I am implementing the simple web service that grants access via usual login and api login with some token. I have googled a bit for good solution but found it for asp.net mvc 5 application only (original article - Secure ASP.NET Web API using API Key Authentication – HMAC Authentication).
So it is something that helps me to do the same stuff for asp.net core that I am using for my web services.
First of all, I went through great workshop related to the various new pieces in ASP.NET Core Authorization - AspNetAuthorizationWorkshop. Also, check out the great article about Filters.