authlete

Developer-friendly & type-safe Go SDK specifically catered to leverage authlete API.

Important

This SDK is in Beta.

Summary

Authlete API: Welcome to the Authlete API documentation. Authlete is an API-first service where every aspect of the platform is configurable via API. This documentation will help you authenticate and integrate with Authlete to build powerful OAuth 2.0 and OpenID Connect servers.

At a high level, the Authlete API is grouped into two categories:

• Management APIs: Enable you to manage services and clients.
• Runtime APIs: Allow you to build your own Authorization Servers or Verifiable Credential (VC) issuers.

🌐 API Servers

Authlete is a global service with clusters available in multiple regions across the world:

• 🇺🇸 US: https://us.authlete.com
• 🇯🇵 Japan: https://jp.authlete.com
• 🇪🇺 Europe: https://eu.authlete.com
• 🇧🇷 Brazil: https://br.authlete.com

Our customers can host their data in the region that best meets their requirements.

🔑 Authentication

All API endpoints are secured using Bearer token authentication. You must include an access token in every request:

Authorization: Bearer YOUR_ACCESS_TOKEN

Getting Your Access Token

Authlete supports two types of access tokens:

Service Access Token - Scoped to a single service (authorization server instance)

1. Log in to Authlete Console
2. Navigate to your service → Settings → Access Tokens
3. Click Create Token and select permissions (e.g., service.read, client.write)
4. Copy the generated token

Organization Token - Scoped to your entire organization

1. Log in to Authlete Console
2. Navigate to Organization Settings → Access Tokens
3. Click Create Token and select org-level permissions
4. Copy the generated token

⚠️ Important Note: Tokens inherit the permissions of the account that creates them. Service tokens can only access their specific service, while organization tokens can access all services within your org.

Token Security Best Practices

• Never commit tokens to version control - Store in environment variables or secure secret managers
• Rotate regularly - Generate new tokens periodically and revoke old ones
• Scope appropriately - Request only the permissions your application needs
• Revoke unused tokens - Delete tokens you're no longer using from the console

Quick Test

Verify your token works with a simple API call:

curl -X GET https://us.authlete.com/api/service/get/list \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

🎓 Tutorials

If you're new to Authlete or want to see sample implementations, these resources will help you get started:

• Getting Started with Authlete
• From Sign-Up to the First API Request

🛠 Contact Us

If you have any questions or need assistance, our team is here to help:

• Contact Page

Table of Contents

• authlete
  • 🌐 API Servers
  • 🔑 Authentication
  • 🎓 Tutorials
  • 🛠 Contact Us
  • SDK Installation
  • SDK Example Usage
  • Authentication
  • Available Resources and Operations
  • Retries
  • Error Handling
  • Server Selection
  • Custom HTTP Client
• Development
  • Maturity
  • Contributions

SDK Installation

To add the SDK as a dependency to your project:

go get github.com/authlete/authlete-go-sdk

SDK Example Usage

Example

package main

import (
	"context"
	authlete "github.com/authlete/authlete-go-sdk"
	"log"
	"os"
)

func main() {
	ctx := context.Background()

	s := authlete.New(
		authlete.WithSecurity(os.Getenv("AUTHLETE_BEARER")),
	)

	res, err := s.Service.Get(ctx, "<id>")
	if err != nil {
		log.Fatal(err)
	}
	if res.Service != nil {
		// handle response
	}
}

Authentication

Per-Client Security Schemes

This SDK supports the following security scheme globally:

Name	Type	Scheme	Environment Variable
Bearer	http	HTTP Bearer	AUTHLETE_BEARER

You can configure it using the WithSecurity option when initializing the SDK client instance. For example:

package main

import (
	"context"
	authlete "github.com/authlete/authlete-go-sdk"
	"log"
	"os"
)

func main() {
	ctx := context.Background()

	s := authlete.New(
		authlete.WithSecurity(os.Getenv("AUTHLETE_BEARER")),
	)

	res, err := s.Service.Get(ctx, "<id>")
	if err != nil {
		log.Fatal(err)
	}
	if res.Service != nil {
		// handle response
	}
}

Available Resources and Operations

Available methods

Authorization

• ProcessRequest - Process Authorization Request
• Fail - Fail Authorization Request
• Issue - Issue Authorization Response

Authorization.Management

• GetTicketInfo - Get Ticket Information
• UpdateTicket - Update Ticket Information

Ciba

• ProcessAuthentication - Process Backchannel Authentication Request
• Issue - Issue Backchannel Authentication Response
• Fail - Fail Backchannel Authentication Request
• Complete - Complete Backchannel Authentication

Client

• Get - Get Client
• List - List Clients
• Create - Create Client
• Update - Update Client
• UpdateForm - Update Client
• Delete - Delete Client ⚡

