GoKit’sDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/AndresGT/GoKit/llms.txt
Use this file to discover all available pages before exploring further.
jwt package provides a complete token lifecycle for Go APIs: generate HS256-signed access tokens and refresh tokens, validate them with strict security checks (signature, expiry, not-before, issuer, and algorithm), and issue new token pairs from a valid refresh token — all with a thread-safe global configuration that you set once at startup.
Import
Configuration
jwt.Configure must be called once before any other function in this package — typically in main or an init function. It sets the signing secrets, token durations, issuer string, and signing method globally.
Config fields
HMAC signing key for access tokens. Minimum 32 characters. Panics on
Configure if missing or too short. Store this in an environment variable — never hard-code it in source.Separate HMAC signing key for refresh tokens. If omitted, defaults to
Secret. Using a distinct value means a compromised access token secret does not automatically compromise refresh tokens.How long access tokens remain valid after issuance. Common production values:
15 * time.Minute to 1 * time.Hour.How long refresh tokens remain valid. Refresh tokens are long-lived by design; rotate them on every use.
A string embedded in every token as the
iss claim and validated on every Validate / ValidateRefreshToken call. Set this to your application or service name.The JWT signing algorithm. Defaults to
jwt.SigningMethodHS256. GoKit validates that the algorithm in each incoming token matches this value, preventing algorithm-switching attacks.Complete configure example
Claims and TokenPair types
Every token GoKit generates embeds these custom claims alongside the standard JWT registered claims:RegisteredClaims carries Issuer, Subject (set to UserID.String()), ExpiresAt, IssuedAt, NotBefore, and a unique ID (JWT ID) per token.
The TokenPair type is returned by functions that generate both tokens at once:
ExpiresAt reflects the access token’s expiry time and is convenient for telling clients when to refresh.
Generating tokens
jwt.Generate
Configure has not been called.
jwt.GenerateWithExtra
Generate but embeds additional key-value pairs into the extra claim. Use this for non-sensitive metadata like plan tier or email address that downstream services need without a separate lookup.
jwt.GeneratePair
jwt.GenerateRefreshToken
RefreshSecret. Useful when you want to issue a new refresh token independently without regenerating an access token.
jwt.MustGenerate
Generate and panics if it returns an error. Only use in tests or init functions where a failure is truly unrecoverable and you want a hard crash instead of error handling.
Validating tokens
jwt.Validate
*Claims on success. Any validation failure returns a descriptive error.
Validation checks performed:
Signature verification
Confirms the token was signed with the configured
Secret. A tampered or forged token fails here.Signing method check
Ensures the
alg header matches the configured SigningMethod. Rejects tokens that specify a different algorithm (prevents algorithm-switching attacks such as alg: none).jwt.ValidateRefreshToken
Validate but uses RefreshSecret for signature verification. Call this when processing a refresh request.
Refreshing tokens
jwt.Refresh
*TokenPair (new access token + new refresh token). This is the one-stop function for a /auth/refresh endpoint.
Example refresh endpoint:
Helper functions
jwt.IsExpired
true if the token is expired (or otherwise invalid), without returning an error. Convenient for quick pre-checks such as short-circuiting expensive operations.
jwt.GetUserID
UserID. A shorthand when you only need the user identifier and don’t need the full claims.
jwt.GetClaims
jwt.NewParser().ParseUnverified.
Custom claims
jwt.GenerateCustomClaims
Claims type. Pass any value that implements jwt.Claims (from github.com/golang-jwt/jwt/v5). The token is signed with the configured Secret and SigningMethod.
Quick reference
Generate
Generate, GenerateWithExtra, GeneratePair, GenerateRefreshToken, MustGenerateValidate
Validate, ValidateRefreshToken — full signature + claims checksRefresh
Refresh — validates refresh token and returns a new TokenPairHelpers
IsExpired, GetUserID, GetClaims (debug only), GenerateCustomClaims