Stop Re-Entering Your Token in Swagger UI: EnablePersistAuthorization in ASP.NET Core

Introduction

Today, while adding an authentication improvement to one of our private APIs, I came across EnablePersistAuthorization. Honestly, I had no idea it existed, and surprisingly, I find it quite useful for local development and debugging environments.

If you’ve ever worked with Swagger UI on a protected API, you know the pain: you open the Authorize dialog, paste your JWT token, start testing endpoints, and then… you refresh the page. The token is gone. You have to paste it again. And again. And again.

Well, it turns out there’s a simple fix for this that has been available in Swashbuckle for a while now. Let me show you.

The Problem

By default, Swagger UI does not persist your authorization data. Every time you reload the page, the token is cleared and you need to re-authenticate. This might sound like a minor inconvenience, but when you’re actively debugging an API and refreshing constantly, it becomes genuinely annoying.

The Solution: EnablePersistAuthorization

Swashbuckle for ASP.NET Core exposes a simple method called EnablePersistAuthorization(). When enabled, Swagger UI stores your authorization data (Bearer tokens, API keys, etc.) in the browser’s localStorage. This means your tokens survive page refreshes and even browser restarts.

Here’s how to enable it:

			
// Program.cs
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI(c =>
    {
        c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API v1");
        c.EnablePersistAuthorization();  // This is the magic line
    });
}

		

That’s it. One line. After adding this, when you click Authorize in Swagger UI and enter your token, it will still be there after refreshing the page.

A Complete Example with Bearer JWT

If your API uses JWT authentication, here’s a full setup that works nicely with EnablePersistAuthorization:

			
// Configure Swagger generation
builder.Services.AddSwaggerGen(c =>
{
    c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "v1" });
    // Define the Bearer security scheme
    c.AddSecurityDefinition("bearer", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.Http,
        Scheme = "bearer",
        BearerFormat = "JWT",
        Description = "Enter your JWT token below."
    });
    // Apply it globally to all endpoints
    c.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference
                {
                    Type = ReferenceType.SecurityScheme,
                    Id = "bearer"
                }
            },
            Array.Empty<string>()
        }
    });
});
// Configure Swagger UI with persist authorization
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI(c =>
    {
        c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API v1");
        c.EnablePersistAuthorization();
    });
}

		

After this setup, the Authorize dialog in Swagger UI will show a clean Bearer input field, and your token will persist across refreshes.

Good to Know

A few things worth keeping in mind:

Development only: Keep Swagger UI behind an environment check (IsDevelopment()). You don’t want to expose it in production.
localStorage: The token is stored in localStorage under the key authorized. If it doesn’t seem to work, clear your browser cache first (Ctrl+Shift+R) — especially if you just added this option to an existing project.
Multiple schemes: If you have both Bearer and API Key authentication, both will be persisted. Each scheme is stored independently.
Security: Since tokens are stored in localStorage, this is perfectly fine for local development but should never be enabled in production environments.

Conclusion

EnablePersistAuthorization is one of those small quality-of-life improvements that you don’t know you need until you try it. It won’t change your architecture or improve your code quality, but it will save you a few seconds (and a bit of frustration) every time you refresh Swagger UI during development.

If you’re using Swashbuckle in ASP.NET Core, give it a try. Your future self will thank you.

References

Swashbuckle.AspNetCore – GitHub Repository — Official Swashbuckle source code, where EnablePersistAuthorization is defined.
Swagger UI Configuration – persistAuthorization — Official Swagger UI docs explaining the persistAuthorization option.
Implement Authorization for Swagger in ASP.NET Core – InfoWorld — Practical guide on setting up JWT and API Key authentication in Swagger UI.