Authingo
Get Started

Introduction

Learn how AuthInGo brings Better Auth-style developer experience to Go backends and React apps.

AuthInGo

AuthInGo is a small, server-first authentication framework for Go applications with React or Next.js frontends.

Instead of issuing JWTs to the browser, AuthInGo creates opaque session tokens, stores the session in your database, and sends tokens with HttpOnly cookies. That means the browser can authenticate requests without ever owning readable credentials.

Good fit

AuthInGo is best when you want authentication inside your own Go service, backed by your own database, with a lightweight React client for UI state.

Architecture at a glance

AuthInGo has three main pieces:

LayerPackageResponsibility
Server coregithub.com/binit2-1/authingoRegisters auth routes, creates users, hashes passwords, creates sessions, sets cookies, and protects routes.
Storagegithub.com/binit2-1/authingo/adapters/postgresPersists users and sessions in PostgreSQL through the Store interface.
Frontend@authingo/reactProvides global auth state, session checks, logout, and email/password client actions.

Request flow

  1. Your React app calls signIn.email() or signUp.email().
  2. The Go backend validates the request and creates a session.
  3. AuthInGo sets authingo_session and authingo_refresh as HttpOnly cookies.
  4. Your app calls /session through useAuth().checkSession().
  5. Protected backend routes use RequireAuth to validate the session cookie before running application code.

Core routes

Mounting auth.Handler() exposes these routes relative to the path where you mount it:

MethodRoutePurpose
POST/sign-upCreate a user and start a session.
POST/sign-inAuthenticate a user and start a session.
GET/sessionReturn the current user and session from cookies.
POST/sign-outDelete the current session and clear cookies.

Security defaults

AuthInGo leans on server-side controls:

  • Passwords are hashed with bcrypt before storage.
  • Session tokens are random opaque values, not signed user payloads.
  • Cookies are HttpOnly, so client-side JavaScript cannot read them.
  • The session cookie defaults to SameSite=Lax.
  • The refresh cookie defaults to SameSite=Strict and is scoped to /api/auth/refresh.
  • Cross-site embedded demos can explicitly opt into SameSite=None; Secure.
  • Built-in state-changing routes and protected routes require the X-Authingo-Client: true header.
  • Expired sessions can be cleaned up by the storage adapter.

Install AuthInGo

Create the database tables and mount the Go handler.

Understand concepts

Learn the model before customizing your app.

AuthInGo

Build secure Go authentication with opaque cookie sessions, PostgreSQL storage, and a small React SDK.

Installation

Install AuthInGo, create the PostgreSQL schema, mount Go auth routes, and connect your first React app.

On this page

AuthInGoArchitecture at a glanceRequest flowCore routesSecurity defaults