encore-go-auth

Encore Go Authentication

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "encore-go-auth" with this command: npx skills add encoredev/skills/encoredev-skills-encore-go-auth

Encore Go Authentication

Instructions

Encore Go provides a built-in authentication system using the //encore:authhandler annotation.

  1. Create an Auth Handler

package auth

import ( "context" "encore.dev/beta/auth" "encore.dev/beta/errs" )

// AuthParams defines what the auth handler receives type AuthParams struct { Authorization string header:"Authorization" }

// AuthData defines what authenticated requests have access to type AuthData struct { UserID string Email string Role string }

//encore:authhandler func Authenticate(ctx context.Context, params *AuthParams) (auth.UID, *AuthData, error) { token := strings.TrimPrefix(params.Authorization, "Bearer ")

payload, err := verifyToken(token)
if err != nil {
    return "", nil, &errs.Error{
        Code:    errs.Unauthenticated,
        Message: "invalid token",
    }
}

return auth.UID(payload.UserID), &AuthData{
    UserID: payload.UserID,
    Email:  payload.Email,
    Role:   payload.Role,
}, nil

}

  1. Protect Endpoints

package user

import "context"

// Protected endpoint - requires authentication //encore:api auth method=GET path=/profile func GetProfile(ctx context.Context) (*Profile, error) { // Only authenticated users reach here }

// Public endpoint - no authentication required //encore:api public method=GET path=/health func Health(ctx context.Context) (*HealthResponse, error) { return &HealthResponse{Status: "ok"}, nil }

  1. Access Auth Data in Endpoints

package user

import ( "context" "encore.dev/beta/auth" myauth "myapp/auth" // Import your auth package )

//encore:api auth method=GET path=/profile func GetProfile(ctx context.Context) (*Profile, error) { // Get the user ID userID, ok := auth.UserID() if !ok { // Should not happen with auth endpoint }

// Get full auth data
data := auth.Data().(*myauth.AuthData)

return &Profile{
    UserID: string(userID),
    Email:  data.Email,
    Role:   data.Role,
}, nil

}

Auth Handler Signature

The auth handler must:

  • Have the //encore:authhandler annotation

  • Accept context.Context and a params struct pointer

  • Return (auth.UID, *YourAuthData, error)

//encore:authhandler func MyAuthHandler(ctx context.Context, params *Params) (auth.UID, *AuthData, error)

Auth Handler Behavior

Scenario Returns Result

Valid credentials (uid, data, nil)

Request authenticated

Invalid credentials ("", nil, err) with errs.Unauthenticated

401 response

Other error ("", nil, err)

Request aborted

Common Auth Patterns

JWT Token Validation

import ( "github.com/golang-jwt/jwt/v5" "encore.dev/config" )

var secrets struct { JWTSecret config.String }

func verifyToken(tokenString string) (*Claims, error) { token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(t *jwt.Token) (interface{}, error) { return []byte(secrets.JWTSecret()), nil }) if err != nil { return nil, err }

claims, ok := token.Claims.(*Claims)
if !ok || !token.Valid {
    return nil, errors.New("invalid token")
}

return claims, nil

}

API Key Authentication

//encore:authhandler func Authenticate(ctx context.Context, params *AuthParams) (auth.UID, *AuthData, error) { apiKey := params.Authorization

user, err := db.QueryRow[User](ctx, `
    SELECT id, email, role FROM users WHERE api_key = $1
`, apiKey)
if err != nil {
    return "", nil, &errs.Error{
        Code:    errs.Unauthenticated,
        Message: "invalid API key",
    }
}

return auth.UID(user.ID), &AuthData{
    UserID: user.ID,
    Email:  user.Email,
    Role:   user.Role,
}, nil

}

Cookie-Based Auth

type AuthParams struct { Cookie string header:"Cookie" }

//encore:authhandler func Authenticate(ctx context.Context, params *AuthParams) (auth.UID, *AuthData, error) { sessionID := parseCookie(params.Cookie, "session") if sessionID == "" { return "", nil, &errs.Error{ Code: errs.Unauthenticated, Message: "no session", } }

session, err := getSession(ctx, sessionID)
if err != nil || session.ExpiresAt.Before(time.Now()) {
    return "", nil, &errs.Error{
        Code:    errs.Unauthenticated,
        Message: "session expired",
    }
}

return auth.UID(session.UserID), &AuthData{
    UserID: session.UserID,
    Email:  session.Email,
    Role:   session.Role,
}, nil

}

Service-to-Service Auth

Auth data automatically propagates in internal service calls:

package order

import ( "context" "myapp/user" // Import the user service )

//encore:api auth method=GET path=/orders/:id func GetOrderWithUser(ctx context.Context, params *GetOrderParams) (*OrderWithUser, error) { order, err := getOrder(ctx, params.ID) if err != nil { return nil, err }

// Auth is automatically propagated to this call
profile, err := user.GetProfile(ctx)
if err != nil {
    return nil, err
}

return &OrderWithUser{Order: order, User: profile}, nil

}

Guidelines

  • Only one //encore:authhandler per application

  • Return auth.UID as the first return value (user identifier)

  • Return your custom AuthData struct as second value

  • Use auth.UserID() to get the authenticated user ID

  • Use auth.Data() and type assert to get full auth data

  • Auth propagates automatically in service-to-service calls

  • Keep auth handlers fast - they run on every authenticated request

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

encore-auth

No summary provided by upstream source.

Repository SourceNeeds Review
141-encoredev
Coding

encore-service

No summary provided by upstream source.

Repository SourceNeeds Review
139-encoredev
Coding

encore-code-review

No summary provided by upstream source.

Repository SourceNeeds Review
139-encoredev
Coding

encore-api

No summary provided by upstream source.

Repository SourceNeeds Review
138-encoredev