Introduction
In modern web development, secure and scalable authentication is crucial. JSON Web Tokens (JWT) have become the standard way to achieve this goal. In this blog post, we will explore what JWT is, how it works, and how to implement it in Golang.
What is JWT?
JSON Web Token (JWT) is a compact, URL-safe way of representing claims for securely transmitting claims between two parties. It is commonly used to authenticate and authorize users in APIs and distributed systems.
Structure of JWT
A JWT consists of three parts separated by dots (.):
<code>Header.Payload.Signature</code>
Example:
<code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.reGQzG3OKdoIMWLDKOZ4TICJit3EW69cQE72E2CfzRE</code>
Each part is:
- Header: Specifies the token type (JWT) and signature algorithm (HS256).
<code>{
"alg": "HS256",
"typ": "JWT"
}</code>
- Payload: Contains claims (user data such as ID, role or name).
<code>{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022
}</code>
- Signature: Uses a cryptographic signing process to ensure the integrity of the token. Let’s explore this in detail.
How to create a signature:
- Connect the encoded Header and Payload:
<code> base64UrlEncode(header) + "." + base64UrlEncode(payload)</code>
- Sign the result:
- Use a cryptographic signature algorithm (e.g., HMACSHA256, RS256) using a secret key or private key.
- Additional signature: The final JWT becomes
<code> header.payload.signature</code>
How JWT works
- The client sends login credentials to the server.
- If valid, the server will generate the JWT and return it to the client.
- Client stores JWT (e.g. in localStorage or cookie).
- For every request, the client includes the JWT in the Authorization header: Authorization: Bearer
- The server validates the JWT on every request.
- Recalculate the signature using the received Header and Payload.
- Compare the recalculated signature with the received signature.
Implementing JWT in Golang
Golang developers can leverage the excellent golang-jwt/jwt library to handle JWT. This library provides powerful functionality for creating, signing, and validating JWTs. You can find it here.
However, managing JWTs often requires repetitive tasks such as configuring signing methods, parsing tokens, and validating claims. To simplify this, I wrote a custom package to wrap the functionality of golang-jwt. You can view my package here. Here is an example of how to use my custom JWT package.
package main
import (
"context"
"fmt"
"log"
"time"
"github.com/golang-jwt/jwt/v5"
jwtutil "github.com/kittipat1413/go-common/util/jwt"
)
type MyCustomClaims struct {
jwt.RegisteredClaims
UserID string `json:"uid"`
}
func main() {
ctx := context.Background()
signingKey := []byte("super-secret-key")
manager, err := jwtutil.NewJWTManager(jwtutil.HS256, signingKey)
if err != nil {
log.Fatalf("Failed to create JWTManager: %v", err)
}
// Prepare custom claims
claims := &MyCustomClaims{
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(time.Now().Add(15 * time.Minute)),
Issuer: "example-HS256",
Subject: "example-subject",
},
UserID: "abc123",
}
// Create the token
tokenStringHS256, err := manager.CreateToken(ctx, claims)
if err != nil {
log.Fatalf("Failed to create token: %v", err)
}
fmt.Println("Generated Token:", tokenStringHS256)
// Validate the token
parsedClaims := &MyCustomClaims{}
err = manager.ParseAndValidateToken(ctx, tokenStringHS256, parsedClaims)
if err != nil {
log.Fatalf("Failed to validate token: %v", err)
}
fmt.Printf("Token is valid! UserID: %s, Issuer: %s\n", parsedClaims.UserID, parsedClaims.Issuer)
}You can browse the full implementation and documentation of my package on GitHub: here.
JWT Best Practices
- Use HTTPS: Always transfer tokens over a secure channel.
- Set expiration time: Include reasonable exp to limit token abuse.
- Protect your keys: Store your keys securely using environment variables or a key manager.
- Avoid using sensitive data in the payload: Include only non-critical information.
- Use refresh token: Pair a JWT with a refresh token to extend the session securely.
