
Bearer tokens

Mobile apps and SPAs often need access and refresh tokens instead of cookies.

Enable

Tokens: goauth.TokensConfig{
    Enabled:            true,
    AccessTokenMaxAge:  15 * time.Minute,
    RefreshTokenMaxAge: 30 * 24 * time.Hour,
    AlwaysReturn:       false, // opt-in per request (default)
},

Opt in per request

Header / query        Effect
X-Auth-Flow: token    Return JSON tokens on sign-in
?flow=token           Same

Sign-in response

{
  "sessionId": "550e8400-e29b-41d4-a716-446655440000",
  "user": {
    "id": "1",
    "name": "Demo",
    "email": "demo@example.com"
  },
  "accessToken": "eyJ...",
  "refreshToken": "eyJ...",
  "tokenType": "Bearer",
  "expiresIn": 900,
  "expiresAt": 1780478790
}

sessionId is a UUID v4 — stable session identifier for client storage (e.g. localStorage key in goauth.js).

Authenticate API calls

curl https://app.example.com/api/me \
-H "Authorization: Bearer eyJ..."

auth.GetSession validates the access token automatically.

Refresh

curl -X POST https://app.example.com/auth/token \
-d "refresh_token=eyJ..."

Or JSON:

{ "refreshToken": "eyJ..." }

Returns a fresh access/refresh pair; replace the stored tokens with the returned ones.

React Native (simple)

import * as SecureStore from "expo-secure-store"; // assumes Expo's SecureStore

const res = await fetch(`${API}/auth/callback/credentials`, {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Auth-Flow": "token", // opt in to the JSON token response
  },
  body: new URLSearchParams({ email, password }).toString(),
});
if (!res.ok) throw new Error(`sign-in failed: HTTP ${res.status}`);
const tokens = await res.json();
// Keep both tokens in the device keychain, not in plain AsyncStorage.
await SecureStore.setItemAsync("accessToken", tokens.accessToken);
await SecureStore.setItemAsync("refreshToken", tokens.refreshToken);
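The snippet above stops at storing the access token. What a client actually needs is the whole loop covered by the Refresh and Authenticate sections: opt in at sign-in, send the bearer header, and obtain a fresh pair from POST /auth/token before the access token expires. The following is an added example and not code from goauth or goauth.js. It injects `fetchImpl` so it can run offline against a constructed in-memory fake of app.example.com; the fake server, the 30-second refresh skew, the `TokenClient` name and the assumption that the refresh response carries the same `accessToken`/`refreshToken`/`expiresAt` fields as the sign-in response are all this example's choices, not documented goauth behaviour.

```javascript
// Added example (not goauth or goauth.js code): a bearer-token client for the
// flow on this page. Assumptions: /auth/token answers with the same token
// fields as sign-in, and refreshing 30 s early is a policy chosen here.

const SIGN_IN_PATH = "/auth/callback/credentials";
const REFRESH_PATH = "/auth/token";
const REFRESH_SKEW_SECONDS = 30; // refresh before the access token actually expires

class TokenClient {
  // `now` returns Unix seconds and is injectable so expiry can be tested.
  constructor(apiBase, fetchImpl, now = () => Math.floor(Date.now() / 1000)) {
    this.apiBase = apiBase;
    this.fetchImpl = fetchImpl;
    this.now = now;
    this.tokens = null;
  }

  async signIn(email, password) {
    const res = await this.fetchImpl(`${this.apiBase}${SIGN_IN_PATH}`, {
      method: "POST",
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Auth-Flow": "token", // ask for JSON tokens instead of a session cookie
      },
      body: new URLSearchParams({ email, password }).toString(),
    });
    if (!res.ok) throw new Error(`sign-in failed: HTTP ${res.status}`);
    this.tokens = await res.json();
    return this.tokens;
  }

  // Uses the server-supplied expiresAt (Unix seconds); no JWT decoding needed.
  accessTokenIsStale() {
    return this.tokens === null || this.tokens.expiresAt - this.now() <= REFRESH_SKEW_SECONDS;
  }

  async refresh() {
    if (this.tokens === null) throw new Error("not signed in");
    const res = await this.fetchImpl(`${this.apiBase}${REFRESH_PATH}`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ refreshToken: this.tokens.refreshToken }),
    });
    if (!res.ok) {
      this.tokens = null; // a rejected refresh means the user must sign in again
      throw new Error(`refresh failed: HTTP ${res.status}`);
    }
    this.tokens = { ...this.tokens, ...(await res.json()) }; // replace the stored pair
    return this.tokens;
  }

  // Refreshes first when needed, then attaches the Authorization header.
  async authFetch(path, init = {}) {
    if (this.accessTokenIsStale()) await this.refresh();
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${this.tokens.accessToken}` };
    return this.fetchImpl(`${this.apiBase}${path}`, { ...init, headers });
  }
}

// Constructed fake of app.example.com (assumption, not goauth). Tokens are
// numbered so each refresh is observable; only the newest access token is valid.
function makeFakeServer(now) {
  let serial = 0;
  const issuedRefresh = new Set();
  const issue = () => {
    serial += 1;
    const ttl = 900; // 15 minutes, matching AccessTokenMaxAge above
    const refreshToken = `refresh-${serial}`;
    issuedRefresh.add(refreshToken);
    return { accessToken: `access-${serial}`, refreshToken, tokenType: "Bearer", expiresIn: ttl, expiresAt: now() + ttl };
  };
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  return async (url, init = {}) => {
    const path = new URL(url).pathname;
    const headers = init.headers || {};
    if (path === SIGN_IN_PATH) {
      if (headers["X-Auth-Flow"] !== "token") return reply(302, {}); // cookie flow, not modelled here
      const form = new URLSearchParams(init.body);
      if (form.get("email") !== "demo@example.com" || form.get("password") !== "correct horse battery") return reply(401, {});
      return reply(200, { sessionId: "550e8400-e29b-41d4-a716-446655440000", user: { id: "1", name: "Demo", email: "demo@example.com" }, ...issue() });
    }
    if (path === REFRESH_PATH) {
      const { refreshToken } = JSON.parse(init.body);
      return issuedRefresh.has(refreshToken) ? reply(200, issue()) : reply(401, {});
    }
    if (path === "/api/me") {
      return headers.Authorization === `Bearer access-${serial}` ? reply(200, { id: "1", name: "Demo" }) : reply(401, {});
    }
    return reply(404, {});
  };
}

// Scenario: sign in, call the API, move the clock past expiry, call again.
async function runScenario() {
  let clock = 1700000000;
  const now = () => clock;
  const client = new TokenClient("https://app.example.com", makeFakeServer(now), now);
  await client.signIn("demo@example.com", "correct horse battery");
  const first = await client.authFetch("/api/me");
  clock += 900; // access token expired; authFetch must refresh before calling
  const second = await client.authFetch("/api/me");
  return { firstStatus: first.status, secondStatus: second.status, accessToken: client.tokens.accessToken, refreshToken: client.tokens.refreshToken };
}

runScenario().then((r) => console.log(JSON.stringify(r)));
```

Two points the structure makes deliberate: refresh is driven by the server's `expiresAt` rather than by waiting for a 401, so a failed refresh clears local state instead of retrying with a dead token, and every call goes through `authFetch`, so no code path can send a request without the bearer header.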

Advanced: AlwaysReturn

AlwaysReturn: true,

Every sign-in returns JSON — no redirects or session cookies. Useful for pure API gateways.