GoKit's hash package gives you production-ready password hashing out of the box. It supports both bcrypt (the default) and Argon2id, validates password length automatically, detects which algorithm was used on verification so you can migrate algorithms gradually, and provides cryptographically secure token generation for flows like password resets and email verification.
Import
Algorithm type and constants
The Algorithm type selects the hashing algorithm used for new passwords. Two constants are defined:
Config.Algorithm when calling Configure. The default is AlgBcrypt.
Overview
The package ships with safe defaults so you can start hashing without any configuration. When you call Verify, the algorithm is detected automatically from the hash's prefix, meaning you can switch your app from bcrypt to Argon2id without invalidating any stored hashes. Existing bcrypt hashes keep working, and new hashes are written in Argon2id format.
bcrypt
The default algorithm. Fast, widely supported, and appropriate for most applications. Configure the work factor with BcryptCost.
Argon2id
The modern standard. More resistant to GPU and ASIC brute-force attacks. Recommended for security-critical systems.
Core API
hash.Hash
- Password is empty
- Password is shorter than MinLength (default: 8 characters)
- Password is longer than MaxLength (default: 128 characters)
hash.Verify
| Hash prefix | Algorithm detected |
|---|---|
| $2a$, $2b$, $2y$ | bcrypt |
| $argon2id$ | Argon2id |
hash.NeedsRehash
Returns true if a bcrypt hash was produced at a lower cost factor than the one currently configured. This lets you silently upgrade password security at login time, without forcing users to reset their passwords.
Returns true for hashes with an unknown algorithm format as well.
NeedsRehash always returns false for Argon2id hashes: parameter comparison for Argon2 is not yet implemented. If you switch Argon2 parameters and need to detect stale hashes, compare the parameters embedded in the hash string manually.
hash.GenerateSecureToken
hash.GenerateRandomToken
Like GenerateSecureToken, but lets you specify the number of random bytes. A length of 0 or negative returns an error.
Configuration
Call hash.Configure once at startup (e.g. in main or an init function) to change the algorithm or tune parameters. Any fields left as zero values fall back to their defaults.
Configure sets global state protected by a sync.RWMutex. It is safe to call from any goroutine, but calling it after the application has started serving requests will immediately affect all subsequent Hash calls.
Config fields
Which algorithm to use for new hashes. Either hash.AlgBcrypt or hash.AlgArgon2. Does not affect verification of existing hashes.
The bcrypt work factor. Higher values are slower but more resistant to brute force. Valid range is bcrypt.MinCost (4) to bcrypt.MaxCost (31).
Minimum password length in Unicode code points. Hash returns an error for passwords shorter than this.
Maximum password length in Unicode code points. Hash returns an error for passwords longer than this.
Parameters for Argon2id hashing. Only used when Algorithm is hash.AlgArgon2.
Argon2Params fields
Memory usage in KiB. Higher values increase resistance to parallel attacks.
Number of passes (time cost). Increase to trade CPU time for greater resistance.
Number of parallel threads. Should match your CPU core count or be set conservatively.
Random salt size in bytes. 16 bytes (128 bits) is the recommended minimum.
Output hash size in bytes. 32 bytes (256 bits) provides a strong output.
Example: Switch to Argon2id
hash.Hash produces $argon2id$... strings. Existing bcrypt hashes stored in your database still verify correctly because Verify detects the algorithm automatically.
Example: Increase bcrypt cost
Example: Rehash on login
Use NeedsRehash during login to transparently upgrade stored hashes when you raise the cost factor, with no password resets required.
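Because NeedsRehash does not compare Argon2id parameters, the manual comparison mentioned in its section can be done by parsing the stored string at login. The following is an added example, not GoKit code: argon2Params, parseArgon2id and argon2Stale are hypothetical names, and it assumes the stored hash uses the common `$argon2id$v=19$m=..,t=..,p=..$salt$key` layout with unpadded base64.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// argon2Params mirrors the values embedded in an encoded hash (hypothetical type).
type argon2Params struct {
	Memory, Iterations uint32 // Memory is in KiB
	Parallelism        uint8
	SaltLen, KeyLen    int // bytes
}

// parseArgon2id reads "$argon2id$v=19$m=..,t=..,p=..$salt$key".
// Assumption: the stored hash uses this layout with unpadded base64.
func parseArgon2id(encoded string) (argon2Params, error) {
	var p argon2Params
	f := strings.Split(encoded, "$")
	if len(f) != 6 || f[0] != "" || f[1] != "argon2id" || f[2] != "v=19" {
		return p, errors.New("not an argon2id v=19 hash")
	}
	if _, err := fmt.Sscanf(f[3], "m=%d,t=%d,p=%d", &p.Memory, &p.Iterations, &p.Parallelism); err != nil {
		return p, fmt.Errorf("bad parameter field: %w", err)
	}
	salt, err1 := base64.RawStdEncoding.DecodeString(f[4])
	key, err2 := base64.RawStdEncoding.DecodeString(f[5])
	if err1 != nil || err2 != nil {
		return p, errors.New("bad base64 in salt or key")
	}
	p.SaltLen, p.KeyLen = len(salt), len(key)
	return p, nil
}

// argon2Stale reports whether a stored hash differs from the wanted parameters.
// Unparseable input counts as stale, like NeedsRehash for unknown formats.
func argon2Stale(encoded string, want argon2Params) bool {
	got, err := parseArgon2id(encoded)
	return err != nil || got != want
}

func main() {
	// Constructed sample: all-zero 16-byte salt and 32-byte key, not a real hash.
	old := "$argon2id$v=19$m=19456,t=2,p=1$" + strings.Repeat("A", 22) + "$" + strings.Repeat("A", 43)
	want := argon2Params{Memory: 65536, Iterations: 3, Parallelism: 2, SaltLen: 16, KeyLen: 32}
	fmt.Println("rehash needed:", argon2Stale(old, want))
}
```

Run the check only after Verify has succeeded, while the plaintext password is still available to produce the replacement hash.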
Security notes
Configure is global and affects every subsequent call to Hash. Call it once at application startup before serving any requests. If you need per-request or per-handler algorithm control, manage your own Config values and call the underlying bcrypt/argon2 functions directly.