Labsco
auth0 logo

go-jwt-middleware

37

by auth0 · part of auth0/agent-skills

Use when securing Go HTTP API endpoints with JWT Bearer token validation, scope/permission checks, or stateless auth. Integrates…

🔥🔥🔥🔥✓ VerifiedFreeAdvanced setup
🧩 One of 7 skills in the auth0/agent-skills package — works on its own, and pairs well with its siblings.

Use when securing Go HTTP API endpoints with JWT Bearer token validation, scope/permission checks, or stateless auth. Integrates…

Inspect the full instructions your agent will receiveExpand

This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.

by auth0

Use when securing Go HTTP API endpoints with JWT Bearer token validation, scope/permission checks, or stateless auth. Integrates… npx skills add https://github.com/auth0/agent-skills --skill go-jwt-middleware Download ZIPGitHub37

Go JWT Middleware Integration

Protect Go HTTP API endpoints with JWT access token validation using github.com/auth0/go-jwt-middleware/v3.

Agent instruction: Before providing SDK setup instructions, fetch the latest release version by running:

Copy & paste — that's it
gh api repos/auth0/go-jwt-middleware/releases/latest --jq '.tag_name'

Use the returned version in all dependency lines instead of any hardcoded version below.

When NOT to Use

  • Go server-rendered web applications - Use go-auth0 for session-based web apps

  • Single Page Applications - Use auth0-react, auth0-vue, or auth0-angular for client-side auth

  • Mobile applications - Use auth0-swift, auth0-android, or auth0-react-native

  • Non-Go backends - Use auth0-aspnetcore-api for .NET, express-jwt for Node.js

Scope-Based Authorization

See Integration Guide for defining and enforcing scope and permission policies.

DPoP Support

Built-in proof-of-possession token binding per RFC 9449. See Integration Guide for configuration.

Related Skills

  • auth0-quickstart - Basic Auth0 setup

  • auth0-mfa - Add Multi-Factor Authentication

Quick Reference

Configuration Options:

  • validator.WithKeyFunc(provider.KeyFunc) - JWKS key function for signature verification (required)

  • validator.WithAlgorithm(validator.RS256) - Expected signing algorithm (required)

  • validator.WithIssuer(url) - Token issuer URL with trailing slash (required)

  • validator.WithAudience(aud) - API Identifier from Auth0 API settings (required)

  • validator.WithCustomClaims(fn) - Factory for custom claims struct

  • validator.WithAllowedClockSkew(d) - Clock skew tolerance

Claims Access:

  • jwtmiddleware.GetClaims[*validator.ValidatedClaims](r.Context()) - Type-safe claims retrieval

  • claims.RegisteredClaims.Subject - User ID (sub)

  • claims.CustomClaims.(*CustomClaims).Scope - Space-separated scopes

  • claims.CustomClaims.(*CustomClaims).Permissions - Permission strings

Common Use Cases:

Detailed Documentation

  • Setup Guide - Auth0 CLI setup, environment configuration

  • Integration Guide - Scope policies, DPoP, framework adapters, error handling

  • API Reference - Complete configuration options and validator/middleware reference

References