Skip to main content
After successful authentication, Hanko generates a session token stored as a cookie. This guide shows how to validate these session tokens in your Go backend to authenticate API requests.

Get the Hanko API URL

Retrieve your project’s API URL from the Hanko Console. This URL is used to validate session tokens.
If you are self-hosting Hanko, use your self-hosted instance URL instead.

Authentication flow

To authenticate requests in your Go backend:
  1. Extract the session token from the HTTP cookie
  2. Validate the token using Hanko’s session validation API
  3. Allow or deny the request based on validation result

Implementation example

This example shows how to create a session validator that can be used as middleware in your Go application:

Using the validator as middleware

Here’s how to use the session validator to protect your API endpoints: