Authdog

Go

Last updated Jul 11, 2026
View as Markdown

The Authdog Go SDK validates sessions in Go services. It ships Gin middleware out of the box and framework-agnostic primitives for net/http, chi, and Echo. For the model behind it, see Backend requests.

Install

Bash
go get github.com/authdog/web-sdk/packages/go@latest
Go
import authdog "github.com/authdog/web-sdk/packages/go"

Requires Go 1.25. The Gin bindings depend on github.com/gin-gonic/gin.

Configure

Create the client once with your environment's public key (pk_...). It's validated at startup, so a bad key errors immediately:

Go
ad, err := authdog.New(authdog.Config{
    PublicKey: os.Getenv("PK_AUTHDOG"),
})
if err != nil {
    log.Fatal(err)
}

Config also accepts FetchUser *bool (opt out of the userinfo call) and a custom HTTPClient. For self-hosted identity, allowlist hosts with the AUTHDOG_ALLOWED_IDENTITY_HOSTS environment variable.

Attach and protect (Gin)

AttachSession() is a non-blocking middleware that stores the resolved session; read it with authdog.FromGin(c). RequireAuth() is the guard — it aborts with 401 {"error":"Unauthorized"}:

Go
r := gin.Default()
r.Use(ad.AttachSession())

r.GET("/me", ad.RequireAuth(), func(c *gin.Context) {
    c.JSON(http.StatusOK, authdog.FromGin(c).User)
})

r.GET("/logout", ad.Logout)
r.Run(":3000")

The session Context has the shape:

Go
type Context struct {
    Token           string
    User            any
    IsAuthenticated bool
    UserInfo        *UserInfoResponse
}

Resolving a session tells you who the caller is — pair it with your environment's authorization model to decide what they can do.

Other routers

For net/http, chi, or Echo, compose the framework-agnostic core directly: ValidateAndParsePublicKey, GetSessionToken, FetchUserData, IsAuthenticatedUserInfo, and SanitizeRedirectPath.

Service-to-service

Machine-to-machine callers send their token as Authorization: Bearer <token>; it resolves on the same path as a browser session. See Backend requests.

Next steps