Cannot get Golang Auth Plugin to execute in OAS template

I’m migrating API definitions from legacy to OAS to utilize multi-auth, but I cannot seem to get custom Golang authentication plugins to execute.

I have since moved to running the custom auth code in a post-auth plugin just to have something working, but it would be way better to be able to use them in the auth step.

I can’t find an example of the OAS API format with a custom auth plugin that utilizes Golang. Is it still supported?

Yes, custom Golang authentication plugins are fully supported in OAS APIs.

To configure a custom Golang authentication plugin in the OAS format, you need to define it within the x-tyk-api-gateway extension. The configuration requires two main parts:

  1. server.authentication: Set the baseIdentityProvider to “custom_auth” and configure the custom block with your plugin details (function name, path to .so file).
  2. middleware.global.pluginConfig: Set the driver to “goplugin”.

Here is an example of the OAS API format with a custom Golang auth plugin that should be viable:

```json
{
  "openapi": "3.0.0",
  "info": {
    "title": "API with Custom Go Auth",
    "version": "1.0.0"
  },
  "paths": {},
  "x-tyk-api-gateway": {
    "info": {
      "name": "API with Custom Go Auth",
      "state": {
        "active": true
      }
    },
    "server": {
      "listenPath": {
        "value": "/my-api",
        "strip": true
      },
      "authentication": {
        "enabled": true,
        "baseIdentityProvider": "custom_auth",
        "custom": {
          "enabled": true,
          "config": {
            "enabled": true,
            "functionName": "MyAuthFunction",
            "path": "/opt/tyk-gateway/middleware/my_plugin.so",
            "rawBodyOnly": false,
            "requireSession": false
          }
        }
      }
    },
    "middleware": {
      "global": {
        "pluginConfig": {
          "driver": "goplugin"
        }
      }
    }
  }
}
```

Multi-Auth Configuration

Since you mentioned migrating to OAS to utilize multi-auth (e.g., allowing either an API Key OR the Custom Auth plugin), you can use Tyk’s compliant security processing mode. In this mode, you define the security array and reference “custom” as the scheme name, so something like this:

```json
{
  "x-tyk-api-gateway": {
    "server": {
      "authentication": {
        "enabled": true,
        "securityProcessingMode": "compliant",
        "security": [
          ["api_key"],
          ["custom"]
        ],
        "custom": {
          "enabled": true,
          "config": {
            "enabled": true,
            "functionName": "MyAuthFunction",
            "path": "/opt/tyk-gateway/middleware/my_plugin.so"
          }
        }
      }
    },
    "middleware": {
      "global": {
        "pluginConfig": {
          "driver": "goplugin"
        }
      }
    }
  }
}
```

This configuration will allow the request to pass if either the API key is valid OR the custom Golang auth plugin successfully authenticates the request.

Hope that helps?
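
A pre-deploy check for the settings the answer above lists, added here as an example (it is not code from the original posts or from Tyk). `LintCustomGoAuth`, `get` and the sample definition are hypothetical and constructed, and only the fields shown in the two JSON examples above are checked.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// get walks nested JSON objects along a dotted path; nil if a key is missing.
func get(v any, path string) any {
	for _, k := range strings.Split(path, ".") {
		m, _ := v.(map[string]any)
		v = m[k] // reading from a nil map yields nil
	}
	return v
}

// LintCustomGoAuth (hypothetical helper) lists the settings from the answer above that a definition lacks.
func LintCustomGoAuth(def []byte) ([]string, error) {
	var doc map[string]any
	if err := json.Unmarshal(def, &doc); err != nil {
		return nil, err
	}
	var out []string
	auth := get(doc, "x-tyk-api-gateway.server.authentication")
	for _, p := range []string{"enabled", "custom.enabled", "custom.config.enabled",
		"custom.config.functionName", "custom.config.path"} {
		if v := get(auth, p); v == nil || v == false || v == "" {
			out = append(out, "authentication."+p+" is missing, false or empty")
		}
	}
	// Selected by baseIdentityProvider, or by a "custom" security entry in compliant mode.
	selected := get(auth, "baseIdentityProvider") == "custom_auth"
	if get(auth, "securityProcessingMode") == "compliant" {
		raw, _ := json.Marshal(get(auth, "security"))
		selected = selected || strings.Contains(string(raw), `"custom"`)
	}
	if !selected {
		out = append(out, "custom auth is not selected for this API")
	}
	if get(doc, "x-tyk-api-gateway.middleware.global.pluginConfig.driver") != "goplugin" {
		out = append(out, `middleware.global.pluginConfig.driver is not "goplugin"`)
	}
	return out, nil
}

// Constructed sample: the multi-auth shape above with pluginConfig left out.
const sample = `{"x-tyk-api-gateway":{"server":{"authentication":{"enabled":true,"securityProcessingMode":"compliant","security":[["api_key"],["custom"]],"custom":{"enabled":true,"config":{"enabled":true,"functionName":"MyAuthFunction","path":"/opt/tyk-gateway/middleware/my_plugin.so"}}}}}}`
func main() { fmt.Println(LintCustomGoAuth([]byte(sample))) }
```

An empty result means every setting named in the answer is present; it does not confirm that the `.so` file exists on the gateway or exports the named function.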