OPEN SWAG GO
Guides

Protect Your Documentation

Never expose internal API documentation publicly in production. Use DocsAuth to require authentication before serving the Scalar UI and the OpenAPI spec.

main.go
docs := openswag.New(openswag.Config{
    Title:   "Internal API",
    Version: "1.0.0",
    DocsAuth: &openswag.DocsAuth{
        Type:     "basic",
        Username: os.Getenv("DOCS_USER"),
        Password: os.Getenv("DOCS_PASS"),
    },
})

Use Environment Variables for Credentials

Never hardcode usernames, passwords, or API keys in your source code. Always read them from environment variables or a secrets manager.

// Good
auth := &openswag.DocsAuth{
    Username: os.Getenv("DOCS_USER"),
    Password: os.Getenv("DOCS_PASS"),
}
 
// Bad — never do this
auth := &openswag.DocsAuth{
    Username: "admin",
    Password: "secret123",
}

Credential Persistence

When using the auth playground, control how credentials are stored on the client side. Disable persistence in shared or public environments.

playground := auth.NewPlaygroundConfig(
    auth.WithPersistence(false), // Don't store tokens in localStorage
)

For internal tools where convenience matters, you can enable persistence with a short TTL:

playground := auth.NewPlaygroundConfig(
    auth.WithPersistence(true),
    auth.WithPersistenceTTL(15 * time.Minute),
)

CORS Proxy Configuration

If your API and documentation are on different origins, the try-it console needs a CORS proxy to make requests. Configure this explicitly rather than using a wildcard Access-Control-Allow-Origin.

docs := openswag.New(openswag.Config{
    Title:   "My API",
    Version: "1.0.0",
    UIConfig: openswag.UIConfig{
        CORSProxyURL: "https://cors-proxy.internal.example.com",
    },
})

CORS Checklist

  • Set specific allowed origins instead of *
  • Restrict allowed methods to what your API actually uses
  • Set Access-Control-Max-Age to reduce preflight requests
  • Never expose sensitive headers in Access-Control-Expose-Headers

API Key Protection

For machine-to-machine access to your docs, use API key authentication:

docs := openswag.New(openswag.Config{
    Title:   "Partner API",
    Version: "1.0.0",
    DocsAuth: &openswag.DocsAuth{
        Type:      "apikey",
        HeaderName: "X-Docs-Key",
        APIKey:     os.Getenv("DOCS_API_KEY"),
    },
})

Summary

PracticeRecommendation
Docs authenticationAlways enable in production
CredentialsUse environment variables
Credential persistenceDisable for public environments
CORSUse specific origins, not wildcards
API keysRotate regularly, store in secrets manager

Multi-Tenant SaaS Example

Previous Page

Production Performance Tips

Next Page

On this page

Protect Your DocumentationUse Environment Variables for CredentialsCredential PersistenceCORS Proxy ConfigurationCORS ChecklistAPI Key ProtectionSummary