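/// <summary>
/// Authorizes the request by API key before delegating to the base authorization check.
/// </summary>
/// <remarks>
/// The filter fails closed: every rejection path returns before
/// <c>base.OnAuthorization</c> is reached. An unknown key and a key without the
/// required permissions go through the same handler
/// (<c>ApiKeyNotFoundOrNotAuthorized</c>).
/// </remarks>
/// <param name="actionContext">The action context whose request carries the API key parameters.</param>
public override void OnAuthorization(HttpActionContext actionContext)
{
    var keyData = GetAuthParamsFromRequest(actionContext.Request);
    if (keyData == null)
    {
        AuthParamsNotFound(actionContext);
        return;
    }

    // The context and service are created per call on purpose. Held in an instance field
    // they would be cached with this attribute and effectively become singletons, keeping
    // the DbContext connection and its cache alive. In real code this would normally come
    // from service location / IoC.
    //
    // The context is disposed deterministically so each authorized request does not leave
    // an open context behind (assumes ApplicationDbContext is an IDisposable EF context).
    using (var dbContext = new ApplicationDbContext())
    {
        var apiKeySvc = new ApiKeyService(dbContext);
        var apiKey = apiKeySvc.GetById(keyData.ApiKey, keyData.OwnerId);

        // The permission check stays inside the using scope in case HasAnyPermission
        // reads data that is loaded lazily from the context.
        if (apiKey == null || !apiKey.HasAnyPermission(_permissions))
        {
            ApiKeyNotFoundOrNotAuthorized(actionContext);
            return;
        }
    }

    base.OnAuthorization(actionContext);
}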