JWTs, or JSON Web Tokens as they are more formally known, are a compact, URL-safe means of representing claims to be transferred between two parties. This is essentially a confusing way of saying that JWTs allow you to transmit information from a client to the server in a stateless, but secure way.
The JWT standard uses either a secret, using the HMAC algorithm, or a public/private key pair using RSA or ECDSA.
Note - If you are interested in the formal definition of what JWTs are, then I recommend checking out the RFC: RFC-7519
These are heavily used within Single-Page Applications (SPAs) as a means of secure communications as they allow us to do two key things:
- Authentication - The most commonly used practice. Once a user logs in to your application, or authenticates in some manner, every request that is then sent from the client on behalf of the user will contain the JWT.
- Information Exchange - The second use for JWTs is to securely transmit information between different systems. These JWTs can be signed using public/private key pairs so you can verify each system in this transaction in a secure manner and JWTs contain an anti-tamper mechanism as they are signed based off the header and the payload.
So, if you haven’t guessed by now, in this tutorial, we’ll be looking at exactly what it takes to build a secure Go-based REST API that uses JSON Web Tokens to communicate!
This tutorial is available in a video format, if you want to support me and my work then please feel free to leave a like and subscribe to my channel for my content!
A Simple REST API
So, we are going to be using the code from one of my other articles, Creating a simple REST API in Go, to get us started. This will feature a really simple
Hello World style endpoint and it will run on port 8081.
When we run this an attempt to hit our homepage, running on
http://localhost:8081/, we should see the message
Hello World in our browser.
So, now that we have a simple API that we can now protect using signed JWT tokens, let’s build a client API that will try to request data from this original API.
To do this, we can use a JWT that has been signed with a secure key that both our client and server will have knowledge off. Let’s walk through how this will work:
- Our client will generate a signed JWT based of our shared passphrase.
- When our client goes to hit our server API, it will include this JWT as part of the request.
- Our server will be able to read this JWT and validate the token using the same passphrase.
- If the JWT is valid, it will then return the highly confidential
hello worldmessage back to the client, otherwise it’ll return
Our architecture diagram is going to end up looking a little something like this:
So, let’s see this in action, let’s create a really simple server:
Let’s break this down. We’ve created a really simple API that feature a solitary endpoint, this is protected by our
isAuthorized middleware decorator. In this
isAuthorized function, we check to see that the incoming request features the
Token header in the request and we then subsequently check to see if the token is valid based off our private
If this is a valid token, we then serve the protected endpoint.
Note - This example uses decorators, if you aren’t comfortable with the concept of decorators in Go then I recommend you check out my other article here: Getting Started with Decorators in Go
Now that we have a server that features a JWT secured endpoint, let’s build something that can interact with it.
We’ll be building a simple client application which will attempt to call our
/ endpoint of our server.
Let’s break down what’s happening in the above code. Again, we’ve defined a really simple API that features a single endpoint. This endpoint, when triggered, generates a new JWT using our secure
mySigningKey, it then creates a new http client and sets the
Token header equal to the JWT string that we have just generated.
It then attempts to hit our
server application which is running on
http://localhost:9000 using this signed JWT token. Our server then validates the token we’ve generated in the client and proceeds to serve us our super secret
Hello World message.
Hopefully, this tutorial helped to demystify the art of securing your Go applications and REST APIs using JSON Web Tokens. This was a lot of fun writing this article, and I hope it has helped you in your Go development travels.
If you enjoyed this tutorial, then please let me know in the comments section below, or give this article a share across social media, it really helps me and my site!
Note - If you want to keep track of when new Go articles are posted to the site, then please feel free to follow me on twitter for all the latest news: @Elliot_F.
If you fancy reading up more on JSON Web Tokens and how they are used then I can thoroughly recommend the following articles:
- Go Decorators Tutorial - Go Decorators
- RFC-7519 - https://tools.ietf.org/html/rfc7519
- JWT Introduction - https://jwt.io/introduction/