Centralized Authorization for Modern Platforms.
Issue application-level JWTs, integrate with OAuth providers for identity verification, and enforce secure logout using Redis-backed token revocation.
Centralized JWT Issuance
Single /mint endpoint issues signed JWT access tokens. One authority for your entire system.
OAuth 2.0 Authentication
Google OAuth via Goth for identity verification. Establishes secure browser sessions during OAuth flows.
Redis Token Revocation
Immediate logout via Redis. Stores revoked:<jti> with TTL matching token expiry. Automatic cleanup.
Stateless Validation
Downstream services verify JWT signatures locally. Middleware checks Redis for revocation. No token minting downstream.
Microservice Ready
Clean Go project structure. Provider-agnostic token design. Pluggable into any web application.
Decoupled Auth
Platforms decide how users authenticate. Authflow decides how access is granted and revoked. Single JWT issuer.
How It Works
- Initiation
- Auth
- Validation
- Issuance
- Revocation
JWT Claims
| CLAIM | DESCRIPTION |
|---|---|
| sub | Subject (user identifier) |
| iss | Issuer (authflow-go) |
| jti | Unique token ID |
| iat | Issued at |
| exp | Expiration time |
| provider | Authentication source (e.g., google, local) |
Quick Start
Architecture
Key Design Principle
Authentication and authorization are intentionally decoupled. Platforms decide how users authenticate. Authflow-Go decides how access is granted and revoked. This enables a single JWT issuer, consistent logout semantics, and stateless downstream services.
- Authentication: Handled by OAuth Providers
- Authorization: Centralized in Authflow-Go
- Token Lifecycle: Controlled in one place
- Revocation: Redis-backed with TTL cleanup
API Reference
| METHOD | ENDPOINT | DESCRIPTION |
|---|---|---|
| GET | /auth/{provider} | Initiate OAuth flow. Redirects to provider authorization endpoint (e.g., Google). |
| GET | /auth/{provider}/callback | OAuth callback. Validates authorization code & state, exchanges for credentials, issues JWT. |
| POST | /mint | Issue a JWT. Accepts sub, provider, and optional email. Does not authenticate — assumes identity is already verified. |
| POST | /logout | Revoke a JWT. Validates token, extracts jti, writes revoked:<jti> to Redis with TTL. |
Security Model
SINGLE JWT ISSUER
Authflow-Go is the sole JWT authority. Downstream services never mint tokens. All token lifecycle operations are centralized.
REDIS REVOCATION MODEL
revoked:<jti> → "1" (TTL = token_expiry − now). Any request using a revoked token is rejected by middleware, even if the JWT is otherwise valid. Automatic cleanup via TTL.
STATELESS AUTHORIZATION
JWTs enable stateless authorization. Middleware verifies signature & expiry, then checks Redis for revoked jti. No database hits for standard validation.
DECOUPLED AUTH
Authentication strategies vary per platform. Authorization is centralized. Token lifecycle is controlled in one place. Logout is enforceable across services.
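The issuance, middleware validation and logout paths described in the Security Model, as an added example that is not code from the Authflow-Go project: Python, with an in-memory stand-in for Redis so it runs offline. KEY, the jti values and FakeRedis are assumptions of this example; the claim names are the ones from the table above.

```python
import base64
import hashlib
import hmac
import json
KEY = b"constructed-demo-secret"  # assumption: only the single issuer holds this HS256 key

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sig(head: str) -> str:
    return _b64e(hmac.new(KEY, head.encode(), hashlib.sha256).digest())

class FakeRedis:
    """In-memory stand-in for Redis (assumption): SET ... EX ttl and a GET that honours the TTL."""
    def __init__(self):
        self.kv = {}
    def set(self, key, value, ex, now):
        self.kv[key] = (value, now + ex)
    def get(self, key, now):
        hit = self.kv.get(key)
        return hit[0] if hit and now < hit[1] else None  # elapsed TTL: Redis would have evicted it

def mint(sub, provider, jti, now, ttl=3600):
    """The /mint step: the claims from the table above, HS256-signed by the single issuer."""
    claims = {"sub": sub, "iss": "authflow-go", "jti": jti, "iat": now, "exp": now + ttl, "provider": provider}
    head = _b64e(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64e(json.dumps(claims).encode())
    return head + "." + _sig(head)

def verify(token, redis, now):
    """Middleware path: signature, then exp, then revoked:<jti>; returns claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, sig = parts[0] + "." + parts[1], parts[2]
    if not hmac.compare_digest(sig.encode(), _sig(head).encode()):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(parts[1]))  # safe to parse now: the payload is covered by the signature
    if now >= claims["exp"]:
        raise ValueError("expired")
    if redis.get("revoked:" + claims["jti"], now) is not None:
        raise ValueError("revoked")
    return claims

def logout(token, redis, now):
    """The /logout step: validate, extract jti, then SET revoked:<jti> "1" EX (exp - now)."""
    claims = verify(token, redis, now)
    redis.set("revoked:" + claims["jti"], "1", claims["exp"] - now, now)
    return claims["jti"]
```

Because the revocation key's TTL equals the token's remaining lifetime, the key disappears at the same instant the expiry check would start rejecting the token anyway, which is what keeps Redis from growing.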
Live Integration
AuthFlow is currently running in production as the authentication layer for:
rag-works.vercel.app →
- Create an account
- Log in via OAuth
- Access protected routes
- Log out (token revoked via Redis)
All auth operations in rag-works are powered by AuthFlow.