JWT Tokens in Golang: A Developer's Guide to Secure APIs-Golang-php.cn

Home

Backend Development

Golang

JWT Tokens in Golang: A Developer's Guide to Secure APIs

Mary-Kate Olsen

Jan 14, 2025 pm 08:06 PM

JWT Tokens in Golang: A Developer’s Guide to Secure APIs

Introduction

In modern web development, secure and scalable authentication is crucial. JSON Web Tokens (JWT) have become the standard way to achieve this goal. In this blog post, we will explore what JWT is, how it works, and how to implement it in Golang.

What is JWT?

JSON Web Token (JWT) is a compact, URL-safe way of representing claims for securely transmitting claims between two parties. It is commonly used to authenticate and authorize users in APIs and distributed systems.

Structure of JWT

A JWT consists of three parts separated by dots (.):

<code>Header.Payload.Signature</code>

Example:

<code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.reGQzG3OKdoIMWLDKOZ4TICJit3EW69cQE72E2CfzRE</code>

Each part is:

Header: Specifies the token type (JWT) and signature algorithm (HS256).

<code>{
  "alg": "HS256",
  "typ": "JWT"
}</code>

Payload: Contains claims (user data such as ID, role or name).

<code>{
    "sub": "1234567890",
    "name": "John Doe",
    "admin": true,
    "iat": 1516239022
}</code>

Signature: Uses a cryptographic signing process to ensure the integrity of the token. Let’s explore this in detail.

How to create a signature:

Connect the encoded Header and Payload:
<code>  base64UrlEncode(header) + "." + base64UrlEncode(payload)</code>
Sign the result:

Use a cryptographic signature algorithm (e.g., HMACSHA256, RS256) using a secret key or private key.

Additional signature: The final JWT becomes
<code>  header.payload.signature</code>

How JWT works

The client sends login credentials to the server.
If valid, the server will generate the JWT and return it to the client.
Client stores JWT (e.g. in localStorage or cookie).
For every request, the client includes the JWT in the Authorization header: Authorization: Bearer
The server validates the JWT on every request.
- Recalculate the signature using the received Header and Payload.
- Compare the recalculated signature with the received signature.

Implementing JWT in Golang

Golang developers can leverage the excellent golang-jwt/jwt library to handle JWT. This library provides powerful functionality for creating, signing, and validating JWTs. You can find it here.

However, managing JWTs often requires repetitive tasks such as configuring signing methods, parsing tokens, and validating claims. To simplify this, I wrote a custom package to wrap the functionality of golang-jwt. You can view my package here. Here is an example of how to use my custom JWT package.

package main

import (
    "context"
    "fmt"
    "log"
    "time"

    "github.com/golang-jwt/jwt/v5"
    jwtutil "github.com/kittipat1413/go-common/util/jwt"
)

type MyCustomClaims struct {
    jwt.RegisteredClaims
    UserID string `json:"uid"`
}

func main() {
    ctx := context.Background()
    signingKey := []byte("super-secret-key")
    manager, err := jwtutil.NewJWTManager(jwtutil.HS256, signingKey)
    if err != nil {
        log.Fatalf("Failed to create JWTManager: %v", err)
    }

    // Prepare custom claims
    claims := &MyCustomClaims{
        RegisteredClaims: jwt.RegisteredClaims{
            ExpiresAt: jwt.NewNumericDate(time.Now().Add(15 * time.Minute)),
            Issuer:    "example-HS256",
            Subject:   "example-subject",
        },
        UserID: "abc123",
    }

    // Create the token
    tokenStringHS256, err := manager.CreateToken(ctx, claims)
    if err != nil {
        log.Fatalf("Failed to create token: %v", err)
    }
    fmt.Println("Generated Token:", tokenStringHS256)

    // Validate the token
    parsedClaims := &MyCustomClaims{}
    err = manager.ParseAndValidateToken(ctx, tokenStringHS256, parsedClaims)
    if err != nil {
        log.Fatalf("Failed to validate token: %v", err)
    }

    fmt.Printf("Token is valid! UserID: %s, Issuer: %s\n", parsedClaims.UserID, parsedClaims.Issuer)
}

You can browse the full implementation and documentation of my package on GitHub: here.

JWT Best Practices

Use HTTPS: Always transfer tokens over a secure channel.
Set expiration time: Include reasonable exp to limit token abuse.
Protect your keys: Store your keys securely using environment variables or a key manager.
Avoid using sensitive data in the payload: Include only non-critical information.
Use refresh token: Pair a JWT with a refresh token to extend the session securely.

Conclusion ?

JWT is a powerful tool for secure, stateless authentication. The signature ensures the integrity and authenticity of the token, making JWT ideal for APIs and distributed systems. Using libraries like jwt-go you can easily implement JWT in your Golang project.

☕ Support my work ☕

If you like my work, please consider buying me a coffee! Your support helps me continue to create valuable content and share knowledge. ☕

The above is the detailed content of JWT Tokens in Golang: A Developer's Guide to Secure APIs. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Golang: The Go Programming Language ExplainedApr 10, 2025 am 11:18 AM

The core features of Go include garbage collection, static linking and concurrency support. 1. The concurrency model of Go language realizes efficient concurrent programming through goroutine and channel. 2. Interfaces and polymorphisms are implemented through interface methods, so that different types can be processed in a unified manner. 3. The basic usage demonstrates the efficiency of function definition and call. 4. In advanced usage, slices provide powerful functions of dynamic resizing. 5. Common errors such as race conditions can be detected and resolved through getest-race. 6. Performance optimization Reuse objects through sync.Pool to reduce garbage collection pressure.

Golang's Purpose: Building Efficient and Scalable SystemsApr 09, 2025 pm 05:17 PM

Go language performs well in building efficient and scalable systems. Its advantages include: 1. High performance: compiled into machine code, fast running speed; 2. Concurrent programming: simplify multitasking through goroutines and channels; 3. Simplicity: concise syntax, reducing learning and maintenance costs; 4. Cross-platform: supports cross-platform compilation, easy deployment.

Why do the results of ORDER BY statements in SQL sorting sometimes seem random?Apr 02, 2025 pm 05:24 PM

Confused about the sorting of SQL query results. In the process of learning SQL, you often encounter some confusing problems. Recently, the author is reading "MICK-SQL Basics"...

Is technology stack convergence just a process of technology stack selection?Apr 02, 2025 pm 05:21 PM

The relationship between technology stack convergence and technology selection In software development, the selection and management of technology stacks are a very critical issue. Recently, some readers have proposed...

Will improper use of Golang mutex cause 'fatal error: sync: unlock of unlocked mutex' error? How to avoid this problem?Apr 02, 2025 pm 05:18 PM

Golang ...

How to use reflection comparison and handle the differences between three structures in Go?Apr 02, 2025 pm 05:15 PM

How to compare and handle three structures in Go language. In Go programming, it is sometimes necessary to compare the differences between two structures and apply these differences to the...

How to view globally installed packages in Go?Apr 02, 2025 pm 05:12 PM

How to view globally installed packages in Go? In the process of developing with Go language, go often uses...

What should I do if the custom structure labels in GoLand are not displayed?Apr 02, 2025 pm 05:09 PM

What should I do if the custom structure labels in GoLand are not displayed? When using GoLand for Go language development, many developers will encounter custom structure tags...

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

1 weeks agoByDDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

WWE 2K25: How To Unlock Everything In MyRise

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),