## Entitlements quickstart Use the **`entitlements`** package from the Frontegg Go SDK to evaluate feature and permission entitlements locally. The client maintains an in-memory snapshot that refreshes in the background — there is no network round-trip per check. br Check out the repo on GitHub br Prerequisites Go ≥ 1.24 and a Frontegg workspace with a **Client ID** and **API Key** (Frontegg Portal → **Settings → API Tokens**). For conceptual background on features, plans, and flags, see [Getting started with Entitlements](/ciam/guides/authorization/entitlements/intro). ### Install the SDK The entitlements client is included in the main Go SDK package: ``` go get github.com/frontegg/go-sdk ``` ### Initialize the client Create a Frontegg client and obtain the entitlements sub-client. If you already initialized the SDK at application startup, reuse that client: ```go import "github.com/frontegg/go-sdk" client := frontegg.New(frontegg.Credentials{ ClientID: "", APIKey: "", }) ent := client.Entitlements() ``` ### Start the background refresher Call `Start` to begin loading and refreshing the entitlements snapshot. Use `Ready` to block until the first snapshot is available before serving checks: ```go import "github.com/frontegg/go-sdk/entitlements" if err := ent.Start(ctx); err != nil { log.Fatal(err) } defer ent.Close() if err := ent.Ready(ctx); err != nil { log.Fatal(err) } ``` Call `ent.Close()` to stop the background refresher when you are done. ### Scope to a user or tenant Before running checks, scope the client to the subject you are evaluating: ```go // From a raw Frontegg token (the SDK validates it and derives attributes): scoped, err := ent.ForFronteggToken(ctx, token) // Or from an entity you already validated: // scoped := ent.ForUser(entity) ``` ### Query entitlements #### Feature entitlement ```go res := scoped.IsEntitledToFeature(ctx, "advanced-analytics", nil) if !res.Result { log.Printf("User is not entitled to feature: %s", res.Justification) } ``` #### Permission entitlement ```go res := scoped.IsEntitledToPermission(ctx, "fe.secure.read", nil) if !res.Result { log.Printf("User is not entitled to permission: %s", res.Justification) } ``` #### Unified API Provide exactly one of a feature key or permission key: ```go res, err := scoped.IsEntitledTo(ctx, "advanced-analytics", "", nil) if err != nil { log.Fatal(err) } ``` ### Result shape Each check returns an `IsEntitledResult`: ```go type IsEntitledResult struct { Result bool Justification Justification // when Result is false } ``` When `Result` is `false`, `Justification` explains why (`missing-feature`, `missing-permission`, or `bundle-expired`). Permissions in JWTs Some JWTs do not include permissions in their payload. Permissions are required for entitlement checks. When validating tokens before scoping, set `WithRolesAndPermissions: true` on `ValidateTokenOptions`. See [Validating JWT](/ciam/sdks/backend/go/go-integrate#validating-jwt) in the Go integrate guide. ### Related documentation - [Go SDK integrate guide](/ciam/sdks/backend/go/go-integrate) — authentication, middleware, and other clients - [Getting started with Entitlements](/ciam/guides/authorization/entitlements/intro) — features, plans, and feature flags - [Source & issues](https://github.com/frontegg/go-sdk) — Go SDK on GitHub