// token is the API endpoint that refreshes tokens.
// Most of the code is taken from the jwt-go package's sample code.
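func (h *handler) token(c echo.Context) error {
	// Contract: the request body is JSON of the form {"refresh_token": "..."}.
	// A refresh token that verifies and belongs to a known user is exchanged
	// for a new token pair; every authentication failure is answered with
	// echo.ErrUnauthorized so the response does not reveal why it was rejected.
	type tokenReqBody struct {
		RefreshToken string `json:"refresh_token"`
	}

	tokenReq := tokenReqBody{}
	// The body has to be bound before it is read; otherwise RefreshToken is
	// always the empty string and no token can ever be refreshed.
	if err := c.Bind(&tokenReq); err != nil {
		return echo.NewHTTPError(http.StatusBadRequest, "invalid request body")
	}
	if tokenReq.RefreshToken == "" {
		return echo.NewHTTPError(http.StatusBadRequest, "refresh_token is required")
	}

	// Parse takes the token string and a function for looking up the key.
	// The latter is especially useful if you use multiple keys for your application.
	// The standard is to use 'kid' in the head of the token to identify
	// which key to use, but the parsed token (head and claims) is provided
	// to the callback, providing flexibility.
	token, err := jwt.Parse(tokenReq.RefreshToken, func(token *jwt.Token) (interface{}, error) {
		// Pin the algorithm family. The "alg" header is attacker-controlled,
		// so the verifier, not the token, must decide which method is acceptable.
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
		}

		// NOTE(review): sample secret hard-coded in source. Anyone who can read
		// this file can mint valid tokens; load the key from configuration or a
		// secret store before using this outside a demo.
		return []byte("secret"), nil
	})
	// Parse may hand back a nil token together with the error (e.g. for a
	// malformed string), so err must be checked before token is dereferenced.
	if err != nil || token == nil || !token.Valid {
		return echo.ErrUnauthorized
	}

	claims, ok := token.Claims.(jwt.MapClaims)
	if !ok {
		return echo.ErrUnauthorized
	}

	// Get the user record from database or
	// run through your business logic to verify if the user can log in.
	// JSON numbers decode to float64; the checked assertion keeps a missing or
	// non-numeric "sub" claim from panicking the handler.
	sub, ok := claims["sub"].(float64)
	if !ok || int(sub) != 1 {
		return echo.ErrUnauthorized
	}
	// NOTE(review): nothing visible here tells a refresh token apart from an
	// access token signed with the same key — confirm generateTokenPair marks
	// them and check that marker here.

	newTokenPair, err := generateTokenPair()
	if err != nil {
		return err
	}

	return c.JSON(http.StatusOK, newTokenPair)
}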