Earlier today, I was struggling a bit to get a .NET Core application’s authentication mechanism to behave appropriately for both MVC (view) and API (ajax/json) requests. In .NET Core 2.x, handling this is not as straight-forward as it could be, but it’s doable. Effectively, we want a user requesting a view through a normal browser request to get an authentication challenge / login page, but we want API requests to receive a 401 response and end it there. Under normal circumstances, though, both types of requests would receive the login page.
More Link