.NET 10 issues with OpenApi

Question

.NET 10 issues with OpenApi

Thomas Borby Lancestremère 60

Hello

I created an ASP.NET Core Web Api project with the version of .NET 10 , to utilize Swagger with authentication

I created the project to test my API endpoints with authentication and out of the blue I found this stange issue, where I couldn't utilized authorize with the generated token?

Usually this code should work for just that purpose:

builder.Services.AddSwaggerGen(setup =>
{
    setup.SwaggerDoc("v1", new Microsoft.OpenApi.Models.OpenApiInfo
    {
        Title = "API test project",
        Version = "v1",
        Description = "API with JWT authentication – use Authorize button to insert token"
    });

    // JWT Bearer definition
    var jwtSecurityScheme = new Microsoft.OpenApi.Models.OpenApiSecurityScheme
    {
        Scheme = "bearer",
        BearerFormat = "JWT",
        Name = "Authorization",
        In = Microsoft.OpenApi.Models.ParameterLocation.Header,
        Type = Microsoft.OpenApi.Models.SecuritySchemeType.Http,
        Description = "Insert your JWT token here with 'Bearer ' in front",
        Reference = new Microsoft.OpenApi.Models.OpenApiReference
        {
            Id = JwtBearerDefaults.AuthenticationScheme,
            Type = Microsoft.OpenApi.Models.ReferenceType.SecurityScheme
        }
    };

    setup.AddSecurityDefinition(jwtSecurityScheme.Reference.Id, jwtSecurityScheme);

    setup.AddSecurityRequirement(new Microsoft.OpenApi.Models.OpenApiSecurityRequirement
    {
        { jwtSecurityScheme, Array.Empty<string>() }
    });
});

It works in .NET 9, but somehow not in .NET 10?

I get errors about "The type or namespace name 'Models' does not exist in the namespace 'Microsoft.OpenApi'", where Models is missing from the OpenApi package?

I tried to included it by "using Microsoft.OpenApi.Models" in the namespace, but it only gives errors?

I don't know if it's a bug in the .NET 10 or if you have just changed the way to utilize OpenApi?

I've searched and asked people and chatbots, but with no solution...

If you know the cause to this issue, I'd apreciate it if you could text me back with the followed solution :-)

Best regards

Thomas

Jack Dang (WICLOUD CORPORATION) 16,115 Reputation points Microsoft External Staff Moderator

2026-03-27T10:20:32.79+00:00

Hi @Thomas Borby Lancestremère ,

I would need more time to look into the issue, I will get back to you as soon as possible. Thanks for your patience.
SurferOnWww 5,921 Reputation points

2026-03-28T01:52:28.1+00:00

It works in .NET 9, but somehow not in .NET 10?

I understand that "not" means even the Swagger UI is not shown.

How did you create the Web API project? Did you use the ASP.NET Core Web API template of Visual Studio 2026 with the target framework .NET 10 to create the project? If you did so the project includes the NuGet package Microsoft.AspNetCore.OpenApi.

If the above is OK please check if the Swashbuckle.AspNetCore.SwaggerUI NuGet package is installed and the Program.cs is set to enable the saggwer-ui middleware.

Launch the app and navigate to https://localhost:<port>/swagger. You will be able to see the Swagger UI if the above are OK. Please confirm.
Thomas Borby Lancestremère 60 Reputation points

2026-03-30T10:02:51.0266667+00:00
Yeah, that's right. I Created the project by using the ASP.NET Core Web API template on Visual Studio 2026.

I set it to use latest version .NET 10 instead and noticed the changes for using that method to obtain the token. When I created the project, it already had the package Microsoft.AspNetCore.OpenApi, which caused a few issues, but those were easy to solve. Swashbuckle.AspNetCore.SwaggerUI NuGet package

The "Swashbuckle.AspNetCore." NuGet package also includes "SwaggerUI", so once I installed it, everything worked fine.

app.UseAuthentication(); app.UseAuthorization(); if (app.Environment.IsDevelopment()) { app.UseSwagger(); app.UseSwaggerUI(options => { options.SwaggerEndpoint("/swagger/v1/swagger.json", "API v1"); options.RoutePrefix = string.Empty; }); } app.MapControllers(); app.Run();

With this setup, I can confirm that Swagger is launched correctly in Program.cs

Answer accepted by question author

2 additional answers

Your answer

Jack Dang (WICLOUD CORPORATION) 16,115 Reputation points Microsoft External Staff Moderator

2026-03-27T10:20:32.79+00:00

Hi @Thomas Borby Lancestremère ,

I would need more time to look into the issue, I will get back to you as soon as possible. Thanks for your patience.
SurferOnWww 5,921 Reputation points

2026-03-28T01:52:28.1+00:00

It works in .NET 9, but somehow not in .NET 10?

