Use the entitlements package from the Frontegg Go SDK to evaluate feature and permission entitlements locally. The client maintains an in-memory snapshot that refreshes in the background — there is no network round-trip per check.
Prerequisites
Prerequisites
Go ≥ 1.24 and a Frontegg workspace with a Client ID and API Key (Frontegg Portal → Settings → API Tokens). For conceptual background on features, plans, and flags, see Getting started with Entitlements.
The entitlements client is included in the main Go SDK package:
go get github.com/frontegg/go-sdkCreate a Frontegg client and obtain the entitlements sub-client. If you already initialized the SDK at application startup, reuse that client:
import "github.com/frontegg/go-sdk"
client := frontegg.New(frontegg.Credentials{
ClientID: "<YOUR_CLIENT_ID>",
APIKey: "<YOUR_API_KEY>",
})
ent := client.Entitlements()Call Start to begin loading and refreshing the entitlements snapshot. Use Ready to block until the first snapshot is available before serving checks:
import "github.com/frontegg/go-sdk/entitlements"
if err := ent.Start(ctx); err != nil {
log.Fatal(err)
}
defer ent.Close()
if err := ent.Ready(ctx); err != nil {
log.Fatal(err)
}Call ent.Close() to stop the background refresher when you are done.
Before running checks, scope the client to the subject you are evaluating:
// From a raw Frontegg token (the SDK validates it and derives attributes):
scoped, err := ent.ForFronteggToken(ctx, token)
// Or from an entity you already validated:
// scoped := ent.ForUser(entity)res := scoped.IsEntitledToFeature(ctx, "advanced-analytics", nil)
if !res.Result {
log.Printf("User is not entitled to feature: %s", res.Justification)
}res := scoped.IsEntitledToPermission(ctx, "fe.secure.read", nil)
if !res.Result {
log.Printf("User is not entitled to permission: %s", res.Justification)
}Provide exactly one of a feature key or permission key:
res, err := scoped.IsEntitledTo(ctx, "advanced-analytics", "", nil)
if err != nil {
log.Fatal(err)
}Each check returns an IsEntitledResult:
type IsEntitledResult struct {
Result bool
Justification Justification // when Result is false
}When Result is false, Justification explains why (missing-feature, missing-permission, or bundle-expired).
Permissions in JWTs
Permissions in JWTs
Some JWTs do not include permissions in their payload. Permissions are required for entitlement checks. When validating tokens before scoping, set WithRolesAndPermissions: true on ValidateTokenOptions. See Validating JWT in the Go integrate guide.
- Go SDK integrate guide — authentication, middleware, and other clients
- Getting started with Entitlements — features, plans, and feature flags
- Source & issues — Go SDK on GitHub