Registering API Keys in Swagger Return 401 Response

I am using the following code to require anyone registering to have a proper role:

string[] roles = new string[] { “Admin”, “SuperAdmin”, “User” };
typeof(RegisterService).AddAttributes(new AuthenticateAttribute());
typeof(RegisterService).AddAttributes(new RequiredRoleAttribute(ApplyTo.All, roles));

When I attempt to register a new user I am prompted to enter a username and password.


I enter a valid username and an “Admin” API Key for the password.
However, I keep getting a 401 (unauthorized) response.
Please help.

Hi @atrader100,

The use of RequiredRoleAttribute will mean that anyone trying to use the RegisterService will be required to have Admin, SuperAdmin and User roles, not just one of the roles, but all three. See source here.

If you can share more what you are trying to achieve, I might be able to suggest a better way.

Is the RegisterService the default one for new users? Are you trying to restrict the registration of new users to only be done by other users? Any more info would be appreciated. Thanks.

I have re-tried based on what you suggested.
I entered a username and password with all 3 roles.
The registration screens clears and reappears for me to try again, and I am still getting the 401 response.
Basically, I have a swagger page that has operations that require users to provide a valid API key in the headers.
This all works. However, when I want to issue a new API Key I have to comment out the following code and run in dev mode to get a new user (with API Keys) registered.

The Registration service requires authentication as seen in my screenshot:

Is there a special way the username and password has to be entered?

The built in registration service will likely not be a good fit for what you are trying to do, that is, create new users on behalf of other people. This service (without required authentication) is generally used to allow new users to self service register a new account, which, if configured, their account will also come with a valid API key which you can expose to just their account via an authenticated service (that they can login)

If you want an ‘admin only’ create a new user on behalf of somebody else and fetch their API key to share, I would create your own dedicated service for this use and restrict it to Admin or whatever single role is applicable. You could still lock down the existing Register service or not register it at all. Alternatively locking down routes to require specific roles that you can assign as a manual/automated process. Eg users would get an API key but still wouldn’t be authorized to access services until the role was assigned.

What registration screen? the built in Swagger? Something you’ve built? If you’re trying to use the Swagger UI, you can use the Authorize button at the top right before making the requests, which will require a valid API key.


Since you are getting a Basic Auth challenge, it is likely you have a BasicAuth provider also registered, and possible that the challenge is coming after a redirect. Without the ability to reproduce, I can only make suggestions based on assumptions. If you can put together a minimum reproduction of the issue in a GitHub repository and share it (removing any sensitive information), I’ll be happy to have a look at it.

Also, a good tool to test endpoints is Postman, this at least will help with the ability to provide exact details of request + response + path which will give a lot more context to the issue.

If you want to create new Users as another User you can do this with ServiceStack Studio using AdminUsersFeature which enables the following Admin Users APIs which you could also call programmatically without using Studio UI.

You’ll need to download the latest v5.11.1 on MyGet which adds support for generating API Keys for Created Users.