Skip to main content

Backend guide

After a successful login Hanko issues a cookie containing a JSON Web Token (JWT). You can use this JWT to authenticate requests on your backend. To do so, first retrieve the JSON Web Key Set (JWKS) containing the public keys used to verify the JWT from the Hanko API's .well-known/jwks.json endpoint. Then use the JWKS to verify the JWT using a library for the programming language of your choice.

This is an example of a custom middleware in a Go-based backend using Echo and the lestrrat-go/jwx package:

import (    "context"    "fmt"    "log"    "net/http"    "github.com/labstack/echo/v4"    "github.com/lestrrat-go/jwx/v2/jwk"    "github.com/lestrrat-go/jwx/v2/jwt")func SessionMiddleware() echo.MiddlewareFunc {  return func(next echo.HandlerFunc) echo.HandlerFunc {    return func(c echo.Context) error {      cookie, err := c.Cookie("hanko")      if err == http.ErrNoCookie {        return c.Redirect(http.StatusTemporaryRedirect, "/unauthorized")      }      if err != nil {        return err      }      // replace "hankoApiURL" with your API URL      set, err := jwk.Fetch(        context.Background(),        fmt.Sprintf("%v/.well-known/jwks.json", hankoApiURL)      )      if err != nil {        return err      }      token, err := jwt.Parse([]byte(cookie.Value), jwt.WithKeySet(set))      if err != nil {        return c.Redirect(http.StatusTemporaryRedirect, "/unauthorized")      }      log.Printf("session for user '%s' verified successfully", token.Subject())      c.Set("token", cookie.Value)      c.Set("user", token.Subject())      return next(c)    }  }}