the admin flag.
/// On success a <see cref="ClaimsPrincipal"/> with the key's id (<see cref="ClaimTypes.Sid"/>)
/// and role label (<see cref="ClaimTypes.UserData"/>) is attached to the request context.
/// </summary>
/// <param name="actionContext">The Web API action context of the request being authorized.</param>
/// <remarks>
/// Every rejection path produces the same bare 401 response, so a caller cannot distinguish
/// a missing key from an unknown, inactive, or insufficiently privileged one.
/// </remarks>
public override void OnAuthorization(HttpActionContext actionContext)
{
    var accessKey = FetchFromHeader(actionContext);

    // Only hit the key store when a key was actually presented.
    var apiKey = accessKey == null ? null : ApiKeyService.FindByAccessKey(accessKey);

    // NOTE: a valid, active key that merely lacks the admin flag is also answered with
    // 401 here (not 403); the response is deliberately identical across all failure cases.
    bool denied = apiKey == null
        || !apiKey.isActive
        || (AdminRestricted && !apiKey.isAdmin);

    if (denied)
    {
        actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
        return;
    }

    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.Sid, string.Concat(string.Empty, apiKey.Id)),
        new Claim(ClaimTypes.UserData, apiKey.isAdmin ? "Admin" : "User"),
    };

    IPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(claims));
    actionContext.RequestContext.Principal = principal;

    base.OnAuthorization(actionContext);
}