The Authdog Go SDK validates sessions in Go services. It ships Gin middleware out of the box and framework-agnostic primitives for `net/http`, chi, and Echo. For the model behind it, see [Backend requests](/docs/backend).

## Install

```bash
go get github.com/authdog/web-sdk/packages/go@latest
```

```go
import authdog "github.com/authdog/web-sdk/packages/go"
```

Requires Go 1.25. The Gin bindings depend on `github.com/gin-gonic/gin`.

## Configure

Create the client once with your environment's **public key** (`pk_...`). It's validated at startup, so a bad key errors immediately:

```go
ad, err := authdog.New(authdog.Config{
    PublicKey: os.Getenv("PK_AUTHDOG"),
})
if err != nil {
    log.Fatal(err)
}
```

`Config` also accepts `FetchUser *bool` (opt out of the `userinfo` call) and a custom `HTTPClient`. For self-hosted identity, allowlist hosts with the `AUTHDOG_ALLOWED_IDENTITY_HOSTS` environment variable.

## Attach and protect (Gin)

`AttachSession()` is a non-blocking middleware that stores the resolved session; read it with `authdog.FromGin(c)`. `RequireAuth()` is the guard — it aborts with `401 {"error":"Unauthorized"}`:

```go
r := gin.Default()
r.Use(ad.AttachSession())

r.GET("/me", ad.RequireAuth(), func(c *gin.Context) {
    c.JSON(http.StatusOK, authdog.FromGin(c).User)
})

r.GET("/logout", ad.Logout)
r.Run(":3000")
```

The session `Context` has the shape:

```go
type Context struct {
    Token           string
    User            any
    IsAuthenticated bool
    UserInfo        *UserInfoResponse
}
```

Resolving a session tells you *who* the caller is — pair it with your environment's [authorization](/docs/concepts/authorization) model to decide *what* they can do.

## Other routers

For `net/http`, chi, or Echo, compose the framework-agnostic core directly: `ValidateAndParsePublicKey`, `GetSessionToken`, `FetchUserData`, `IsAuthenticatedUserInfo`, and `SanitizeRedirectPath`.

## Service-to-service

Machine-to-machine callers send their token as `Authorization: Bearer <token>`; it resolves on the same path as a browser session. See [Backend requests](/docs/backend#service-to-service-m2m).

## Next steps

- [Backend requests](/docs/backend) — the verification model across every backend SDK.
- [Calling the REST API](/docs/api) — read users and organizations once a request is authenticated.
