By Kunal Dawar
This tutorial demonstrates how to call your protected Go API from client applications. We recommend that you log in to follow this quickstart with examples configured for your account.

Calling the API From Your Application

You can call your protected API from your application by passing an Access Token in the Authorization header of your HTTP request as a Bearer token.
The examples use port 8080. Update the port in your requests to match your server configuration.

Obtaining an Access Token

If you are calling the API from a Single-Page Application or a Mobile/Native application, you receive an Access Token once the authorization flow completes. How you get the token and how you make the call to the API depend on the type of application you are developing and the framework you are using.
For testing purposes, you can also get an Access Token from the Test tab in your API settings.

Test Your Protected API

1. Test Public Endpoint (No Authentication)

You can make a request to the /api/public endpoint without passing any Access Token:
Expected: 200 OK with message “Hello from a public endpoint! No authentication required.”

2. Test Private Endpoint Without Token

This should fail with a 401 error:
Expected: 401 Unauthorized {"error": "invalid_token"}

3. Test Private Endpoint With Token

This should succeed with a valid token:
Expected: 200 OK with user information

4. Test Scoped Endpoint (Permission Required)

To test the endpoint that requires a scope, pass the Access Token containing the correct scope (read:messages) as a Bearer token:
Expected with scope: 200 OK with read:messages permission
If the required scope is not present, the API returns a 403 HTTP Status (Forbidden): Insufficient permissions

API Response Behavior

The middleware returns RFC 6750 compliant error responses with structured JSON:
401 Unauthorized (token missing or invalid):
{"error": "invalid_token", "description": "authorization header missing"}
403 Forbidden (insufficient permissions):
Insufficient permissions
The response includes a WWW-Authenticate header for proper OAuth 2.0 compliance:
WWW-Authenticate: Bearer error="invalid_token", error_description="token expired"
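
The Go client below is an added example, not part of the original quickstart or the middleware's own code. It sends the Bearer request described in the steps above and parses the WWW-Authenticate challenge shown in this section; the /api/private path and the ACCESS_TOKEN environment variable are assumptions, and port 8080 follows the page.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"regexp"
	"strings"
	"time"
)

var authParam = regexp.MustCompile(`(\w+)="([^"]*)"`)

// bearerChallenge returns the quoted auth-params of an RFC 6750 challenge, or nil for other schemes.
func bearerChallenge(h string) map[string]string {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(h), " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return nil
	}
	params := map[string]string{}
	for _, m := range authParam.FindAllStringSubmatch(rest, -1) {
		params[m[1]] = m[2]
	}
	return params
}

// newRequest builds a GET and attaches the token only when one is supplied.
func newRequest(url, token string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err == nil && token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	return req, err
}

func main() {
	client := &http.Client{Timeout: 5 * time.Second}
	// Assumed names: ACCESS_TOKEN and /api/private. Keep tokens out of source and logs.
	req, err := newRequest("http://localhost:8080/api/private", os.Getenv("ACCESS_TOKEN"))
	if err != nil {
		panic(err)
	}
	resp, err := client.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	fmt.Println(resp.Status, bearerChallenge(resp.Header.Get("WWW-Authenticate")))
}
```

Run it once with ACCESS_TOKEN unset to see the 401 challenge fields, then again with a token from the Test tab.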
