A standalone authentication microservice built in Go with JWT access tokens, refresh token rotation, role-based access control, rate limiting, and structured logging.
Authentication is infrastructure that every production system needs but few portfolios implement properly. This microservice demonstrates JWT with refresh token rotation, RBAC middleware, brute-force protection via rate limiting, and operational readiness with health checks and metrics.
- JWT access tokens (1-hour expiry, HS256 signed)
- Refresh token rotation (cryptographic random tokens, one-time use)
- Role-based access control (user, admin roles with middleware enforcement)
- Rate limiting (sliding window per IP, configurable limits)
- Structured logging (method, path, status, latency per request)
- Health check endpoint for load balancers
- Metrics endpoint (uptime, request count, user count)
- Thread-safe in-memory store (swap for PostgreSQL/Redis in production)
- Docker multi-stage build (3MB final image)
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /health |
No | Health check |
| GET | /metrics |
No | Uptime, request count, user count |
| POST | /auth/register |
No | Create account (rate limited) |
| POST | /auth/login |
No | Get access + refresh tokens (rate limited) |
| POST | /auth/refresh |
No | Rotate refresh token for new token pair |
| GET | /api/me |
JWT | Get current user profile |
| GET | /api/admin/stats |
JWT + Admin | Admin-only statistics |
git clone https://github.com/ctonneslan/auth-microservice.git
cd auth-microservice
go run .Server starts at http://localhost:8080.
docker build -t auth-service .
docker run -p 8080:8080 -e JWT_SECRET=your-secret auth-service# Register
curl -X POST localhost:8080/auth/register \
-H "Content-Type: application/json" \
-d '{"email":"user@example.com","name":"Alice","password":"securepass"}'
# Login (returns access_token + refresh_token)
curl -X POST localhost:8080/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"user@example.com","password":"securepass"}'
# Access protected route
curl localhost:8080/api/me \
-H "Authorization: Bearer <access_token>"
# Refresh tokens (rotates refresh token)
curl -X POST localhost:8080/auth/refresh \
-H "Content-Type: application/json" \
-d '{"refresh_token":"<refresh_token>"}'| Variable | Default | Description |
|---|---|---|
PORT |
8080 |
Server port |
JWT_SECRET |
dev-secret-change-in-production |
HMAC signing key |
main.go # Server setup, route registration
├── handlers/
│ └── auth.go # Register, Login, Refresh, Me handlers
├── middleware/
│ ├── auth.go # JWT validation + RBAC middleware
│ ├── ratelimit.go # Per-IP sliding window rate limiter
│ └── logging.go # Structured request logging
├── models/
│ └── user.go # Data types and request/response structs
└── store/
└── store.go # Thread-safe in-memory user + token store
- Passwords hashed with bcrypt (cost 12)
- JWT signed with HMAC-SHA256
- Refresh tokens are 256-bit cryptographic random
- Refresh token rotation (old token invalidated on use)
- Rate limiting on auth endpoints (20 req/min per IP)
- Protected routes require valid JWT in Authorization header
- Role-based access control for admin endpoints
MIT