Go SDK for AuthGate. Requires Go 1.25+.

```sh
go get github.com/go-authgate/sdk-go
```

| Package | Description |
|---|---|
| credstore | Secure credential storage with OS keyring integration and file-based fallback |
| oauth | OAuth 2.0 token client (Device Code, Auth Code, Client Credentials, Refresh, Revoke, Introspect, UserInfo) |
| discovery | OIDC auto-discovery from /.well-known/openid-configuration with caching |
| authflow | CLI flow orchestration (Device Code polling, Auth Code + PKCE, auto-refresh TokenSource with persistent storage) |
| middleware | net/http Bearer token validation middleware (online: tokeninfo / introspection per request) |
| jwksauth | net/http Bearer token validation middleware (offline: cached JWKS, single + multi-issuer) |
| clientcreds | Thread-safe Client Credentials token source with auto-cache, HTTPClient() and RoundTripper() for M2M |

```
credstore (storage) discovery (OIDC endpoint URLs)
| \ |
| \ v
| +----> oauth <---+
| / | \
| / | \
v v v v
+------> authflow middleware clientcreds
```

jwksauth — standalone (wraps coreos/go-oidc); no dependency on the OAuth client stack

middleware and jwksauth solve the same problem (validate an incoming
Authorization: Bearer … header) with different trade-offs:

| Concern | jwksauth (offline JWKS) | middleware (online endpoint) |
|---|---|---|
| Per-request round-trips | None (signature math only) | One per request (tokeninfo/introspect) |
| Verification latency | Microseconds | 10–50 ms + auth-server tail |
| Revocation visibility | After exp of the access token | Instant |
| Survives auth-server outage | Yes (after first JWKS fetch) | No |
| Opaque (non-JWT) tokens | Not supported | Supported |
| Multi-issuer support | Built-in (MultiVerifier) | One client per issuer |
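
The revocation-visibility row above, as an added example (not code from the SDK; it uses only the Go standard library and none of the jwksauth or middleware APIs). Assumptions: a constructed token of the form `<exp>.<signature>` stands in for a signed JWT, a local httptest server stands in for the issuer's online check, and `verifyOffline`, `verifyOnline` and `Demo` are hypothetical names.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// verifyOffline checks signature and expiry using only the cached public key.
func verifyOffline(pub ed25519.PublicKey, tok string) bool {
	p, s, _ := strings.Cut(tok, ".")
	sig, errSig := base64.RawURLEncoding.DecodeString(s)
	exp, errExp := time.Parse(time.RFC3339, p)
	return errSig == nil && errExp == nil && ed25519.Verify(pub, []byte(p), sig) && time.Now().Before(exp)
}

// verifyOnline asks the issuer on every call and fails closed on any error.
func verifyOnline(endpoint, tok string) bool {
	resp, err := http.PostForm(endpoint, url.Values{"token": {tok}})
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// Demo returns {offline, online} verdicts for one token: issued, then revoked.
func Demo() [2][2]bool {
	pub, priv, _ := ed25519.GenerateKey(nil)
	var live sync.Map // constructed issuer state: tokens not yet revoked
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := live.Load(r.FormValue("token")); !ok {
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
	defer srv.Close()
	p := time.Now().Add(time.Hour).UTC().Format(time.RFC3339) // payload: expiry only (constructed)
	tok := p + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(p)))
	live.Store(tok, true)
	issued := [2]bool{verifyOffline(pub, tok), verifyOnline(srv.URL, tok)}
	live.Delete(tok) // revoke at the issuer; exp is still an hour away
	return [2][2]bool{issued, {verifyOffline(pub, tok), verifyOnline(srv.URL, tok)}}
}

func main() { fmt.Println(Demo()) }
```

The offline verdict for the revoked token only changes once its exp passes, so the access-token lifetime bounds how long a revoked token is still accepted by an offline validator.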

```sh
# Run tests
make test
# Run linter
make lint
# Format code
make fmt
```

See the LICENSE file for details.