Client.Management

• UpdateLockFlag - Update Client Lock
• RefreshSecret - Rotate Client Secret
• UpdateSecret - Update Client Secret
• ListAuthorizedApplications - Get Authorized Applications
• ListAuthorizedApplicationsWithBody - Get Authorized Applications
• ListAuthorizations - Get Authorized Applications (by Subject)
• UpdateAuthorizations - Update Client Tokens
• DeleteClientTokens - Delete Client Tokens
• RevokeClientTokens - Delete Client Tokens
• DeleteAuthorizations - Delete Client Tokens (by Subject)
• GetGrantedScopesForClient - Get Granted Scopes
• CreateGrantedScopes - Get Granted Scopes
• GetGrantedScopes - Get Granted Scopes (by Subject)
• DeleteGrantedScopesForClient - Delete Granted Scopes
• DeleteGrantedScopes - Delete Granted Scopes (by Subject)
• GetRequestableScopes - Get Requestable Scopes
• UpdateRequestableScopesWithBody - Update Requestable Scopes
• UpdateRequestableScopes - Update Requestable Scopes
• DeleteRequestableScopes - Delete Requestable Scopes

DeviceFlow

• Authorization - Process Device Authorization Request
• Verification - Process Device Verification Request
• Complete - Complete Device Authorization

DynamicClientRegistration

• Register - Register Client
• Get - Get Client
• Update - Update Client
• Delete - Delete Client

Federation

• Configuration - Process Entity Configuration Request
• Registration - Process Federation Registration Request

GrantManagement

• ProcessRequest - Process Grant Management Request

HardwareSecurityKeys

• Create - Create Security Key
• Delete - Delete Security Key
• Get - Get Security Key
• List - List Security Keys

Introspection

• Process - Process Introspection Request
• StandardProcess - Process OAuth 2.0 Introspection Request

Lifecycle

• GetAPILifecycleHealthcheck - Health Check

NativeSso

• Process - Native SSO Processing
• Logout - Native SSO Logout Processing

PushedAuthorization

• Create - Process Pushed Authorization Request

Revocation

• Process - Process Revocation Request

Service

• Get - Get Service
• List - List Services
• Update - Update Service
• Delete - Delete Service ⚡
• GetConfiguration - Get Service Configuration

Token

• Process - Process Token Request
• Fail - Fail Token Request
• Issue - Issue Token Response

Token.Management

• ReissueIDToken - Reissue ID Token
• List - List Issued Tokens
• Create - Create Access Token
• Update - Update Access Token
• Delete - Delete Access Token
• Revoke - Revoke Access Token

Userinfo

• Process - Process UserInfo Request
• Issue - Issue UserInfo Response

VerifiableCredentials

• GetMetadata - Get Verifiable Credential Issuer Metadata
• GetJwtIssuer - Get JWT Issuer Information
• GetJwks - Get JSON Web Key Set
• CreateOffer - Create Credential Offer
• GetOfferInfo - Get Credential Offer Information
• Parse - Parse Single Credential
• Issue - Issue Single Credential
• BatchParse - Parse Batch Credentials
• BatchIssue - Issue Batch Credentials
• DeferredParse - Parse Deferred Credential
• DeferredIssue - Issue Deferred Credential

Retries

Some of the endpoints in this SDK support retries. If you use the SDK without any configuration, it will fall back to the default retry strategy provided by the API. However, the default retry strategy can be overridden on a per-operation basis, or across the entire SDK.

To change the default retry strategy for a single API call, simply provide a retry.Config object to the call by using the WithRetries option:

package main

import (
	"context"
	authlete "github.com/authlete/authlete-go-sdk"
	"github.com/authlete/authlete-go-sdk/retry"
	"log"
	"models/operations"
	"os"
)

func main() {
	ctx := context.Background()

	s := authlete.New(
		authlete.WithSecurity(os.Getenv("AUTHLETE_BEARER")),
	)

	res, err := s.Service.Get(ctx, "<id>", operations.WithRetries(
		retry.Config{
			Strategy: "backoff",
			Backoff: &retry.BackoffStrategy{
				InitialInterval: 1,
				MaxInterval:     50,
				Exponent:        1.1,
				MaxElapsedTime:  100,
			},
			RetryConnectionErrors: false,
		}))
	if err != nil {
		log.Fatal(err)
	}
	if res.Service != nil {
		// handle response
	}
}

If you'd like to override the default retry strategy for all operations that support retries, you can use the WithRetryConfig option at SDK initialization:

package main

import (
	"context"
	authlete "github.com/authlete/authlete-go-sdk"
	"github.com/authlete/authlete-go-sdk/retry"
	"log"
	"os"
)

func main() {
	ctx := context.Background()

	s := authlete.New(
		authlete.WithRetryConfig(
			retry.Config{
				Strategy: "backoff",
				Backoff: &retry.BackoffStrategy{
					InitialInterval: 1,
					MaxInterval:     50,
					Exponent:        1.1,
					MaxElapsedTime:  100,
				},
				RetryConnectionErrors: false,
			}),
		authlete.WithSecurity(os.Getenv("AUTHLETE_BEARER")),
	)

	res, err := s.Service.Get(ctx, "<id>")
	if err != nil {
		log.Fatal(err)
	}
	if res.Service != nil {
		// handle response
	}
}

Error Handling

Handling errors in this SDK should largely match your expectations. All operations return a response object or an error, they will never return both.

