A fully-featured, production-ready gRPC boilerplate in Go — complete with JWT authentication, TLS, validation, error handling, Envoy REST gateway, and more.
This repository demonstrates a production-grade gRPC service built in Go, showcasing best practices in secure communication, modular code structure, and robust error handling. It includes tools and configurations for real-world deployment, local development, and REST-to-gRPC bridging via Envoy.
Whether you're starting a new microservice or modernizing an existing monolith, this boilerplate is a clean foundation for scalable, performant, and secure Go-based services.
- JWT-based auth using
RS256with PEM key pair (private.pem/public.pem) - Tokens include standard and custom claims (
sub,iat,role, etc.) - Server-side verification via
UnaryServerInterceptor
- Sends and parses custom metadata headers (e.g. Authorization token)
- Uses
context.Contextwith outgoing/incoming metadata
- Structured error response using custom
Errorprotobuf - Wrapped with
google.golang.org/grpc/statusandcodes - Uniform client-side error decoding with details
- Custom validation logic in handler layer
- Example: Rejects empty names with gRPC errors
- Self-signed certs (
cert.pem,key.pem) for local testing - Supports replacement with production-grade certs without code change
- gRPC client configured with
credentials.NewClientTLSFromFile
- REST-to-gRPC translation using Envoy
- Accepts standard HTTP/JSON requests and forwards to gRPC backend
- No BSR (Buf Schema Registry) required
- All client-server requests use
context.Context - Deadline propagation supported with timeouts
- Unary interceptors for:
- Logging
- Authentication
- Error translation
- Shared
proto/folder between client and server - Uses
buffor linting, breaking checks, and codegen
Makefileincludes:make proto: Compile all protosmake run-server: Start the gRPC servermake run-client: Run the test client
- Client includes:
- Auth token generation via
jwt-go - TLS transport
- Metadata headers
- Calls for
Create,Read,Write, andDelete
- Auth token generation via
- Centralized configuration via
config.yml - Share JWT keys, TLS cert paths, and server address between components
- Go ≥ 1.23
buf(https://buf.build/)makedocker(for Envoy REST proxy)
make protomake run-servermake run-clientThis project includes a Docker-based Envoy proxy to bridge HTTP/JSON REST requests to your gRPC backend
Steps to Run Envoy:
- Make sure the gRPC server is running on port 50051.
- Build the Envoy Docker image from the provided Dockerfile:
docker build -t go-grpc-envoy -f envoy/Dockerfile .- Run the container:
docker run --rm -p 8080:8080 --network host go-grpc-envoy
- --network host allows Envoy to communicate with the gRPC server on localhost:50051
- If you're on macOS or Windows, replace --network host with appropriate Docker networking, or use host.docker.internal in the envoy.yaml.
- Test using curl:
curl -X POST http://localhost:8080/v1/users \
-H "Authorization: Bearer <your_jwt>" \
-H "Content-Type: application/json" \
-d '{"name": "test", "email": "[email protected]", "number": "1234567890"}'| Environment | Setup |
|---|---|
| Local Dev | Uses self-signed cert.pem and key.pem |
| Production | Replace certs in certs/ folder, no code changes required |
| Client | Uses server’s cert.pem as CA cert |
| File | Purpose |
|---|---|
private.pem |
Signing key (client) |
public.pem |
Verification key (server) |
- Tokens issued by client via RSA
- Claims are validated server-side via custom interceptor