在ASP.NET Core Web API中,可以使用JWT令牌来实现身份验证和授权。JWT令牌由三部分组成:头部、载荷和签名。签名用于验证令牌未被篡改;头部和载荷只是 Base64Url 编码而非加密,任何持有令牌的人都能读取,因此不要在载荷中存放密码等敏感信息。
1.在Startup文件中配置身份验证和授权服务(.NET 6 及更高版本的最小托管模型中对应 Program.cs 里的 builder.Services)。添加以下代码。此外还必须在中间件管道中先调用 app.UseAuthentication() 再调用 app.UseAuthorization(),否则即使请求携带了有效令牌,[Authorize] 也会返回 401:
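// Read the JWT settings once so that a missing or weak signing key fails at startup
// with a clear message instead of surfacing as the first 401/500 in production.
var jwtIssuer = Configuration["Jwt:Issuer"];
// The original listing validated the audience against Jwt:Issuer. A dedicated
// Jwt:Audience key is preferred; the issuer is kept only as a fallback so existing
// configurations (and tokens issued with aud == iss) keep working.
var jwtAudience = Configuration["Jwt:Audience"] ?? Configuration["Jwt:Issuer"];
var jwtKey = Configuration["Jwt:Key"];
if (string.IsNullOrWhiteSpace(jwtKey))
{
    // Encoding.UTF8.GetBytes(null) would throw anyway, but without saying which setting is missing.
    throw new System.InvalidOperationException(
        "Jwt:Key is not configured. Supply it via user secrets, environment variables or a secret store - never commit it to source control.");
}
var jwtKeyBytes = Encoding.UTF8.GetBytes(jwtKey);
// HS256 validation in Microsoft.IdentityModel requires at least 128 bits of key material
// (shorter keys are rejected when the first token is validated). A passphrase's byte
// length is not its entropy: use a randomly generated secret of 32 bytes or more.
if (jwtKeyBytes.Length < 16)
{
    throw new System.InvalidOperationException(
        "Jwt:Key must be at least 16 bytes; use a randomly generated secret of 32 bytes or more.");
}

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            // NOTE(review): if Jwt:Issuer is absent every token fails issuer validation;
            // consider failing at startup the same way as for the key.
            ValidIssuer = jwtIssuer,
            ValidAudience = jwtAudience,
            IssuerSigningKey = new SymmetricSecurityKey(jwtKeyBytes)
            // ClockSkew keeps the library default (5 minutes); tighten it for short-lived tokens.
        };
    });

services.AddAuthorization(options =>
{
    // Requires a claim of type "Role" with the value "Admin" (the type is compared
    // case-insensitively, the value ordinally).
    // NOTE(review): the JWT bearer handler maps the standard "role" claim to
    // ClaimTypes.Role by default, in which case this policy would not match - confirm
    // the claim type the issuer actually emits, or use policy.RequireRole("Admin")
    // together with a matching RoleClaimType.
    options.AddPolicy("Admin", policy => policy.RequireClaim("Role", "Admin"));
});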
使用 [Authorize] 特性(attribute)标记需要授权的控制器或操作方法;对控制器内需要匿名访问的个别操作可用 [AllowAnonymous] 放开。如以下例子:
// Every action on this controller requires an authenticated caller. No scheme is named,
// so the default registered with AddAuthentication (JWT bearer in this listing) is used.
// Individual actions can opt out with [AllowAnonymous].
[Authorize]
[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
...
}
// Authentication alone is not enough here: the caller must also satisfy the "Admin"
// policy registered in AddAuthorization (a "Role" claim with the value "Admin").
// The policy name is a plain string, so it must match the AddPolicy call exactly.
[Authorize(Policy = "Admin")]
[HttpPost("admin")]
public IActionResult AdminOnly()
{
...
}
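// Application user entity (the class is named Claims in this listing).
// NOTE(review): the generic type arguments appear to have been stripped when the
// listing was rendered - a non-generic ICollection is not usable as an EF navigation
// collection - so the element type is restored here. The collection type is fully
// qualified because the file's using directives are not visible in this excerpt.
public class Claims : IdentityUser
{
    /// <summary>Join rows linking this user to its roles (see <see cref="UserRole"/>).</summary>
    public System.Collections.Generic.ICollection<UserRole> UserRoles { get; set; }
}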
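// Join entity between the user (Claims) and Role. ASP.NET Core Identity only defines
// IdentityUserRole<TKey>; string is the key type that IdentityUser/IdentityRole default to.
// NOTE(review): the type argument was most likely lost when this listing was rendered.
public class UserRole : IdentityUserRole<string>
{
    /// <summary>Navigation to the role side of this join row.</summary>
    public Role Role { get; set; }
}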
// Application role entity. It adds nothing to IdentityRole yet and exists so that
// UserRole can reference a project-owned type; extend it here if roles need extra columns.
public class Role : IdentityRole
{
}
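// Identity services injected into the controller. UserManager and RoleManager are only
// defined generically; the type arguments are taken from the Claims and Role classes
// declared in this listing. NOTE(review): they were probably stripped when the page was
// rendered - confirm against the original source.
private readonly UserManager<Claims> _userManager;
private readonly RoleManager<Role> _roleManager;

/// <summary>Creates the controller with its Identity dependencies (resolved by DI).</summary>
/// <param name="userManager">Manages <see cref="Claims"/> users.</param>
/// <param name="roleManager">Manages <see cref="Role"/> roles.</param>
public WeatherForecastController(UserManager<Claims> userManager, RoleManager<Role> roleManager)
{
    _userManager = userManager;
    _roleManager = roleManager;
}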