You don't want strangers listening to your real-time private messages. Securing a SignalR Hub is very similar to securing a Web API.
Just like an MVC Controller, you can place [Authorize] on your Hub class or specific Hub methods. This forces SignalR to check the user's identity before allowing them to connect or call a method.
In browsers, the WebSocket API gives client code no way to attach custom headers, such as Authorization, to the initial handshake. To work around this, SignalR passes the JWT in the **Query String** (?access_token=...). On the server, you must configure the JWT Bearer options to read the token from the query string instead of the Authorization header.
Q: "Can I use external auth like Google with SignalR?"
Architect Answer: "YES. Since SignalR uses the same authentication middleware as the rest of ASP.NET Core, any logged-in user (via Cookies or JWT) will be automatically recognized by the Hub. Their Context.User property will be fully populated with all their claims, exactly like in a standard API request."
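The server-side setup described above, as an added example that is not code from the original page: a minimal ASP.NET Core `Program.cs` that reads `access_token` from the query string and protects a hub with `[Authorize]`. The hub name `ChatHub`, the route `/hubs/chat`, the issuer, the audience and the `Jwt:SigningKey` configuration key are assumptions chosen for illustration.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Assumed issuer, audience and key location; replace with your own.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",
            ValidAudience = "chat-api",
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:SigningKey"]!))
        };
        options.Events = new JwtBearerEvents
        {
            OnMessageReceived = context =>
            {
                // Accept ?access_token= only on the hub route (assumed path), so
                // ordinary API endpoints keep requiring the Authorization header.
                var accessToken = context.Request.Query["access_token"];
                var path = context.HttpContext.Request.Path;
                if (!string.IsNullOrEmpty(accessToken) && path.StartsWithSegments("/hubs/chat"))
                {
                    context.Token = accessToken;
                }
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();
builder.Services.AddSignalR();

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization and MapHub
app.UseAuthorization();
app.MapHub<ChatHub>("/hubs/chat");
app.Run();

[Authorize] // unauthenticated connections are rejected before any hub method runs
public class ChatHub : Hub
{
    // Context.User carries the claims from the validated token.
    public Task Send(string message) =>
        Clients.All.SendAsync("ReceiveMessage", Context.User?.Identity?.Name, message);
}
```

Query strings are commonly written to web server and proxy logs, so serve the hub over HTTPS only, keep token lifetimes short, and exclude or redact the `access_token` parameter in request logging.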