I understand that "not" means even the Swagger UI is not shown.

How did you create the Web API project? Did you use the ASP.NET Core Web API template of Visual Studio 2026 with the target framework .NET 10 to create the project? If you did so the project includes the NuGet package Microsoft.AspNetCore.OpenApi.

If the above is OK please check if the Swashbuckle.AspNetCore.SwaggerUI NuGet package is installed and the Program.cs is set to enable the saggwer-ui middleware.

Launch the app and navigate to https://localhost:<port>/swagger. You will be able to see the Swagger UI if the above are OK. Please confirm.
Thomas Borby Lancestremère 60 Reputation points

2026-03-30T10:02:51.0266667+00:00

Yeah, that's right. I Created the project by using the ASP.NET Core Web API template on Visual Studio 2026.

I set it to use latest version .NET 10 instead and noticed the changes for using that method to obtain the token. When I created the project, it already had the package Microsoft.AspNetCore.OpenApi, which caused a few issues, but those were easy to solve. Swashbuckle.AspNetCore.SwaggerUI NuGet package

The "Swashbuckle.AspNetCore." NuGet package also includes "SwaggerUI", so once I installed it, everything worked fine.

app.UseAuthentication(); app.UseAuthorization(); if (app.Environment.IsDevelopment()) { app.UseSwagger(); app.UseSwaggerUI(options => { options.SwaggerEndpoint("/swagger/v1/swagger.json", "API v1"); options.RoutePrefix = string.Empty; }); } app.MapControllers(); app.Run();

With this setup, I can confirm that Swagger is launched correctly in Program.cs

Answer 1

If you want to use Swashbuckle 10.x (not 9.x) and Microsoft.AspNetCore.OpenApi 10.x;

enter image description here

In Swashbuckle 10.x, the method for adding Security Requirements has changed to a "Transformer". Therefore, the Program.cs should be as follows:

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using Microsoft.OpenApi;
using System.Text;

namespace WebApi2
{
    public class Program
    {
        public static void Main(string[] args)
        {
            var builder = WebApplication.CreateBuilder(args);

            builder.Services.AddControllers();

            builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = true,
                        ValidateAudience = true,
                        ValidateLifetime = true,
                        ValidateIssuerSigningKey = true,
                        ValidIssuer = builder.Configuration["Jwt:Issuer"],
                        ValidAudience = builder.Configuration["Jwt:Issuer"],
                        IssuerSigningKey = new SymmetricSecurityKey(
                            Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!))
                    };
                });

            builder.Services.AddAuthorization();

            // New Security API for Swashbuckle 10.x
            builder.Services.AddSwaggerGen(options =>
            {
                options.SwaggerDoc("v1", new OpenApiInfo
                {
                    Title = "My Web API",
                    Version = "v1"
                });

                options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
                {
                    Name = "Authorization",
                    Type = SecuritySchemeType.Http,
                    Scheme = "bearer",
                    BearerFormat = "JWT",
                    In = ParameterLocation.Header,
                    Description = "Please enter token"
                });

                // Security Requirement（use Transformer）
                options.AddSecurityRequirement(document =>
                    new OpenApiSecurityRequirement
                    {
                        [new OpenApiSecuritySchemeReference("Bearer", document)] = []
                    });
            });

            var app = builder.Build();

            if (app.Environment.IsDevelopment())
            {
                app.UseSwagger();
                app.UseSwaggerUI(o => o.SwaggerEndpoint("/swagger/v1/swagger.json", "v1"));
            }

            app.UseHttpsRedirection();

            app.UseAuthentication();
            app.UseAuthorization();

            app.MapControllers();

            app.Run();
        }
    }
}

The same result can be obtained.

enter image description here

Thomas Borby Lancestremère 60 Reputation points

2026-03-30T10:03:38.88+00:00

Okay, I didn't know about that approach for using a Transformer to include Security Requirements - very interesting!

It's true that it gives the same result with the "Authorize" button using the generated token

Thank you for that detail :-)

Answer 2

Jack Dang (WICLOUD CORPORATION) 16,115 Microsoft External Staff Moderator

Hi @Thomas Borby Lancestremère ,

Thanks for reaching out.

From your description, the issue is not with your JWT or Swagger configuration itself, but with a change in the OpenAPI/Swashbuckle packages when moving to .NET 10.

