
Callbacks overview

Callbacks are synchronous hooks that shape auth decisions. Events are fire-and-forget side effects. Both live on goauth.Config.

    Callbacks: goauth.Callbacks{ /* control flow */ },
    Events:    goauth.Events{ /* logging, analytics */ },

When callbacks run (sign-in success path)

    flowchart TD
        A[Provider authenticates] --> B[Profile → User]
        B --> C{Callbacks.SignIn}
        C -->|false| X[AccessDenied]
        C -->|true| D[resolveUser]
        D --> E{Adapter database?}
        E -->|yes| F[GetUserByAccount / CreateUser / LinkAccount]
        E -->|no| G[Use profile user]
        F --> H{Callbacks.ResolveUser?}
        G --> H
        H --> I[issueSession]
        I --> J{JWT strategy?}
        J -->|yes| K[Callbacks.JWT]
        J -->|no| L[CreateSession row]
        K --> M[Set cookie / tokens]
        L --> N[Callbacks.Session]
        M --> N

Callback reference

| Callback | Input | Return | Purpose |
| --- | --- | --- | --- |
| SignIn | SignInCallbackParams | (bool, error) | Allow or deny sign-in |
| ResolveUser | ResolveUserParams | (*User, error) | Persist user in your DB |
| JWT | JWTCallbackParams | (JWT, error) | Add claims to token |
| Session | SessionCallbackParams | (*Session, error) | Shape API session JSON |
| Redirect | URL strings | (string, error) | Sanitize post-login redirects |
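The Redirect row above says the callback sanitizes post-login redirects. The following is an added example, not goauth's own code, of the same-origin check such a callback could delegate to. The helper name `sanitizeRedirect`, its `baseURL` parameter and the fall-back-to-site-root policy are assumptions; the page does not show the callback's exact signature, so the wiring into `goauth.Callbacks` is left out.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// sanitizeRedirect returns a safe post-login destination for target, given the
// application's own origin in baseURL. Hypothetical helper: names and the
// fall-back-to-root policy are assumptions, not part of goauth.
func sanitizeRedirect(target, baseURL string) (string, error) {
	base, err := url.Parse(baseURL)
	if err != nil || base.Scheme == "" || base.Host == "" {
		return "", errors.New("baseURL must be an absolute URL")
	}
	fallback := base.Scheme + "://" + base.Host + "/"

	// Some browsers treat "\" as "/" and drop control characters, so a value
	// containing them can resolve differently than it parses here.
	if target == "" || strings.ContainsAny(target, "\\\r\n\t") {
		return fallback, nil
	}
	u, err := url.Parse(target)
	if err != nil || u.User != nil { // userinfo hides the real host
		return fallback, nil
	}
	// Relative target: accept only a path with exactly one leading slash.
	// "//host/..." is scheme-relative and would leave the site.
	if u.Scheme == "" && u.Host == "" {
		if strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//") {
			return base.Scheme + "://" + base.Host + u.RequestURI(), nil
		}
		return fallback, nil
	}
	// Absolute target: scheme and host must both match our origin.
	if strings.EqualFold(u.Scheme, base.Scheme) && strings.EqualFold(u.Host, base.Host) {
		return u.String(), nil
	}
	return fallback, nil
}

func main() {
	for _, t := range []string{"/dashboard?tab=1", "//evil.example/x", "https://evil.example/"} { // constructed inputs
		out, _ := sanitizeRedirect(t, "https://app.example")
		fmt.Printf("%q -> %s\n", t, out)
	}
}
```

Rejected targets fall back to the site root instead of returning an error, so a bad `callbackUrl`-style parameter cannot break an otherwise valid sign-in.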

Events reference

| Event | When | Use for |
| --- | --- | --- |
| SignIn | After auth, before response | Audit log |
| SignOut | POST signout | Revoke external sessions |
| CreateUser | Adapter created user | Welcome email, CRM |
| LinkAccount | OAuth account linked | Analytics |
| Session | GET /auth/session | Metrics |

Events cannot return errors to block sign-in.

What callbacks do NOT do

| Task | Where it belongs |
| --- | --- |
| Send magic link email | email.SendVerificationRequest |
| Send login OTP email | otp.SendCode |
| Send MFA OTP after password | MFA.SendCode |
| Validate password | credentials.Authorize |
| Verify WebAuthn | goauth/webauthn (internal) |

Minimal config with callbacks

    Callbacks: goauth.Callbacks{
        SignIn: func(ctx context.Context, p goauth.SignInCallbackParams) (bool, error) {
            // Deny sign-in when the resolved user has no email address.
            if p.User.Email == "" {
                return false, nil
            }
            return true, nil
        },
    },
