If this is a browser application and you are worried about security, you may already have some kind of authentication mechanism (cookies, sessions, something). All this is available from WCF services (I assume that you are using webHttpBinding or basicHttpBinding?) Through the WebOperationContext.Current.IncomingRequest property . You can check / check the cookie (or something else) from your service code or write a pass-through MessageInspector to apply the check to all methods of the service behavior. WCF services can also be integrated with traditional ASP.NET authentication (forms, etc.) if you host this service with a compatibility flag . The browser application logs in normally, and your service can use credentials / token / something else.