SDK Quickstart
Wire a real authorization check from Go using the local Thauth SDK contract.
The local Go SDK wraps the public project-scoped /v1/* endpoints.
What the SDK currently exposes
- Check
- CheckBatch
- GetConfig
- UpsertSubject
Construct a client
Create the client with your API base URL and a project API key.
    package main

    import (
        "context"
        "fmt"
        "log"

        "github.com/ThauthProject/thauth-backend/sdk/go/thauth"
    )

    func main() {
        // Placeholder key: load the real project API key from the environment
        // or a secret store instead of committing it to source control.
        client := thauth.NewClient("https://api.thauth.dev", "thauth_project_key")

        resp, err := client.Check(context.Background(), thauth.CheckRequest{
            Subject: "user:alice",
            Feature: "billing",
            Action:  "read",
        })
        if err != nil {
            log.Fatal(err)
        }
        fmt.Println(resp.Allowed, resp.Reason)
    }
Use tenant scope when needed
Pass TenantID on a single check when the same subject can belong to multiple customer workspaces.
    tenant := "tenant_acme"
    resp, err := client.Check(ctx, thauth.CheckRequest{
        Subject:  "user:alice",
        Feature:  "reports",
        Action:   "export",
        TenantID: &tenant,
    })
Batch checks for menu and screen gating
Use CheckBatch when one page needs several decisions for the same subject.
    resp, err := client.CheckBatch(ctx, thauth.CheckBatchRequest{
        Subject: "user:alice",
        Checks: []thauth.CheckBatchItem{
            {Feature: "billing", Action: "read"},
            {Feature: "billing", Action: "write"},
            {Feature: "reports", Action: "export"},
        },
    })
Sync subject assignments from your app
UpsertSubject lets your application create or update a subject and attach role IDs or override-backed permissions through the public project API.
    tenantID := "tenant_acme"
    resp, err := client.UpsertSubject(ctx, thauth.UpsertSubjectRequest{
        SubjectID:   "user:alice",
        SubjectType: "user",
        TenantID:    &tenantID,
        RoleIDs:     []string{"334858ea-4454-4f5e-84ae-afd1c0644d85"},
        Permissions: []thauth.UpsertSubjectPermission{
            {FeatureID: "6ea4a805-a7fa-4136-8995-7edfe15c4a0f", Action: "read", Effect: "allow"},
        },
    })
Pull project config
Use GetConfig when you need the feature, action, and role map that belongs to the authenticated project key.
    cfg, err := client.GetConfig(ctx)
    if err != nil {
        return err
    }
    fmt.Println(cfg.Project.Name, cfg.Version)
The returned config contains:
- project { id, name }
- version
- features[] { id, name, description?, actions[] { id, action } }
- roles[] { id, name, description?, permissions[] { feature_id, feature_name, action_id, action } }
Error handling
The SDK returns API errors for non-200 responses. Treat invalid or expired project keys as integration failures and rotate them through your normal account management workflow.
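A fail-closed HTTP gate built around the Check call and the error behaviour described above, as an added example that is not code from the Thauth SDK. CheckRequest, CheckResponse, CheckFunc, Require, stub and StatusFor are local stand-ins or hypothetical names, and the 2-second timeout and the 503/403 mapping are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Local stand-ins with the fields this page shows; not the SDK's own types.
type CheckRequest struct{ Subject, Feature, Action string }
type CheckResponse struct{ Allowed bool; Reason string }
// CheckFunc is the assumed shape of client.Check; tests pass a double instead.
type CheckFunc func(ctx context.Context, req CheckRequest) (CheckResponse, error)

// Require gates next; subjectOf (hypothetical) reads the subject from your session layer.
func Require(check CheckFunc, feature, action string, subjectOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, cancel := context.WithTimeout(r.Context(), 2*time.Second) // assumed budget
		defer cancel()
		resp, err := check(ctx, CheckRequest{Subject: subjectOf(r), Feature: feature, Action: action})
		switch {
		case err != nil: // API error, bad key or timeout: fail closed, ignore resp
			http.Error(w, "authorization unavailable", http.StatusServiceUnavailable)
		case !resp.Allowed:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// stub builds a constructed CheckFunc that always returns the given decision and error.
func stub(allowed bool, err error) CheckFunc {
	return func(context.Context, CheckRequest) (CheckResponse, error) { return CheckResponse{Allowed: allowed}, err }
}

// StatusFor sends one constructed request through Require and returns the HTTP status.
func StatusFor(check CheckFunc) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	Require(check, "billing", "read", func(*http.Request) string { return "user:alice" }, ok).ServeHTTP(rec, httptest.NewRequest("GET", "/billing", nil))
	return rec.Code
}

func main() {
	fmt.Println(StatusFor(stub(true, context.DeadlineExceeded)))
}
```

With the real SDK, adapt client.Check to the CheckFunc shape using the SDK's own request and response types.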