📖 2 min read (~ 500 words).

Client-side credentials

Server-side authentication is the Authenticator story. Client-side authentication is the ClientAuthInfoWriter story — pure encoding: take credentials, set the right header / query parameter on the outgoing request. See client / authentication for the full reference; this page is a recipe collection.

Built-in writers

rt := client.New("api.example.com", "/v1", []string{"https"})

// One of:
rt.DefaultAuthentication = client.BasicAuth("alice", "s3cret")
rt.DefaultAuthentication = client.APIKeyAuth("X-Api-Key", "header", apiKey)
rt.DefaultAuthentication = client.APIKeyAuth("api_key", "query", apiKey)
rt.DefaultAuthentication = client.BearerToken(accessToken)

Full source: docs/examples/auth/clientside/main.go

DefaultAuthentication is used for any operation that does not specify its own. Per-operation override:

op.AuthInfo = client.BearerToken(operationSpecificToken)

Full source: docs/examples/auth/clientside/main.go

Composing multiple credentials

For APIs that require more than one credential header on the same request (an API key plus a bearer token, say):

rt.DefaultAuthentication = client.Compose(
	client.APIKeyAuth("X-Api-Key", "header", apiKey),
	client.BearerToken(accessToken),
)

Full source: docs/examples/auth/clientside/main.go

Compose skips nil writers; the first one to return an error short-circuits the chain.

Refreshing OAuth2 tokens

BearerToken captures a fixed string. For tokens that need to refresh mid-session, wrap a golang.org/x/oauth2.TokenSource:

// requires `golang.org/x/oauth2` — left inline because the doc-examples
// module intentionally avoids pulling in that dependency.
import (
    "github.com/go-openapi/runtime"
    "github.com/go-openapi/strfmt"
    "golang.org/x/oauth2"
)

func OAuth2(src oauth2.TokenSource) runtime.ClientAuthInfoWriter {
    return runtime.ClientAuthInfoWriterFunc(func(r runtime.ClientRequest, _ strfmt.Registry) error {
        tok, err := src.Token() // refreshes when expired
        if err != nil {
            return err
        }
        return r.SetHeaderParam("Authorization", "Bearer "+tok.AccessToken)
    })
}

rt.DefaultAuthentication = OAuth2(myTokenSource)

Custom: HMAC body signing

Sign the body with a shared secret and attach the signature as a header:

// HMACSignature attaches an HMAC-SHA256 signature of the request body
// as `X-Sig`, along with the key identifier as `X-Sig-Key`.
func HMACSignature(keyID string, key []byte) runtime.ClientAuthInfoWriter {
	return runtime.ClientAuthInfoWriterFunc(func(r runtime.ClientRequest, _ strfmt.Registry) error {
		body := r.GetBody()
		mac := hmac.New(sha256.New, key)
		mac.Write(body)
		sig := hex.EncodeToString(mac.Sum(nil))
		if err := r.SetHeaderParam("X-Sig-Key", keyID); err != nil {
			return err
		}
		return r.SetHeaderParam("X-Sig", sig)
	})
}

Full source: docs/examples/auth/clientside/main.go

Then wire it on the runtime:

rt.DefaultAuthentication = HMACSignature("k1", sharedSecret)

The runtime calls AuthenticateRequest after the operation’s parameters have been bound — so for buffered bodies r.GetBody() returns the encoded payload. For streaming bodies (multipart, raw streams) the runtime arranges a body-copy closure so the signer sees the bytes that go on the wire; see client / requests for the exact assembly path.

Explicit “no auth”

For operations whose spec lists a security requirement that should be satisfied by sending nothing (rare but legal):

op.AuthInfo = client.PassThroughAuth

Full source: docs/examples/auth/clientside/main.go

A nil writer would have the same effect — PassThroughAuth is the explicit version, useful when you want the intent to read clearly in review.