Skip to content
Last updated

Entitlements quickstart

Use the entitlements package from the Frontegg Go SDK to evaluate feature and permission entitlements locally. The client maintains an in-memory snapshot that refreshes in the background — there is no network round-trip per check.



Prerequisites

Go ≥ 1.24 and a Frontegg workspace with a Client ID and API Key (Frontegg Portal → Settings → API Tokens). For conceptual background on features, plans, and flags, see Getting started with Entitlements.

Install the SDK

The entitlements client is included in the main Go SDK package:

go get github.com/frontegg/go-sdk

Initialize the client

Create a Frontegg client and obtain the entitlements sub-client. If you already initialized the SDK at application startup, reuse that client:

import "github.com/frontegg/go-sdk"

client := frontegg.New(frontegg.Credentials{
	ClientID: "<YOUR_CLIENT_ID>",
	APIKey:   "<YOUR_API_KEY>",
})

ent := client.Entitlements()

Start the background refresher

Call Start to begin loading and refreshing the entitlements snapshot. Use Ready to block until the first snapshot is available before serving checks:

import "github.com/frontegg/go-sdk/entitlements"

if err := ent.Start(ctx); err != nil {
	log.Fatal(err)
}
defer ent.Close()

if err := ent.Ready(ctx); err != nil {
	log.Fatal(err)
}

Call ent.Close() to stop the background refresher when you are done.

Scope to a user or tenant

Before running checks, scope the client to the subject you are evaluating:

// From a raw Frontegg token (the SDK validates it and derives attributes):
scoped, err := ent.ForFronteggToken(ctx, token)

// Or from an entity you already validated:
//   scoped := ent.ForUser(entity)

Query entitlements

Feature entitlement

res := scoped.IsEntitledToFeature(ctx, "advanced-analytics", nil)

if !res.Result {
	log.Printf("User is not entitled to feature: %s", res.Justification)
}

Permission entitlement

res := scoped.IsEntitledToPermission(ctx, "fe.secure.read", nil)

if !res.Result {
	log.Printf("User is not entitled to permission: %s", res.Justification)
}

Unified API

Provide exactly one of a feature key or permission key:

res, err := scoped.IsEntitledTo(ctx, "advanced-analytics", "", nil)
if err != nil {
	log.Fatal(err)
}

Result shape

Each check returns an IsEntitledResult:

type IsEntitledResult struct {
	Result        bool
	Justification Justification // when Result is false
}

When Result is false, Justification explains why (missing-feature, missing-permission, or bundle-expired).

Permissions in JWTs

Some JWTs do not include permissions in their payload. Permissions are required for entitlement checks. When validating tokens before scoping, set WithRolesAndPermissions: true on ValidateTokenOptions. See Validating JWT in the Go integrate guide.