Auth Microservice

Auth that other services can plug into and forget about.

I built this because every backend project I started kept growing its own slightly-different auth layer, and the worst place to ad-lib is the part that decides who you are. The goal was a small, opinionated service that other things could just talk to and trust.

Most of the time was spent on the things that don’t demo well: rotating refresh tokens cleanly, deciding what to do when an OAuth provider sneezes, making sure rate limits worked across replicas. Nothing here is novel. The whole point is that it isn’t. Auth bugs tend to be the kind that show up at 3am in a way that’s very hard to roll back, and the safest thing you can do is stay close to patterns that have been beaten on by other people for years.

Go was the right call for it. Not because of any specific language feature (I could’ve written this in Node or Rust), but because the standard library is dense enough that I didn’t need many dependencies, and the binary I shipped was small and fast to start. Cold-starting an auth service in 30ms instead of 2s was a real quality-of-life thing for the dev environment.

The hardest part was figuring out the contract for downstream services. Every team wanted slightly different claims in the token. I spent more time saying no to those requests than implementing the service itself. The right answer was to keep tokens minimal and let services fetch the rest of what they needed at the edge of their own boundary. Putting business data in JWTs is a trap that takes years to get out of.
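What "keep tokens minimal" looks like in code, as an added example and not the project's own source: the token carries only identity, issuer and lifetime, the verifier pins the algorithm and rejects any token that smuggles extra claims past the contract, and the downstream service fetches everything else itself. It uses only the Go standard library; the `Claims` shape, the `auth.internal` issuer, the key and the `ProfileFor` lookup are all assumptions made for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the entire contract between the auth service and its consumers:
// who, issued by whom, valid until when. No roles, no profile, no business
// data. (Hypothetical shape chosen for this example.)
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

func sign(key []byte, input string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// signPayload wraps an already-serialised claims object in an HS256 JWT.
func signPayload(key, payload []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(payload)
	return signingInput + "." + b64.EncodeToString(sign(key, signingInput))
}

// Mint issues a token carrying only the minimal claims.
func Mint(key []byte, sub, iss string, now time.Time, ttl time.Duration) (string, error) {
	body, err := json.Marshal(Claims{Sub: sub, Iss: iss, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	return signPayload(key, body), nil
}

// Verify checks algorithm, signature, issuer and lifetime, and refuses any
// token whose payload has fields outside the Claims contract.
func Verify(key []byte, token, wantIss string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	// The algorithm is pinned server-side; the header is checked, never obeyed.
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	if !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	// DisallowUnknownFields is the contract enforcement: a "plan" or "role"
	// claim that someone talked into the token fails here, loudly.
	dec := json.NewDecoder(strings.NewReader(string(payload)))
	dec.DisallowUnknownFields()
	var c Claims
	if err := dec.Decode(&c); err != nil {
		return nil, fmt.Errorf("claims outside contract: %w", err)
	}
	if c.Iss != wantIss {
		return nil, errors.New("wrong issuer")
	}
	if c.Sub == "" || now.Unix() >= c.Exp {
		return nil, errors.New("expired or anonymous token")
	}
	return &c, nil
}

// ProfileFor stands in for the consuming service's own lookup: anything
// beyond identity is fetched at its boundary, not read out of the token.
// The data is constructed for the demo.
func ProfileFor(sub string) map[string]string {
	store := map[string]map[string]string{"user-42": {"display": "Ada", "plan": "pro"}}
	return store[sub]
}

func main() {
	key := []byte("constructed-demo-key-not-for-production")
	now := time.Unix(1700000000, 0)
	tok, _ := Mint(key, "user-42", "auth.internal", now, 15*time.Minute)
	if c, err := Verify(key, tok, "auth.internal", now.Add(time.Minute)); err == nil {
		fmt.Println(c.Sub, ProfileFor(c.Sub)["plan"])
	}
}
```

The verifier deliberately treats an unexpected claim as a hard failure rather than ignoring it: silently tolerating extra fields is how a token contract grows by accretion until nobody can shrink it again.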

If I rebuilt it tomorrow I’d be more aggressive about WebAuthn from day one. The flow is clunky to implement but users seem to genuinely prefer it once it’s wired up, and the security story is meaningfully better than passwords plus a TOTP on the side.