Skip to main content
Prerequisites: Before you begin, ensure you have the following installed:
  • Go 1.25 or newer
  • Git for version control
Verify installation: go version

Get Started

This quickstart demonstrates how to add Auth0 authentication to a Go web application. You’ll build a server-side app with login, logout, and user profile features using the go-auth0 SDK and Go’s standard net/http library.
1

Create a new project

Create a new directory for your Go application and initialize a module.
Install the required dependencies:
Create the project structure:
go.mod
2

Setup your Auth0 application

To use Auth0 services, you need an application set up in the Auth0 Dashboard. The Auth0 application is where you configure authentication for your project.You need the following information from your application’s Settings tab:
  • Domain
  • Client ID
  • Client Secret
App Dashboard
You have three options to set up your Auth0 application: use the Quick Setup tool (recommended), run a CLI command, or configure manually via the Dashboard:
Verify your .env file exists: cat .env (Mac/Linux) or type .env (Windows)
3

Create the Auth0 client

Create the auth.go file. This wraps the go-auth0 authentication client and provides a helper to build the authorization URL.
auth.go
What this does:
  • Initializes the go-auth0 authentication client with your tenant’s domain, client ID, and client secret
  • Provides an AuthorizationURL helper that builds the /authorize redirect URL with the required OAuth2 parameters
4

Create route handlers

Create the handlers.go file with handlers for login, callback, user profile, and logout.
handlers.go
Key points:
  • LoginHandler generates a random state parameter for CSRF protection and redirects to Auth0’s Universal Login
  • CallbackHandler exchanges the authorization code for tokens using go-auth0, then calls UserInfo to get the user’s profile
  • LogoutHandler clears the session and redirects to Auth0’s /v2/logout endpoint
  • UserHandler retrieves the profile from the session and renders the template
5

Create HTML templates

templates/home.html
6

Create the main server

Wire everything together in main.go:
main.go
7

Run and test your application

Start the development server:
You should see: Server listening on http://localhost:3000/Open http://localhost:3000 in your browser. Click Sign In to be redirected to Auth0’s Universal Login page. After authenticating, you’ll be redirected back to your app and see your profile information.
If port 3000 is already in use, update the AUTH0_CALLBACK_URL in your .env file and the Allowed Callback URLs and Allowed Logout URLs in your Auth0 Application Settings to use the new port.
CheckpointYou should now have a fully functional Go web application with Auth0 authentication running on your localhost. Your app:
  1. Redirects users to Auth0’s Universal Login for authentication
  2. Exchanges the authorization code for tokens using the go-auth0 SDK
  3. Retrieves and displays user profile information
  4. Supports logout with session cleanup

Advanced Usage

Create an IsAuthenticated middleware to protect routes that require authentication. Add this to your handlers.go:
handlers.go
Apply the middleware to protected routes in main.go:
main.go
After authentication, the access token stored in the session can be used to call a protected API:
To request an access token scoped to your API, add the audience parameter to the authorization URL in auth.go:
If your application uses refresh tokens, you can exchange a refresh token for a new set of tokens using the go-auth0 SDK:
To receive a refresh token, add offline_access to the scopes in your authorization URL:

Troubleshooting

”Failed to exchange authorization code for token”

Problem: The callback handler cannot exchange the authorization code.Solutions:
  1. Verify AUTH0_CLIENT_SECRET is correct in your .env file
  2. Ensure the AUTH0_CALLBACK_URL exactly matches the Allowed Callback URLs in your Auth0 Application Settings
  3. Check that the authorization code hasn’t expired (codes are single-use and short-lived)

“Failed to get user info”

Problem: The /userinfo endpoint returns an error.Solutions:
  1. Ensure the openid scope is included in the authorization URL
  2. Verify the access token is valid and not expired
  3. Check network connectivity to your Auth0 domain

”Invalid state parameter”

Problem: The state parameter in the callback doesn’t match the session.Solutions:
  1. Ensure cookies are enabled in your browser
  2. Check that the session store secret hasn’t changed between requests
  3. Verify you’re not using multiple browser tabs during the login flow

Users can’t log out

Problem: After clicking logout, users see an Auth0 error page.Solutions:
  1. Verify http://localhost:3000 is in the Allowed Logout URLs in your Auth0 Application Settings
  2. Ensure the client_id parameter matches your application’s Client ID
  3. Check that the returnTo URL exactly matches one of the allowed logout URLs

Session data not persisting

Problem: User profile data disappears between requests.Solutions:
  1. Ensure gob.Register(map[string]interface{}{}) is called before storing data
  2. Check that session.Save(r, w) is called after modifying session values
  3. Verify cookies are not being blocked by browser settings

Next Steps

Now that you have authentication working, consider exploring:

Resources