By Default, an API error will return apierrors.APIError. When custom error responses are specified for an operation, the SDK may also return their associated error. You can refer to respective Errors tables in SDK docs for more details on possible error types for each operation.

For example, the Get function may return the following errors:

Error Type	Status Code	Content Type
apierrors.ResultError	400, 401, 403	application/json
apierrors.ResultError	500	application/json
apierrors.APIError	4XX, 5XX	*/*

Example

package main

import (
	"context"
	"errors"
	authlete "github.com/authlete/authlete-go-sdk"
	"github.com/authlete/authlete-go-sdk/models/apierrors"
	"log"
	"os"
)

func main() {
	ctx := context.Background()

	s := authlete.New(
		authlete.WithSecurity(os.Getenv("AUTHLETE_BEARER")),
	)

	res, err := s.Service.Get(ctx, "<id>")
	if err != nil {

		var e *apierrors.ResultError
		if errors.As(err, &e) {
			// handle error
			log.Fatal(e.Error())
		}

		var e *apierrors.ResultError
		if errors.As(err, &e) {
			// handle error
			log.Fatal(e.Error())
		}

		var e *apierrors.APIError
		if errors.As(err, &e) {
			// handle error
			log.Fatal(e.Error())
		}
	}
}

Server Selection

Select Server by Index

You can override the default server globally using the WithServerIndex(serverIndex int) option when initializing the SDK client instance. The selected server will then be used as the default on the operations that use it. This table lists the indexes associated with the available servers:

#	Server	Description
0	https://us.authlete.com	🇺🇸 US Cluster
1	https://jp.authlete.com	🇯🇵 Japan Cluster
2	https://eu.authlete.com	🇪🇺 Europe Cluster
3	https://br.authlete.com	🇧🇷 Brazil Cluster

Example

package main

import (
	"context"
	authlete "github.com/authlete/authlete-go-sdk"
	"log"
	"os"
)

func main() {
	ctx := context.Background()

	s := authlete.New(
		authlete.WithServerIndex(0),
		authlete.WithSecurity(os.Getenv("AUTHLETE_BEARER")),
	)

	res, err := s.Service.Get(ctx, "<id>")
	if err != nil {
		log.Fatal(err)
	}
	if res.Service != nil {
		// handle response
	}
}

Override Server URL Per-Client

The default server can also be overridden globally using the WithServerURL(serverURL string) option when initializing the SDK client instance. For example:

package main

import (
	"context"
	authlete "github.com/authlete/authlete-go-sdk"
	"log"
	"os"
)

func main() {
	ctx := context.Background()

	s := authlete.New(
		authlete.WithServerURL("https://br.authlete.com"),
		authlete.WithSecurity(os.Getenv("AUTHLETE_BEARER")),
	)

	res, err := s.Service.Get(ctx, "<id>")
	if err != nil {
		log.Fatal(err)
	}
	if res.Service != nil {
		// handle response
	}
}

Custom HTTP Client

The Go SDK makes API calls that wrap an internal HTTP client. The requirements for the HTTP client are very simple. It must match this interface:

type HTTPClient interface {
	Do(req *http.Request) (*http.Response, error)
}

The built-in net/http client satisfies this interface and a default client based on the built-in is provided by default. To replace this default with a client of your own, you can implement this interface yourself or provide your own client configured as desired. Here's a simple example, which adds a client with a 30 second timeout.

import (
	"net/http"
	"time"

	"github.com/authlete/authlete-go-sdk"
)

var (
	httpClient = &http.Client{Timeout: 30 * time.Second}
	sdkClient  = authlete.New(authlete.WithClient(httpClient))
)

This can be a convenient way to configure timeouts, cookies, proxies, custom headers, and other low-level configuration.

Development

Maturity

This SDK is in beta, and there may be breaking changes between versions without a major version update. Therefore, we recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes unless you are intentionally looking for the latest version.

Contributions

While we value open-source contributions to this SDK, this library is generated programmatically. Any manual changes added to internal files will be overwritten on the next generation. We look forward to hearing your feedback. Feel free to open a PR or an issue with a proof of concept and we'll do our best to include it in a future release.

SDK Created by Speakeasy