Octelium Logo
Documentation
Workload Client-less Access to SaaS APIs with Go SDK

You can easily protect all your public SaaS APIs as Octelium Services and provide your client-less WORKLOAD Users such as your Golang-based microservices and applications with secret-less access to all of your APIs without having to expose, manage and share the API keys, access tokens or OAuth2 client credentials required to access such APIs. In this short guide, we're going to use the Golang SDK (read more here) to access a generic HTTP SaaS API that requires a bearer access token.

We first create a Secret with the name apikey1 that stores the bearer access token required to access the protected SaaS API as follows:

octeliumctl create secret apikey1

You can read more about Secret management here. Note that Octelium supports more HTTP authentication types other than bearer authentication. You can read more here.

Now we actually create the Service representing our SaaS API as follows:

1
kind: Service

2
metadata:

3
  name: my-api

4
spec:

5
  mode: HTTP

6
  isPublic: true

7
  config:

8
    upstream:

9
      url: https://api.example.com

10
    http:

11
      auth:

12
        bearer:

13
          fromSecret: apikey1

You can now apply the Service as follows (read more here):

octeliumctl apply /PATH/TO/SERVICE.YAML

Now, we can use the octelium-go library in our Golang-based application to access the Service my-api as follows:

1
package main

2


3
import (

4
	"context"

5
	"fmt"

6
	"io"

7
	"os"

8


9
	"github.com/octelium/octelium/octelium-go"

10
)

11


12
func main() {

13
	if err := doMain(context.Background()); err != nil {

14
		panic(err)

15
	}

16
}

17


18
func doMain(ctx context.Context) error {

19
	octeliumC, err := octelium.NewClient(ctx, &octelium.ClientConfig{

20
		Domain:              "example.com",

21
		AuthenticationToken: os.Getenv("AUTH_TOKEN"),

22
	})

23
	if err != nil {

24
		return err

25
	}

26


27
	defer octeliumC.Close()

28


29
	httpC := octeliumC.HTTP().Client()

30


31
	resp, err := httpC.Get("https://my-api.example.com/v1/resources")

32
	if err != nil {

33
		return err

34
	}

35


36
	defer resp.Body.Close()

37
	body, err := io.ReadAll(resp.Body)

38
	fmt.Printf("Body : %s", body)

39


40
	return nil

41
}

It's important to note that the Go-SDK is not the only way to access publicly exposed BeyondCorp Services. You can also use the OAuth2 client credentials flow to access any such Service (read more here). This enables your applications and microservices written in any language to access the Cluster's Services via standard OAuth2 libraries that are supported in most major programming languages without having to use any clients or use specific SDKs.

© 2025 octelium.comOctelium Labs, LLCAll rights reserved
Octelium and Octelium logo are trademarks of Octelium Labs, LLC.
WireGuard is a registered trademark of Jason A. Donenfeld
AboutContactEnterprise
Privacy PolicyTerms