The Authdog Go SDK validates sessions in Go services. It ships Gin middleware out of the box and framework-agnostic primitives for net/http, chi, and Echo. For the model behind it, see Backend requests.
Install
go get github.com/authdog/web-sdk/packages/go@latestimport authdog "github.com/authdog/web-sdk/packages/go"Requires Go 1.25. The Gin bindings depend on github.com/gin-gonic/gin.
Configure
Create the client once with your environment's public key (pk_...). It's validated at startup, so a bad key errors immediately:
ad, err := authdog.New(authdog.Config{
PublicKey: os.Getenv("PK_AUTHDOG"),
})
if err != nil {
log.Fatal(err)
}Config also accepts FetchUser *bool (opt out of the userinfo call) and a custom HTTPClient. For self-hosted identity, allowlist hosts with the AUTHDOG_ALLOWED_IDENTITY_HOSTS environment variable.
Attach and protect (Gin)
AttachSession() is a non-blocking middleware that stores the resolved session; read it with authdog.FromGin(c). RequireAuth() is the guard — it aborts with 401 {"error":"Unauthorized"}:
r := gin.Default()
r.Use(ad.AttachSession())
r.GET("/me", ad.RequireAuth(), func(c *gin.Context) {
c.JSON(http.StatusOK, authdog.FromGin(c).User)
})
r.GET("/logout", ad.Logout)
r.Run(":3000")The session Context has the shape:
type Context struct {
Token string
User any
IsAuthenticated bool
UserInfo *UserInfoResponse
}Resolving a session tells you who the caller is — pair it with your environment's authorization model to decide what they can do.
Other routers
For net/http, chi, or Echo, compose the framework-agnostic core directly: ValidateAndParsePublicKey, GetSessionToken, FetchUserData, IsAuthenticatedUserInfo, and SanitizeRedirectPath.
Service-to-service
Machine-to-machine callers send their token as Authorization: Bearer <token>; it resolves on the same path as a browser session. See Backend requests.
Next steps
- Backend requests — the verification model across every backend SDK.
- Calling the REST API — read users and organizations once a request is authenticated.