Package feature map
Everything implemented in goauth and where to read about it.
Core module (github.com/izetmolla/goauth)
| Feature | Source files | Documentation |
|---|---|---|
| HTTP handler / router | goauth.go | Routes |
| Config & validation | config.go, goauth.go | Config reference |
| Providers interface | provider.go | Providers overview |
| OAuth flow | oauth.go, actions_auth.go | OAuth & OIDC |
| Session issue/read | session.go | Session strategies |
| Bearer tokens | tokens.go | Bearer tokens |
| CSRF | cookies.go, actions_simple.go | CSRF & cookies |
| Redirect safety | redirect.go | Redirect callback |
| HTML token callback | callback_page.go | Browser callback |
| MFA | actions_mfa.go | OTP guide |
| Passkeys | actions_passkey.go | Passkey |
| Session list/revoke | actions_sessions.go | Session management |
| Email / magic link | actions_email.go | Email & OTP |
| Errors | errors.go | Errors |
| Checks (PKCE/state) | checks.go | OAuth |
| UUID session IDs | checks.go, tokens.go | Bearer tokens |
Subpackages
goauth/jwt
| Feature | Doc |
|---|---|
JWE dir + A256CBC-HS512 | Session strategies |
| Secret rotation (multi-secret decode) | Config scenarios |
goauth/webauthn
| Feature | Doc |
|---|---|
| Registration verify (ES256, attestation none) | WebAuthn internals |
| Assertion verify + sign count | Passkey |
| CBOR / COSE (stdlib) | WebAuthn internals |
goauth/providers/*
| Package | Type | Doc |
|---|---|---|
github | OAuth | OAuth |
google | OIDC | OAuth |
apple | OIDC form_post | providers README |
azuread | OIDC | Azure AD |
oauth | Generic OAuth 2 | OAuth |
oidc | Generic OIDC | OAuth |
credentials | Password | Credentials |
email | Magic link | OTP guide |
otp | Email login code | OTP guide |
passkey | WebAuthn | Passkey |
goauth/adapters/*
| Package | Migrator | SessionLister | AuthenticatorStore |
|---|---|---|---|
postgres | Yes | Yes | Yes |
mysql / mariadb | Yes | Yes | Yes |
memory | No | Yes | Yes |
redis | — | Yes | No |
mongodb | — | Yes | No |
sqladapter | DB interface for GORM/sql | — | — |
Doc: Adapters.
goauth/client
| Feature | Doc |
|---|---|
goauth.js popup + localStorage | Client JS |
External: github.com/izetmolla/fiberauth
Fiber v3 middleware — not in this repo; see root README.
Config surface map
| Config field | Controls |
|---|---|
Secret | All encryption |
Providers | Sign-in methods |
Adapter | Persistence |
Session | JWT vs database, lifetime |
JWT | Custom encode/decode |
Tokens | Mobile bearer flow |
MFA | Post-password OTP |
WebAuthn | Passkey enable flag |
Pages | Custom routes |
Cookies | Cross-subdomain SSO |
Callbacks | SignIn, ResolveUser, JWT, Session, Redirect |
Events | Audit hooks |
Full detail: Config reference.
HTTP actions map
/auth/session
/auth/csrf
/auth/providers
/auth/signin[/:provider]
/auth/callback/:provider
/auth/signout
/auth/token (Tokens.Enabled)
/auth/mfa/verify (MFA.Enabled)
/auth/sessions (SessionLister + DB strategy)
What to read first (developer onboarding)
- Config scenarios — pick your stack
- Callbacks overview
- OTP & verification — if any codes/emails
- User creation
- Developer cookbook — full production example