Google Sign-In, owned sessions

Ship a complete auth layer without shipping tokens.

TAuth sits between Google Identity Services and your UI. It mints first-party JWT cookies, rotates refresh tokens, and exposes a clean, single-origin contract that front-ends can trust.

Single binary · Multi-tenant · Preflight ready
tauth preflight
$ tauth preflight --config=config.yaml
schema_version: tauth.preflight.v2
service: tauth v0.x
effective_config: redacted
dependencies: refresh_store OK

First-party cookies

Access sessions live in HttpOnly cookies, not local storage. SameSite rules are derived per tenant.

Tenant aware

Host multiple products with tenant-specific cookies, issuers, and refresh TTLs in one config.

Preflight validation

Emit a redacted config report so orchestrators can validate secrets and endpoints before launch.

Drop-in client

Use the hosted auth-client.js to handle nonce exchange, refresh retries, and logout state.

Layout structure

Hero, feature grid, deep dives, and a focused get-started block keep the story crisp for GitHub Pages. Everything is tuned for a dark, neon-accented presentation with monospace headings.

Sections:
- Hero + preflight snippet
- Feature blocks
- Auth flow, JWT validation, tenant config
- Get started links
- Footer integration

Auth flow built for product teams

Clients post Google credentials to /auth/google, receive signed cookies, and hit /me for profile data. Refresh and logout are server-only, keeping token handling off the frontend.

POST /auth/nonce
POST /auth/google
POST /auth/refresh
POST /auth/logout
GET  /me

Downstream JWT validation

Downstream Go services validate the app_session cookie with shared issuer and signing key settings. The sessionvalidator helper loads tenant config so every service agrees on cookie names.

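// SigningKey and Issuer must match the values TAuth signs this tenant's cookies with.
validator, err := sessionvalidator.New(
  sessionvalidator.Config{
    SigningKey: signingKey,
    Issuer:     "tauth",
  },
)
if err != nil {
  // Fail closed: do not serve requests without a working validator.
  log.Fatalf("sessionvalidator: %v", err)
}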
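The checks a downstream service has to make on the app_session cookie value, as an added example using only the Go standard library; it is not TAuth's sessionvalidator code. It assumes the cookie carries an HS256 JWT with iss, sub and exp claims, and Claims, Seal, Verify, the key and the token values are hypothetical, constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

type Claims struct { // assumed claim set; the page does not list TAuth's claims
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// Seal appends the base64url HMAC-SHA256 tag to a "header.payload" string.
func Seal(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(m.Sum(nil))
}

// Verify recomputes the tag (the header never picks the algorithm), then checks claims.
func Verify(token string, key []byte, issuer string, now int64) (c Claims, err error) {
	var hdr struct{ Alg string `json:"alg"` }
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(token), []byte(Seal(key, p[0]+"."+p[1]))) {
		return c, errors.New("bad signature") // constant-time compare
	}
	h, e1 := b64.DecodeString(p[0])
	body, e2 := b64.DecodeString(p[1])
	if e1 != nil || e2 != nil || json.Unmarshal(h, &hdr) != nil || json.Unmarshal(body, &c) != nil {
		return Claims{}, errors.New("malformed token")
	}
	if hdr.Alg != "HS256" || c.Iss != issuer || now >= c.Exp { // missing exp is 0: rejected
		return Claims{}, errors.New("rejected: alg, iss or exp")
	}
	return c, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample values throughout
	msg := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(`{"iss":"tauth","sub":"u1","exp":1700003600}`))
	fmt.Println(Verify(Seal(key, msg), key, "tauth", 1700000000))
}
```

In a multi-tenant deployment the key and issuer passed to Verify would come from the tenant the request resolved to, so a cookie minted for one tenant fails the MAC check under another tenant's key.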

Tenant config as a contract

A single YAML file describes every tenant, cookie domain, and TTL. The resolver maps requests to the correct tenant by host or optional headers for shared origins.

tenants:
  - id: "notes"
    allowed_hosts: ["notes.localhost"]
    google_web_client_id: "..."
    jwt_signing_key: "..."
    session_cookie_name: "app_session_notes"

Get started in minutes

Launch the binary, point it at config.yaml, and let the hosted client handle the browser-side exchange.

quickstart
$ tauth --config=config.yaml
listen :8443
cookies: app_session / app_refresh
auth-client.js: /static/auth-client.js