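// token is the API handler that exchanges a refresh token for a new token pair.
// Most of the code is taken from the jwt-go package's sample code.
//
// It reads {"refresh_token": "..."} from the request body, verifies the
// token's HMAC signature and validity, and responds with the result of
// generateTokenPair as JSON when the "sub" claim is 1. A token that fails to
// parse, fails validation, or carries an unexpected "sub" claim yields
// echo.ErrUnauthorized; the parser's own error is not returned to the client.
func (h *handler) token(c echo.Context) error {
	type tokenReqBody struct {
		RefreshToken string `json:"refresh_token"`
	}

	var tokenReq tokenReqBody
	// Populate tokenReq from the request body. Without this step the refresh
	// token is always the empty string and every request is rejected.
	if err := c.Bind(&tokenReq); err != nil {
		return err
	}

	// Parse takes the token string and a function for looking up the key.
	// The latter is especially useful if you use multiple keys for your application.
	// The standard is to use 'kid' in the head of the token to identify
	// which key to use, but the parsed token (head and claims) is provided
	// to the callback, providing flexibility.
	token, err := jwt.Parse(tokenReq.RefreshToken, func(token *jwt.Token) (interface{}, error) {
		// Pin the algorithm family before handing out the key: a token whose
		// header names anything other than an HMAC method is rejected here.
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
		}

		// NOTE(review): this is a hard-coded sample key. Anyone who can read
		// the source can mint tokens this handler accepts; load the key from
		// configuration or a secret store before using this outside a demo.
		return []byte("secret"), nil
	})
	// Check the parse result before touching token: a malformed or empty
	// string can make Parse return a nil token alongside the error, and
	// dereferencing it would panic the handler.
	if err != nil || token == nil || !token.Valid {
		return echo.ErrUnauthorized
	}

	claims, ok := token.Claims.(jwt.MapClaims)
	if !ok {
		return echo.ErrUnauthorized
	}

	// NOTE(review): nothing here distinguishes a refresh token from any other
	// token signed with the same key. Confirm that generateTokenPair uses a
	// separate key or a token-type claim for refresh tokens.

	// Get the user record from database or
	// run through your business logic to verify if the user can log in.
	// JSON numbers decode to float64; the comma-ok form rejects a missing or
	// non-numeric "sub" instead of panicking on the type assertion.
	sub, ok := claims["sub"].(float64)
	if !ok || int(sub) != 1 {
		return echo.ErrUnauthorized
	}

	newTokenPair, err := generateTokenPair()
	if err != nil {
		return err
	}

	return c.JSON(http.StatusOK, newTokenPair)
}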