I'm writing microservices in go and want to migrat...
# general
w
I'm writing microservices in Go and want to migrate to using SuperTokens (self-hosted). What is the "best practice" to authenticate requests on different services? Previously using AWS Cognito which gave me JWKs to validate requests.
r
hey @User it depends on who is querying those micro services - is the frontend querying them or is it one backend microservice to another?
w
Let’s discuss both scenarios as both happen. We have http endpoints coming from react front ends but also grpc and event driven communications too.
r
So from frontend you can query different API domains and share the same user session across all of them as long as all those API domains have the same top level domain. For backend to backend, you can use our JWT recipe to create JWTs and use that for auth. That being said, we will be working on all sorts of m2m auth soon (since using JWTs has its limitations)
w
Thanks for the reply, that is helpful. So the general idea is I'll need to install the SuperTokens Golang SDK on each service, run `supertokens.Init` with the same config and then use `session.VerifySession` on the endpoints I require? This is in addition to the new service I'm introducing which implements the required auth endpoints for the frontend SDK. Does that seem generally correct?
r
Yes. Correct!
w
Quick question: what is the suggested way to mock session verification? Basically I’d like to generate access tokens for component tests that’ll pass the session verification middleware without having to spin up a local version of core
r
That's unfortunately not optimised for yet 😦
The way we usually recommend testing is by spinning up the core (without a db) and using that to make requests and generate sessions for tests
You can also use the override feature we have to override the session recipe to make fake tokens and do this only during testing
Which SDK are you using? I can write up some sample code here to show you what I mean
w
Go
Yeah, some examples might be good. Still new to this library
r
Actually, nvm. Unfortunately there isn't an easy way to mock replies from the core on the SDK level. What you could do is to somehow add http interceptors to network calls like these: https://github.com/supertokens/supertokens-golang/blob/master/supertokens/querier.go#L187 And then mock back replies from the core.
The way we have set up our tests for the SDKs and stuff is that we spin up a core for each test (or a group of tests).
w
Ah ok, thanks 👍