Your code is using types from Microsoft.OpenApi.Models, which worked in earlier versions (such as with Swashbuckle 9.x in .NET 9). In Swashbuckle.AspNetCore 10.x, those OpenAPI types were moved to the Microsoft.OpenApi namespace, which is why you’re now seeing the error that Models does not exist.

Another thing to be aware of is that the .NET 10 Web API template may include Microsoft.AspNetCore.OpenApi by default. This isn’t an issue by itself, but problems can occur if it’s mixed with Swashbuckle-based configuration like AddSwaggerGen.

To fix the issue, I suggest two options depending on how you want to proceed.

If you want to keep your current code as-is, the simplest approach is:

Remove Microsoft.AspNetCore.OpenApi if you’re not using it
Install a compatible version of Swashbuckle, for example:
```
  Swashbuckle.AspNetCore 9.0.6
```
Keep using:
```
  using Microsoft.OpenApi.Models;
```

After that, rebuild and navigate to /swagger. The Authorize button should work as expected again.

If you prefer to stay on Swashbuckle 10.x, then you’ll need to update your code to use the new namespace:

using Microsoft.OpenApi;

and ensure your configuration aligns with that version, without mixing it with the built-in OpenAPI setup.

Hope this helps! If my answer was helpful, I would greatly appreciate it if you could follow the instructions here so others with the same problem can benefit as well.

Thomas Borby Lancestremère 60 Reputation points

2026-03-30T10:03:57.0533333+00:00

Hi @Jack Dang (WICLOUD CORPORATION) It's true the issue will orcur if I use Microsoft.AspNetCore.OpenApi together with the Swashbuckle package in the AddSwaggerton method. This caused me to remove Microsoft.AspNetCore.OpenApi from my API project and just use the Swashbuckle.AspNetCore NuGet package instead

For now, I'll stick with Swashbuckle 10.x and the new namespace using Microsoft.OpenApi; .

Thank you for the feedback :-)
Jack Dang (WICLOUD CORPORATION) 16,115 Reputation points Microsoft External Staff Moderator

2026-03-30T10:07:50.1033333+00:00

Hi @Thomas Borby Lancestremère ,

If my answer was helpful, I would greatly appreciate it if you could follow the instructions here so others with the same problem can benefit as well.
Thomas Borby Lancestremère 60 Reputation points

2026-03-30T10:08:32.8833333+00:00

Hi @Jack Dang (WICLOUD CORPORATION)

It’s true the issue occurs if I use Microsoft.AspNetCore.OpenApi together with the Swashbuckle package in the AddSwaggerGen method. This caused me to remove Microsoft.AspNetCore.OpenApi from my API project and just use the Swashbuckle.AspNetCore NuGet package instead.

For now, I’ll stick with Swashbuckle 10.x and the new namespace using Microsoft.OpenApi; .

Thank you for the feedback :-)

Answer 3

It works in .NET 9, but somehow not in .NET 10?

Please see the statement in the following github article. The statement means that Microsoft.OpenApi.Models is not available in Swashbuckle 10.x.

Migrating to Swashbuckle.AspNetCore v10

"Update any using directives that reference types from the Microsoft.OpenApi.Models namespace to use the new namespace Microsoft.OpenApi."

Swashbuckle 9.x include the Microsoft.OpenApi.Models. That's why "It works in .NET 9."

Therefore, try using the Swashbuckle 9.x. Do not use the Micosoft.AspNerCore.OpenApi to avoid possible conflict if any.

Shown below is working sample:

(1) Install SwaskBukle.AspNetCore 9.0.6. Uninstall Microsoft.OpenApi.Models if any.

enter image description here

(2) Program.cs

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using Microsoft.OpenApi.Models;
using System.Text;

namespace WebApi
{
    public class Program
    {
        public static void Main(string[] args)
        {
            var builder = WebApplication.CreateBuilder(args);

            // Add services to the container.

            builder.Services.AddControllers();

            // Resister authentication services with JWT Bearer
            builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = true,
                        ValidateAudience = true,
                        ValidateLifetime = true,
                        ValidateIssuerSigningKey = true,
                        ValidIssuer = builder.Configuration["Jwt:Issuer"],
                        ValidAudience = builder.Configuration["Jwt:Issuer"],
                        IssuerSigningKey = new SymmetricSecurityKey(
                            Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!))
                    };
                });

            // Register authorization services
            builder.Services.AddAuthorization();

            // Swagger / OpenAPI (Swashbuckle) with Bearer auth
            builder.Services.AddSwaggerGen(options =>
            {
                options.SwaggerDoc("v1", new OpenApiInfo
                {
                    Title = "My Web API",
                    Version = "v1"
                });

                options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
                {
                    Name = "Authorization",

                    // Use baerer token authorization header
                    Type = SecuritySchemeType.Http,

                    Scheme = "Bearer",
                    BearerFormat = "JWT",
                    In = ParameterLocation.Header,
                    Description = "Please enter token",
                });

                options.AddSecurityRequirement(new OpenApiSecurityRequirement
                {
                    {
                        new OpenApiSecurityScheme
                        {
                            Reference = new OpenApiReference
                            {
                                Type = ReferenceType.SecurityScheme,
                                Id = "Bearer"
                            }
                        },
                        new List<string>()
                    }
                });
            });

            var app = builder.Build();

            if (app.Environment.IsDevelopment())
            {
                app.UseSwagger();

                // Enabling Swagger UI
                app.UseSwaggerUI(options =>
                {
                    options.SwaggerEndpoint("/swagger/v1/swagger.json", "v1");
                });
            }

            app.UseHttpsRedirection();

            // Enable authentication and authorization middleware
            app.UseAuthentication();

            app.UseAuthorization();

            app.MapControllers();

            app.Run();
        }
    }
}

(3) Result

Initial display

Note that [Authorize] button appears as expected.

enter image description here

Windows to input token

This is shown on [Authorize] button click.

enter image description here

Thomas Borby Lancestremère 60 Reputation points

2026-03-30T10:04:49.0933333+00:00

Yeah, that makes sense. The issue happens if Microsoft.AspNetCore.OpenApi (or Microsoft.AspNetCore.Models) is used with Swashbuckle 10.x.

I removed Microsoft.AspNetCore.OpenApi and now stick with Swashbuckle 10.x and the new namespace Microsoft.OpenApi.

Everything works fine, and the "Authorize" button behaves as expected. Thanks for sharing the article - it really helped a lot :-)
SurferOnWww 5,921 Reputation points

2026-03-31T01:58:53.52+00:00

I removed Microsoft.AspNetCore.OpenApi and now stick with Swashbuckle 10.x and the new namespace Microsoft.OpenApi. Everything works fine, and the "Authorize" button behaves as expected.

Did you include the Security Requirement? If you use the code in my answer above, it will not pass the complier.

CS0117 'OpenApiSecurityScheme' does not contain a definition for 'Reference' CS0246 The type or namespace name 'OpenApiReference' could not be found

If you remove the code for the Security Requirement to avoid compile error, be aware that Swagger does not send the JWT.

Answer 4

Instead of using SwaggerGen + SwaggerUI as previously mentioned, it seems better to install SwaggerUI (UI only) in addition to the default Microsoft.AspNetCore.OpenApi, and then use a transformer to customize the OpenAPI documentation to display the [Authorize] button.

Shown below is sample:

Program.cd

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.OpenApi;
using Microsoft.IdentityModel.Tokens;
using Microsoft.OpenApi;
using System.Text;
 
namespace WebApi3
{
    public class Program
    {
        public static void Main(string[] args)
        {
            var builder = WebApplication.CreateBuilder(args);
 
            builder.Services.AddControllers();
 
            // JWT Authentication
            builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = true,
                        ValidateAudience = true,
                        ValidateLifetime = true,
                        ValidateIssuerSigningKey = true,
                        ValidIssuer = builder.Configuration["Jwt:Issuer"],
                        ValidAudience = builder.Configuration["Jwt:Issuer"],
                        IssuerSigningKey = new SymmetricSecurityKey(
                            Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!))
                    };
                });
 
            builder.Services.AddAuthorization();
 
            // Transformer for OpenAPI document
            builder.Services.AddOpenApi(options =>
            {
                options.AddDocumentTransformer((document, context, cancellationToken) =>
                {
                    document.Info = new OpenApiInfo
                    {
                        Title = "ASP.NET Core Web API",
                        Version = "v1",
                        Description = "ASP.NET Core Web API with JWT authentication. " +
                            "Target Framework is .NET 10. " +
                            "Built‑in OpenAPI + SwaggerUI are used."
                    };
 
                    // Add Security Scheme (JWT Bearer）
                    document.Components ??= new OpenApiComponents();
                    document.Components.SecuritySchemes ??=
                        new Dictionary<string, IOpenApiSecurityScheme>();
                    document.Components.SecuritySchemes.Add("Bearer",
                        new OpenApiSecurityScheme
                        {
                            Type = SecuritySchemeType.Http,
                            Scheme = "bearer",
                            BearerFormat = "JWT",
                            Description = "Please enter token"
                        });
 
                    // Add Security Requirement
                    document.Security ??= new List<OpenApiSecurityRequirement>();
                    document.Security.Add(
                        new OpenApiSecurityRequirement
                        {
                            [new OpenApiSecuritySchemeReference("Bearer", document)] = []
                        }
                    );
 
                    return Task.CompletedTask;
                });
            });
 
            var app = builder.Build();
 
            if (app.Environment.IsDevelopment())
            {
                app.MapOpenApi();
                app.UseSwaggerUI(options =>
                {
                    options.SwaggerEndpoint("/openapi/v1.json", "v1");
                });
            }
 
            app.UseHttpsRedirection();
 
            app.UseAuthentication();
            app.UseAuthorization();
 
            app.MapControllers();
 
            app.Run();
 
        }
    }
}

Answer 5

In .NET 10 the issue is not with JWT or Swagger itself, but with how OpenAPI/Swagger support is wired and which packages/namespaces are available.

Key points for .NET 10:

Microsoft.OpenApi.Models comes from Swashbuckle
- The Microsoft.OpenApi.Models types (such as OpenApiSecurityScheme, OpenApiSecurityRequirement, etc.) are provided by the Swashbuckle/OpenAPI libraries, not by ASP.NET Core itself.
- In .NET 9 and later, ASP.NET Core added built‑in OpenAPI support and stopped including Swashbuckle by default in new project templates.
- If the project targets .NET 10 and only uses the built‑in OpenAPI pipeline, the Microsoft.OpenApi.Models namespace will not be available unless Swashbuckle (or another OpenAPI library) is explicitly added.
Why the code works in .NET 9 but not in .NET 10
- In earlier templates (ASP.NET Core 8 and before), Swashbuckle was commonly included or assumed in samples, so Microsoft.OpenApi.Models was present.
- In .NET 9+ the recommended approach is the built‑in OpenAPI support; Swashbuckle is no longer included by default. The same applies when moving to .NET 10.
- As a result, code that directly uses Microsoft.OpenApi.Models will fail to compile in a new .NET 10 project unless Swashbuckle is added manually.
How to fix the compile error

There are two main options:

Option A – Continue using Swashbuckle-style configuration

If the goal is to keep using the AddSwaggerGen pattern exactly as shown:

Add the Swashbuckle package to the .NET 10 project (for example, Swashbuckle.AspNetCore).
Ensure the using Microsoft.OpenApi.Models; directive is present.
Keep the existing AddSwaggerGen configuration, adjusting only for any Swashbuckle v10 changes (for example, delegate-based security requirement configuration as described in the Q&A context).

This restores the Microsoft.OpenApi.Models namespace and allows the JWT security scheme configuration to compile and run as before.

Option B – Use the built‑in OpenAPI support in ASP.NET Core 9+

In .NET 9 and later, ASP.NET Core includes built‑in OpenAPI support that replaces Swashbuckle as the default. The recommended path is:

Use the built‑in OpenAPI document generation pipeline instead of Swashbuckle for the OpenAPI document.
If interactive testing via Swagger UI is still desired, follow the guidance in Use the generated OpenAPI documents to host Swagger UI against the built‑in OpenAPI document.
Configure authentication/authorization at the API level (JWT bearer, policies, etc.) and secure Swagger endpoints as needed using MapSwagger().RequireAuthorization.

This approach avoids direct dependency on Microsoft.OpenApi.Models and aligns with the new built‑in OpenAPI pipeline.

Securing Swagger in .NET 10

Regardless of whether Swashbuckle or the built‑in OpenAPI support is used, securing Swagger endpoints in .NET 10 follows the same pattern as in the current docs:

Call MapSwagger().RequireAuthorization() to protect the Swagger/OpenAPI endpoints.
Use a valid JWT bearer token when calling the Swagger JSON or UI, for example via Curl:

curl -i -H "Authorization: Bearer {TOKEN}" https://localhost:{PORT}/swagger/v1/swagger.json

Summary of the cause and solution

Cause: New .NET 10 project uses the built‑in OpenAPI pipeline and does not include Swashbuckle, so Microsoft.OpenApi.Models is missing.
Solution:
- Either add Swashbuckle back to the project and keep using Microsoft.OpenApi.Models and AddSwaggerGen, or
- Migrate to the built‑in OpenAPI support and configure security using the new pipeline and MapSwagger().RequireAuthorization.

Once Swashbuckle is explicitly referenced (Option A) or the configuration is updated to the built‑in OpenAPI model (Option B), the compile errors disappear and JWT‑protected endpoints can again be tested via Swagger UI.

References:

Share via

.NET 10 issues with OpenApi

2 additional answers

Your answer