Once Corbado is integrated into your frontend, users can log in using passkeys. Upon successful login, they receive a session-token. By default, this session-token is stored in a cookie and sent to your backend with every request (if same-origin; refer to session-token handling for more details). To verify whether a user is authenticated and to retrieve user data, you must validate the session-token in your backend. The official SDK for your language facilitates this process with its validateToken() (or similar) function.

Token Validation

The session-token is a JWT that requires validation. The validateToken() (or similar) function performs the following tasks:
  • Verifies the JWT signature using Corbado’s public keys (JWKS).
  • Checks the token’s expiration, validity, and other claims.
  • Returns the decoded claims if the token is valid, or throws an error if it is not.

Implementation

Below is an example of how to use the ValidateToken() function. As previously mentioned, by default, the session-token is stored in a cookie and sent to your backend. You will need to retrieve this cookie based on the HTTP framework you are using.
You can find instructions for installing and initializing the Corbado Go SDK in the official README.
// Initialize SDK with your project ID, API secret, frontend API URL, and backend API URL
config, err := corbado.NewConfig("<Your Project ID>", "<Your API secret>", "<Your Frontend API URL>", "<Your Backend API URL>")
if err != nil {
    panic(err)
}

sdk, err := corbado.NewSDK(config)
if err != nil {
    panic(err)
}

// Retrieve session-token (e.g., from a cookie)
sessionToken := "..."

// Validate session-token
user, err := sdk.Sessions().ValidateToken(sessionToken)
if err != nil {
    // session-token is invalid
    panic(err)
}

// session-token is valid
fmt.Println(user.UserID)
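
The validation step above, applied as a net/http middleware that answers 401 for a missing or invalid session-token instead of panicking. This is an added example, not code from the Corbado documentation or SDK. The validateFunc adapter, the cookie name session_token and the sample token values are assumptions made for illustration; in a real service validateFunc would wrap sdk.Sessions().ValidateToken.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// validateFunc is a hypothetical adapter: in a real service it would wrap
// sdk.Sessions().ValidateToken(token) and return user.UserID.
type validateFunc func(token string) (userID string, err error)
type ctxKey struct{} // context key under which the validated user ID is stored

// requireSession only calls next for requests with a valid session-token cookie.
// cookieName is an assumption: pass the cookie name your Corbado setup uses.
func requireSession(cookieName string, validate validateFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var userID string
		c, err := r.Cookie(cookieName)
		if err == nil {
			userID, err = validate(c.Value)
		}
		if err != nil || userID == "" { // fail closed: 401, no panic, no error detail
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, userID)))
	})
}

// statusFor sends one request with the given Cookie header through the middleware.
func statusFor(cookieHeader string) (int, string) {
	fake := func(t string) (string, error) { // constructed stand-in for the SDK call
		if t == "good-token" {
			return "usr-123", nil
		}
		return "", fmt.Errorf("invalid session-token")
	}
	h := requireSession("session_token", fake, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Context().Value(ctxKey{}))
	}))
	req := httptest.NewRequest(http.MethodGet, "/me", nil)
	req.Header.Set("Cookie", cookieHeader)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() { fmt.Println(statusFor("session_token=good-token")) }
```

Downstream handlers read the user ID from the request context, so they never see a request that skipped validation.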

Why is this important?

  • Ensures only valid, untampered tokens are accepted.
  • Protects your backend endpoints from unauthorized access.
  • Handles key rotation and validation logic for you.
For more details, see the Corbado Go SDK documentation.