Credentials

Password or arbitrary field-based sign-in. Mirrors Auth.js Credentials provider.

Important rules

Sessions are always JWT (or bearer tokens) — never database strategy.
Sign-in endpoint: POST /auth/callback/credentials (not GET).
Works with MFA when enabled.

Simple example

import "github.com/izetmolla/goauth/providers/credentials"

credentials.New(credentials.Options{
    Fields: []goauth.CredentialField{
        {Name: "email", Label: "Email", Type: "email"},
        {Name: "password", Label: "Password", Type: "password"},
    },
    Authorize: func(ctx context.Context, creds map[string]string, r *http.Request) (*goauth.User, error) {
        u, ok := validatePassword(creds["email"], creds["password"])
        if !ok {
            return nil, nil // rejected sign-in
        }
        return u, nil
    },
})

curl -X POST http://localhost:3000/auth/callback/credentials \
  -d "email=demo@example.com&password=secret"

Advanced: MFA + token flow

# Step 1 — password OK, MFA required
curl -X POST http://localhost:3000/auth/callback/credentials \
  -H "X-Auth-Flow: token" \
  -d "email=demo@example.com&password=secret"
# → { "challenge": "eyJ...", "expiresIn": 600 }

# Step 2 — verify OTP
curl -X POST http://localhost:3000/auth/mfa/verify \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "challenge=eyJ...&code=123456&trustDevice=true"
# → { accessToken, refreshToken, sessionId, user }

Authorize contract

Return	Meaning
`(*User, nil)`	Success
`(nil, nil)`	Invalid credentials (generic failure)
`(nil, err)`	`CredentialsSignin` error

Never put passwords in JWT claims — only run Authorize server-side.

Important rules​

Simple example​

Advanced: MFA + token flow​

Authorize contract​

Important rules

Simple example

Advanced: MFA + token flow

Authorize contract