Implementing security requires to first define the security schemes in the design, see security in the Design section for details.

Service Security

The service generated code define package functions for registering the security middlewares that actually implement the authorization. The functions are defined in the app package (unless the target package was overridden when running goagen) and follow naming pattern UseXXXMiddleware where XXX is the name of the security scheme, for example:

func UseAPIKeyMiddleware(service *goa.Service, middleware goa.Middleware)

The middleware should either return an error (typically a ErrUnauthorized) in case of authentication failure or proceed to calling the next handler in case of success.

The generated code also includes functions for instantiating security scheme data structures that contains a copy of the information provided in the design. This contains information that can be leveraged by the security middleware implementations. These functions follow the naming pattern NewXXXSecurity where XXX is the name of the security scheme, for example:

func NewAPIKeySecurity() *goa.APIKeySecurity

Security Middlewares

goa comes either complete or partial implementations of security middlewares for all security schemes.

Basic Auth

The simplistic implementation of a basic auth middleware can serve as a basis for more sophisticated implementations.


There is no security middleware implementation provided for the API key scheme as the validation simply consists of comparing two values. There is an example implementation though in the examples GitHub repository.


goa comes with a complete implementation for a JWT security middleware. The JWT example also demonstrates how to load keys to validate tokens.


Implementing OAuth2 requires more work as OAuth2 is not simply an authentication mechanism, it’s also a way to let third-parties impersonate service users. The oauth2 GitHub repository provides a framework for easily adding OAuth2 support to a goa service. Consult the README for additional information.


The security examples demonstrate how to implement security middlewares for all the supported schemes.