Conclusion ?
JWT is a powerful tool for secure, stateless authentication. The signature ensures the integrity and authenticity of the token, making JWT ideal for APIs and distributed systems. Using libraries like jwt-go you can easily implement JWT in your Golang project.
☕ Support my work ☕
If you like my work, please consider buying me a coffee! Your support helps me continue to create valuable content and share knowledge. ☕
The above is the detailed content of JWT Tokens in Golang: A Developer's Guide to Secure APIs. For more information, please follow other related articles on the PHP Chinese website!
Testing Code that Relies on init Functions in GoMay 03, 2025 am 12:20 AMWhentestingGocodewithinitfunctions,useexplicitsetupfunctionsorseparatetestfilestoavoiddependencyoninitfunctionsideeffects.1)Useexplicitsetupfunctionstocontrolglobalvariableinitialization.2)Createseparatetestfilestobypassinitfunctionsandsetupthetesten
Comparing Go's Error Handling Approach to Other LanguagesMay 03, 2025 am 12:20 AMGo'serrorhandlingreturnserrorsasvalues,unlikeJavaandPythonwhichuseexceptions.1)Go'smethodensuresexpliciterrorhandling,promotingrobustcodebutincreasingverbosity.2)JavaandPython'sexceptionsallowforcleanercodebutcanleadtooverlookederrorsifnotmanagedcare
Best Practices for Designing Effective Interfaces in GoMay 03, 2025 am 12:18 AMAneffectiveinterfaceinGoisminimal,clear,andpromotesloosecoupling.1)Minimizetheinterfaceforflexibilityandeaseofimplementation.2)Useinterfacesforabstractiontoswapimplementationswithoutchangingcallingcode.3)Designfortestabilitybyusinginterfacestomockdep
Centralized Error Handling Strategies in GoMay 03, 2025 am 12:17 AMCentralized error handling can improve the readability and maintainability of code in Go language. Its implementation methods and advantages include: 1. Separate error handling logic from business logic and simplify code. 2. Ensure the consistency of error handling by centrally handling. 3. Use defer and recover to capture and process panics to enhance program robustness.
Alternatives to init Functions for Package Initialization in GoMay 03, 2025 am 12:17 AMInGo,alternativestoinitfunctionsincludecustominitializationfunctionsandsingletons.1)Custominitializationfunctionsallowexplicitcontroloverwheninitializationoccurs,usefulfordelayedorconditionalsetups.2)Singletonsensureone-timeinitializationinconcurrent
Type Assertions and Type Switches with Go InterfacesMay 02, 2025 am 12:20 AMGohandlesinterfacesandtypeassertionseffectively,enhancingcodeflexibilityandrobustness.1)Typeassertionsallowruntimetypechecking,asseenwiththeShapeinterfaceandCircletype.2)Typeswitcheshandlemultipletypesefficiently,usefulforvariousshapesimplementingthe
Using errors.Is and errors.As for Error Inspection in GoMay 02, 2025 am 12:11 AMGo language error handling becomes more flexible and readable through errors.Is and errors.As functions. 1.errors.Is is used to check whether the error is the same as the specified error and is suitable for the processing of the error chain. 2.errors.As can not only check the error type, but also convert the error to a specific type, which is convenient for extracting error information. Using these functions can simplify error handling logic, but pay attention to the correct delivery of error chains and avoid excessive dependence to prevent code complexity.
Performance Tuning in Go: Optimizing Your ApplicationsMay 02, 2025 am 12:06 AMTomakeGoapplicationsrunfasterandmoreefficiently,useprofilingtools,leverageconcurrency,andmanagememoryeffectively.1)UsepprofforCPUandmemoryprofilingtoidentifybottlenecks.2)Utilizegoroutinesandchannelstoparallelizetasksandimproveperformance.3)Implement
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SublimeText3 Chinese version
Chinese version, very easy to use
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
