Go
A small Go module for the server→server Background-Check flow (appraise evidence with your rh_sk_ secret key, get the verdict directly) plus offline token verification for the portable-token / badge path. Chi and Gin middleware are published as separate submodules so apps only compile what they use.
This SDK is implemented but not yet published to its package registry. Until it ships, mint attestation tokens on the device and verify them server-side with @rootherald/node (or any available server SDK). The API shown below is the planned surface and may change before release.
Two paths
Like every RootHerald server SDK, this one covers both halves of the model: server→server attest(the Background-Check default — your server submits the client's opaque evidence and gets the verdict back directly) and offline verify (validate a portable token against our JWKS, for thereturnToken case or the backend-less badge tier). The token-verify surface below is the offline path; the server→server attest surface mirrors @rootherald/node's createChallenge / attest.
Install
go get github.com/RootHerald/sdk-goVerify a token
client := rootherald.NewClient("https://rootherald.io",
rootherald.WithIssuer("rootherald.io/myorg"),
rootherald.WithAudience("my-app"),
)
verdict, claims, err := client.Verify(ctx, token)chi middleware
import (
"github.com/go-chi/chi/v5"
rh "github.com/RootHerald/sdk-go"
rhchi "github.com/RootHerald/sdk-go/chi"
)
r := chi.NewRouter()
r.Use(rhchi.Guard(rhchi.GuardConfig{
Verifier: client.Verifier(),
Action: "signup",
}))gin middleware
import rhgin "github.com/RootHerald/sdk-go/gin"
r := gin.Default()
r.POST("/signup",
rhgin.Guard(rhgin.GuardConfig{Verifier: client.Verifier()}),
signupHandler,
)Errors
switch {
case errors.Is(err, rootherald.ErrTokenExpired): // 401 + refresh
case errors.Is(err, rootherald.ErrSignature): // 401, suspect tamper
case errors.Is(err, rootherald.ErrJwksUnavailable): // 503, retry later
}Sample
A runnable hello-world chi server is at RootHerald/sdk-go/examples/hello.