
Overview


Sesame is a guide for implementing authentication with Go and SQL. It’s inspired by Lucia Auth, which does the same thing for JavaScript.

You start with users and server-side sessions, then build up to a full production-ready auth system: password login, verification and recovery, rate limiting, inactivity timeouts, OAuth with PKCE, TOTP 2FA, and passkeys.

Sesame gives you:

  • SQL schemas and query patterns you can copy
  • Working code for each auth layer
  • A reference implementation style based on net/http
  • Security-focused defaults for cookies, CSRF, token handling, encryption, and abuse prevention

Sesame is not:

  • A framework or library you install
  • Middleware that hides how things work
  • JWT-based auth for browsers

JWTs are self-contained. You validate them with a signature check, no database call needed. That sounds good until you need to:

Revoke a token. A JWT is valid until it expires. Want to log out a user everywhere? Kill a stolen token? You need server-side state anyway: a denylist, token versioning, or an introspection endpoint. Once you add those, the “no database” benefit disappears.

Rotate tokens safely. JWT setups grow into short-lived access tokens plus long-lived refresh tokens, with storage rules, replay detection, and multi-device tracking. More moving parts means more ways to mess up.

Track sessions. Many JWT systems eventually add refresh token tables, blacklists, and device lists. At that point you’ve built sessions, but now your policy is split between what the token says and what the server knows.

Server-side sessions give you:

  • Instant revocation
  • Clean token rotation
  • Easy session lists and auditing
  • One source of truth

The database lookup on each request is usually not a problem. You’re probably already querying for user data anyway. Add caching if you need it.
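As an added example (not code from the Sesame guide itself), the session store below shows the revocation argument in Go: the server holds one row per session, so deleting that row is instant revocation, and deleting every row for a user is "log out everywhere". A map stands in for the SQL table (an assumption so the example runs offline); the SHA-256 of the token is the key, so only the hash ever reaches storage.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"time"
)

// ErrInvalidSession covers unknown, revoked and expired tokens alike.
var ErrInvalidSession = errors.New("invalid session")
// sessionRow mirrors a user_session row; keyed by SHA-256 of the token so a leaked table cannot be replayed.
type sessionRow struct {
	userID    int64
	expiresAt time.Time
}
// SessionStore: a map stands in for the SQL table (an assumption so the example runs offline);
// Create, Validate and Revoke correspond to INSERT, SELECT and DELETE on that table.
type SessionStore struct{ rows map[[32]byte]sessionRow }
func NewSessionStore() *SessionStore { return &SessionStore{rows: map[[32]byte]sessionRow{}} }
func hashToken(token string) [32]byte  { return sha256.Sum256([]byte(token)) }

// Create mints a 256-bit random token, stores only its hash and returns the raw token for the cookie.
func (s *SessionStore) Create(userID int64, now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.rows[hashToken(token)] = sessionRow{userID: userID, expiresAt: now.Add(ttl)}
	return token, nil
}

// Validate is the per-request lookup; expired rows are removed lazily.
func (s *SessionStore) Validate(token string, now time.Time) (int64, error) {
	row, ok := s.rows[hashToken(token)]
	if !ok || !now.Before(row.expiresAt) {
		delete(s.rows, hashToken(token))
		return 0, ErrInvalidSession
	}
	return row.userID, nil
}

// Revoke deletes one row, so the token fails on the very next request; RevokeAll is "log out everywhere".
func (s *SessionStore) Revoke(token string) { delete(s.rows, hashToken(token)) }
func (s *SessionStore) RevokeAll(userID int64) {
	for h, row := range s.rows {
		if row.userID == userID {
			delete(s.rows, h)
		}
	}
}
```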

Work through the sections in order. Each one builds on the previous:

  1. Users & Sessions - Foundation for secure server-side auth.
  2. Password Signup/Login - Signup/login flow with secure password handling.
  3. Email/Password - Additional email/password patterns and hardening.
  4. Verification & Recovery - Email verification and account recovery flows.
  5. Rate Limiting - Brute-force and abuse protection patterns.
  6. Inactivity Timeouts - Session idle expiry and renewal behavior.
  7. OAuth - Authorization Code flow with PKCE and secure callback handling.
  8. 2FA - TOTP enrollment, encrypted secret storage, and recovery codes.
  9. Passkeys - WebAuthn registration and authentication.

The guide uses Go’s standard library where possible. For focused areas, it uses go-nanoid, golang.org/x/oauth2, pquerna/otp, and go-webauthn.