Passing tokens from your Blazor client to your secure backend API requires a clean, automated strategy.
Bearer tokens are the standard way to secure public APIs. Your Blazor app sends the token in the `Authorization: Bearer <token>` header. Use a custom DelegatingHandler for your HttpClient to automatically attach the token to every outgoing request, so that your UI components stay free of security boilerplate.
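As an added example (not code from the original page), here is such a DelegatingHandler for a Blazor WebAssembly app, using the framework's IAccessTokenProvider to fetch the current token. It attaches the token only to requests bound for your own API origin, so the same HttpClient can never leak it to a third-party host; the class name BearerTokenHandler and the origin https://api.example.com/ are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Attaches "Authorization: Bearer <token>" to outgoing requests, but only to
// those whose URI is under our own API origin. Requests to any other host go
// out without the token, so it cannot be leaked to third parties.
public sealed class BearerTokenHandler : DelegatingHandler
{
    private readonly IAccessTokenProvider _tokenProvider;
    private readonly Uri _apiOrigin; // assumed value: https://api.example.com/

    public BearerTokenHandler(IAccessTokenProvider tokenProvider, Uri apiOrigin)
    {
        _tokenProvider = tokenProvider;
        _apiOrigin = apiOrigin;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // HttpClient has already combined BaseAddress into an absolute URI here.
        if (request.RequestUri is not null && _apiOrigin.IsBaseOf(request.RequestUri))
        {
            var result = await _tokenProvider.RequestAccessToken();
            if (result.TryGetToken(out var token))
            {
                request.Headers.Authorization =
                    new AuthenticationHeaderValue("Bearer", token.Value);
            }
            // No token (user signed out, consent required): send the request
            // unauthenticated and let the API answer 401 instead of failing here.
        }
        return await base.SendAsync(request, cancellationToken);
    }
}

// Registration in Program.cs of the Blazor WebAssembly project (assumed layout):
// builder.Services.AddTransient(sp => new BearerTokenHandler(
//     sp.GetRequiredService<IAccessTokenProvider>(),
//     new Uri("https://api.example.com/")));
// builder.Services.AddHttpClient("Api",
//         c => c.BaseAddress = new Uri("https://api.example.com/"))
//     .AddHttpMessageHandler<BearerTokenHandler>();
// Components then inject IHttpClientFactory and call CreateClient("Api").
```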
If your Blazor app is running in Azure (App Service or Static Web Apps), you should use **Managed Identity**. This allows your app to authenticate with other Azure services (like Key Vault or SQL Database) WITHOUT needing to store any secrets or connection strings in your code. Azure handles the rotation and security of the identity for you.
Q: "Where should I store the JWT?"
Architect Answer: "In Blazor WASM, use **LocalStorage** or an **HttpOnly cookie**. Cookies are more secure because they are protected from XSS attacks. If you use LocalStorage, you must be extremely vigilant about XSS vulnerabilities. In Blazor Server, the token should stay on the server side (in a cookie) and never be sent to the browser at all."