✨ v2.0 — AI-Optimized, RBAC, Production-Ready

Production-Ready Go API in 90 Seconds

Docker-ready, AI-optimized, fully tested. The Go boilerplate that doesn't waste your time.

Get Started View on GitHub

terminal

$ git clone https://github.com/vahiiiid/go-rest-api-boilerplate.git

$ cd go-rest-api-boilerplate

$ make quick-start

🔧 Installing development tools...

🐳 Building Docker containers...

🗄️ Running database migrations...

🚀 Starting API server with hot-reload...

✅ API running at http://localhost:8080/api/v1

📚 Swagger UI at http://localhost:8080/swagger/index.html

🏥 Health check at http://localhost:8080/health

🔐 JWT Auth 🐳 Docker 📚 Swagger 🔥 Hot Reload 🤖 AI-Ready 🧪 Tested

⚡ 90s Setup Time

🔥 ~2s Hot Reload

📦 ~15MB Docker Image

📚 23+ Doc Pages

🔐 7 Auth Endpoints

✅ 85%+ Test Coverage

Everything You Need to Ship Fast

From authentication to deployment — GRAB gives you a complete, production-grade foundation so you can focus on building features.

🔐

JWT Auth & Security

OAuth 2.0 BCP compliant with refresh token rotation, reuse detection, and bcrypt hashing.

🔑

Role-Based Access

Many-to-many RBAC with JWT integration, admin CLI, and middleware protection.

🏗️

Clean Architecture

Handler → Service → Repository. Official Go layout with dependency injection.

🐳

Docker-First

2-second hot-reload, multi-stage builds, ~15MB production images.

🗄️

Database & Migrations

PostgreSQL + GORM with golang-migrate. Version-controlled schema changes.

🤖

AI-Optimized

Built-in rules for GitHub Copilot, Cursor, Windsurf, and AGENTS.md.

🧪

Tested & CI/CD

Unit + integration tests, in-memory SQLite, GitHub Actions pipeline.

📦

Standardized APIs

Consistent JSend-inspired envelope format with pagination and metadata.

🏥

Health Checks

Kubernetes-ready liveness/readiness probes with RFC-compliant responses.

See It In Action

From clone to running API in three commands.

terminal

$ git clone https://github.com/vahiiiid/go-rest-api-boilerplate.git

Cloning into 'go-rest-api-boilerplate'...

remote: Enumerating objects: 850, done.

remote: Total 850 (delta 0), reused 0 (delta 0)

Receiving objects: 100% (850/850), done.

$ cd go-rest-api-boilerplate

$ ls

Dockerfile Makefile README.md cmd/ configs/ docker-compose.yml

go.mod go.sum internal/ migrations/ scripts/ tests/

Clean Architecture That Scales

Following official Go project layout and battle-tested community patterns.

🌐

HTTP Request

→

🛡️

Middleware

Auth · Rate Limit · CORS

→

📡

Handler

HTTP Layer

→

⚙️

Service

Business Logic

→

🗄️

Repository

Data Access

→

🐘

PostgreSQL

✓

Separation of Concerns

Each layer has a single responsibility. Changes in one layer don't affect others.

✓

Easy to Test & Mock

Built-in dependency injection makes testing straightforward with interfaces.

✓

Scales With Your Team

Domain-driven structure lets teams work independently on different features.

Built for Production, Not Just Demos

Every feature is production-tested and follows industry best practices.

✓ OAuth 2.0 BCP compliant JWT with HS256 signing
✓ Automatic refresh token rotation with family tracking
✓ Token reuse detection with family revocation
✓ SHA-256 token hashing before storage

POST /api/v1/auth/login
{
  "email": "user@example.com",
  "password": "SecurePass123!"
}

→ 200 OK
{
  "success": true,
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIs...",
    "refresh_token": "dGhpcyBpcyBhIHJlZnJl...",
    "token_type": "Bearer",
    "expires_in": 900
  }
}

✓ Consistent envelope: { success, data, error, meta }
✓ JSend-inspired design for frontend predictability
✓ Built-in pagination metadata
✓ Request ID tracking in every response

GET /api/v1/users?page=1&limit=20

→ 200 OK
{
  "success": true,
  "data": [
    { "id": 1, "email": "admin@grab.dev", "name": "Admin" },
    { "id": 2, "email": "user@grab.dev", "name": "User" }
  ],
  "meta": {
    "page": 1,
    "limit": 20,
    "total": 2,
    "pages": 1
  }
}

✓ Machine-readable error codes (NOT_FOUND, VALIDATION_ERROR...)
✓ Detailed field-level validation errors
✓ Consistent structure across all endpoints
✓ Rate limit errors include retry_after

POST /api/v1/auth/register
{ "email": "bad-email", "password": "123" }

→ 400 Bad Request
{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Request validation failed",
    "details": [
      { "field": "email", "message": "invalid email format" },
      { "field": "password", "message": "minimum 8 characters" }
    ],
    "request_id": "req_abc123"
  }
}

✓ Token bucket algorithm with burst support
✓ Per-IP rate limiting with LRU cache
✓ Configurable via YAML or environment variables
✓ Standard HTTP headers (X-RateLimit-*)

# config.yaml
rate_limit_enabled: true
rate_limit_requests: 50
rate_limit_window: "1m"

# Response Headers
X-RateLimit-Limit: 50
X-RateLimit-Remaining: 47
X-RateLimit-Reset: 1699920060

# When exceeded → 429 Too Many Requests
{
  "error": {
    "code": "TOO_MANY_REQUESTS",
    "message": "Rate limit exceeded",
    "retry_after": 23
  }
}

✓ Zero-downtime deployments out of the box
✓ Configurable shutdown timeout (default 30s)
✓ In-flight request completion
✓ Kubernetes-compatible signal handling

# Handles SIGTERM / SIGINT gracefully

INFO  Shutdown signal received
INFO  Stopping HTTP server...
INFO  Waiting for in-flight requests (timeout: 30s)
INFO  Draining connections: 3 active
INFO  Draining connections: 1 active
INFO  Closing database connections...
INFO  Server stopped gracefully ✓

# Zero dropped requests during deploy

✓ Structured JSON logging for production
✓ Request ID propagation across all layers
✓ Configurable log levels per environment
✓ Request/response logging middleware

{
  "level": "info",
  "timestamp": "2024-11-13T20:00:00Z",
  "request_id": "req_7f3a2b1c",
  "method": "POST",
  "path": "/api/v1/auth/login",
  "status": 200,
  "latency": "12.5ms",
  "client_ip": "192.168.1.1",
  "user_agent": "PostmanRuntime/7.32"
}

Built With Amazing Tools

Production-grade technologies you already know and trust.

GO

Go

Language

🍸

Gin

Web Framework

🗃️

GORM

ORM

🐘

PostgreSQL

Database

Docker Containers

GitHub Actions CI/CD

Swagger API Docs

Air Hot-Reload

Viper Config

golang-migrate Migrations

Perfect For

🚀

Shipping Fast

Launch MVPs and production APIs in days, not weeks.

👥

Team Projects

Consistent standards and patterns everyone understands.

🏗️

Scaling Up

Architecture that grows with your business.

📖

Learning Go

See how professionals structure real-world applications.

Ready to Build?

Get your production-ready Go API running in under 2 minutes. Free and open source.

Open Source MIT License Production-Ready

Get Started Read the Docs

If GRAB saves you time, give us a ★ on GitHub — it helps others discover the project.