JWTs Authentication with Go, echo, and GraphQL

A simple tutorial of JWT authentication using Go, echo, and GraphQL

Manato Kuroda


I’ve introduced how to build Go API with GraphQL in the previous post. This post will highlight an authentication of GraphQL API.

Example Repo

Here is a link to the codebase in full for reference:


To quickly start off, you can set up GraphQL API by following the post:

In case you are not familiar with JWTs, you can check the introduction before starting.


jwt-go allow us to use JWTs in Go. Then install:

go get github.com/dgrijalva/jwt-go

Generate RSA key

JSON Web Tokens offer a simple way to generate tokens for any APIs and these tokens include a payload that should be cryptographically signed. The Popular way of signatures is using HS256 signing which needs the secret key when generating and validating tokens both. For microservices, it means that the secret key needs to be accessible in multiple locations and that it increases the risk of it being compromised.

Public-Key Signatures is a better way of storing the signing key safely in one service and only used to generate keys, while other services can verify the tokens without having access to the key. In this article, we take advantage of it.

Generate RSA key in the root project:

$ ssh-keygen -t rsa -m PEM

Enter your project path:

Generating public/private rsa key pair.
Enter file in which to save the key: