Authenticate a human user via browser or device code with automatic environment detection.
- Local machine (browser available): Authorization Code + PKCE
- SSH / headless session: Device Code flow (RFC 8628)
The SDK auto-detects the environment and selects the appropriate flow.
- Go 1.25+
- An AuthGate server with a configured OAuth client
| Variable | Required | Description |
|---|---|---|
AUTHGATE_URL |
Yes | AuthGate server URL |
CLIENT_ID |
Yes | OAuth 2.0 client identifier |
export AUTHGATE_URL=https://auth.example.com
export CLIENT_ID=your-client-id
go run main.goAlternatively, create a .env file in the go-cli/ directory:
AUTHGATE_URL=https://auth.example.com
CLIENT_ID=your-client-idThen simply run:
go run main.goEnvironment variables take precedence over .env values. The .env file is optional — the program works without it.
- Calls
authgate.New()which performs OIDC discovery and starts the appropriate OAuth flow - Requests
profileandemailscopes - Stores the token in the OS keyring (falls back to file-based storage if keyring is unavailable)
- Fetches user info via the
/oauth/userinfoendpoint - Validates the token via
/oauth/tokeninfoand prints detailed metadata
On subsequent runs, the cached token is reused automatically. If expired, it is refreshed transparently.
User: Jane Doe (jane@example.com)
Subject: user-uuid-1234
Access Token: eyJhbGci...
Refresh Token: dGhpcyBp...
Token Type: Bearer
Expires In: 3600
Expires At: 2025-01-01T12:00:00Z
Scope: profile email
ID Token: eyJ0eXAi...
TokenInfo Active: true
TokenInfo UserID: user-uuid-1234
TokenInfo ClientID: your-client-id
TokenInfo Scope: profile email
TokenInfo SubjectType: user
TokenInfo Issuer: https://auth.example.com
TokenInfo Exp: 1735732800
Tokens are persisted in the OS keyring:
| Platform | Backend |
|---|---|
| macOS | Keychain |
| Linux | Secret Service (D-Bus) |
| Windows | Windows Credential Manager |
If the keyring is unavailable, tokens fall back to a file-based cache.