
Go reference client

pkg/client exists in TrustPlane Auth as the reference client shape. It shows how a caller-side helper should assemble request material, build the transcript-v1 bytes, sign the proof, and return headers for a TrustPlane Auth adapter or compatible verifier.

It is the conceptual template for TypeScript and Python SDK work. Those SDKs should match the same contract before package publication.

What it builds

The Go reference client builds transcript-v1 through the same canonicalization contract used by the conformance vectors. The important interoperability rule is the same as the SDK contract: the client signs the transcript that the verifier independently rebuilds from the request, passport, nonce, body hash, and route context.

The client returns adapter-ready headers:

  • Authorization
  • X-TrustPlane-Transcript-SHA256
  • X-TrustPlane-Proof
  • X-TrustPlane-Nonce
  • X-TrustPlane-Body-SHA256

These headers are request material for the adapter. They do not replace verifier policy, replay checks, bundle freshness checks, or upstream application authorization.

Software signing boundary

The raw local signing path requires a passport confirmation claim with:

{
  "cnf": {
    "key_binding": "software",
    "public_key_b64url": "..."
  }
}

The passport cnf.public_key_b64url value must match the local signing key. The client rejects missing confirmation material, mismatched public key material, and stronger signer classes when using raw local signing.

Stronger signer classes such as hardware_local, remote_kms, and attested_workload require their own broker, KMS, hardware, or attested signing paths. They are not satisfied by a raw local software key held by the SDK.
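The following sketch shows the three rejections described above as a pre-signing gate. It is an added example, not code from pkg/client: the type and function names are hypothetical, and it assumes an Ed25519 key and unpadded base64url encoding, neither of which this page specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// passportClaims is a hypothetical view of the passport; only cnf is read.
type passportClaims struct {
	Cnf *struct {
		KeyBinding string `json:"key_binding"`
		PublicKey  string `json:"public_key_b64url"`
	} `json:"cnf"`
}

var (
	ErrMissingCnf  = errors.New("passport has no cnf confirmation material")
	ErrSignerClass = errors.New("cnf.key_binding is not software: raw local signing refused")
	ErrKeyMismatch = errors.New("cnf.public_key_b64url does not match the local signing key")
)

// CheckSoftwareBinding reports whether a raw local key may sign for this passport.
func CheckSoftwareBinding(claimsJSON []byte, local ed25519.PublicKey) error {
	var p passportClaims
	if err := json.Unmarshal(claimsJSON, &p); err != nil {
		return fmt.Errorf("parse passport claims: %w", err)
	}
	if p.Cnf == nil || p.Cnf.KeyBinding == "" || p.Cnf.PublicKey == "" {
		return ErrMissingCnf
	}
	// Fail closed: hardware_local, remote_kms, attested_workload and any
	// unrecognized class need their own signing path.
	if p.Cnf.KeyBinding != "software" {
		return ErrSignerClass
	}
	// Encoding assumed to be unpadded base64url (not stated on this page).
	pub, err := base64.RawURLEncoding.DecodeString(p.Cnf.PublicKey)
	if err != nil || !bytes.Equal(pub, local) {
		return ErrKeyMismatch
	}
	return nil
}

func main() {
	pub, _, _ := ed25519.GenerateKey(nil) // constructed throwaway key
	enc := base64.RawURLEncoding.EncodeToString(pub)
	claims := `{"cnf":{"key_binding":"software","public_key_b64url":"` + enc + `"}}`
	fmt.Println(CheckSoftwareBinding([]byte(claims), pub))
}
```

Running the gate before the transcript is signed keeps a software key from ever producing a proof for a passport that declares a stronger signer class.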

Access and install posture

Public package and source access for the Go reference client is release-dependent. Do not assume that a public go get path is available for every preview phase.

For current hands-on evaluation, start with the documented CLI artifacts, examples, conformance vectors, and adapter flows. The reference client page describes the SDK shape so future TypeScript and Python SDKs can follow the same signing and transcript contract without duplicating verifier behavior.