Building GateKeeper: Designing a Role-Based Access Control Library in Pure Go
As developers, we use authorization libraries almost every day. Whether it's a web application, an API, or an internal tool, we often rely on packages that decide who can do what. But I realized I had never actually built one. So instead of using an existing library, I decided to build my own Role-Based Access Control (RBAC) library in Go using only the standard library. This project eventually became GateKeeper v1.0.0. Why I Built One As a beginner in backend development, I wanted to get exposure on how to make public APIs and how to make them work under the hood. It also made me fight my old syntax habits. Go has strict error handling, which I also learned. I built it because I wanted to understand the engineering decisions behind public libraries. Instead of watching another tutorial, I built it myself. Project Goals Before writing any code, I brainstorm the architecture in my mind. No external library used, only the standard Go library. Keeping the public APIs simple and easy to read for developers to use. Write tests for each and every function, no matter how small. These constraints forced me to think more carefully about the design instead of depending on external packages. The Core Model Engine ├── Users ├── Roles └── Permissions Relationships are straightforward: Users | V Roles | V Permissions A user can have multiple roles, and roles can have multiple permissions. Permissions describe access to a resource and an action. Designing The API One thing I learned the hard way is that API design matters more than the implementation itself. I wanted to keep the library easy to read even without documentation. The public API ended up looking something like this: CreateUser() CreateRole() CreatePermission() AssignRole() AssignPermission() Can() DeleteUser() DeleteRole() DeletePermission() RenameUser() RenameRole() I had to redesign the API many times before eventually coming up with the final one. The time spent fighting the design was worth it. It taught me API de