Guardian - Auth0 Go SDK

Guardian is Auth0’s multifactor authentication (MFA) service. Use these methods to configure and manage MFA factors, enrollments, and policies.

Overview

The Guardian client provides access to MFA management through three main sub-resources:

type Client struct {
    Enrollments *enrollments.Client
    Factors     *factors.Client
    Policies    *policies.Client
}

Enrollments

Manage user MFA enrollments. Access via managementClient.Guardian.Enrollments.

Get Enrollment

Retrieve details of a specific enrollment.

enrollment, err := managementClient.Guardian.Enrollments.Get(context.Background(), "dev_abc123")
if err != nil {
    // Handle error
}
fmt.Printf("Enrollment status: %s\n", enrollment.GetStatus())

Delete Enrollment

Remove a user’s MFA enrollment.

err := managementClient.Guardian.Enrollments.Delete(context.Background(), "dev_abc123")
if err != nil {
    // Handle error
}

Factors

Manage available MFA factors (SMS, push notifications, OTP, etc.). Access via managementClient.Guardian.Factors.

List Factors

Get all available MFA factors.

factors, err := managementClient.Guardian.Factors.List(context.Background())
if err != nil {
    // Handle error
}

for _, factor := range factors {
    fmt.Printf("Factor: %s (enabled: %v)\n", factor.GetName(), factor.GetEnabled())
}

Update Factor

Enable or disable an MFA factor.

factor, err := managementClient.Guardian.Factors.Update(context.Background(), "sms", &management.UpdateFactorRequest{
    Enabled: auth0.Bool(true),
})
if err != nil {
    // Handle error
}

Factor Types

Common MFA factors include:

SMS: Text message verification
Push Notification: Push-based authentication (Guardian app)
OTP: One-time password (TOTP)
Email: Email-based verification
WebAuthn: Hardware keys and biometrics
Duo: Duo Security integration

Policies

Manage MFA policies that determine when MFA is required. Access via managementClient.Guardian.Policies.

Get Policies

Retrieve current MFA policies.

policies, err := managementClient.Guardian.Policies.Get(context.Background())
if err != nil {
    // Handle error
}
fmt.Printf("MFA policy: %s\n", policies.GetPolicy())

Update Policies

Set MFA policy requirements.

policy, err := managementClient.Guardian.Policies.Update(context.Background(), &management.UpdatePolicyRequest{
    Policy: auth0.String("all-applications"), // or "confidence-score"
})
if err != nil {
    // Handle error
}

Policy Options

never: MFA is never required
confidence-score: Adaptive MFA based on risk
all-applications: MFA required for all applications

Complete Example

Here’s a complete example of configuring Guardian MFA:

package main

import (
    "context"
    "fmt"
    "log"
    
    "github.com/auth0/go-auth0/v2"
    "github.com/auth0/go-auth0/v2/management"
)

func main() {
    managementClient, err := management.New(
        "yourtenant.auth0.com",
        management.WithClientCredentials(clientID, clientSecret),
    )
    if err != nil {
        log.Fatal(err)
    }
    
    ctx := context.Background()
    
    // Enable SMS factor
    _, err = managementClient.Guardian.Factors.Update(ctx, "sms", &management.UpdateFactorRequest{
        Enabled: auth0.Bool(true),
    })
    if err != nil {
        log.Fatal(err)
    }
    
    // Enable OTP factor
    _, err = managementClient.Guardian.Factors.Update(ctx, "otp", &management.UpdateFactorRequest{
        Enabled: auth0.Bool(true),
    })
    if err != nil {
        log.Fatal(err)
    }
    
    // Set policy to require MFA for all applications
    _, err = managementClient.Guardian.Policies.Update(ctx, &management.UpdatePolicyRequest{
        Policy: auth0.String("all-applications"),
    })
    if err != nil {
        log.Fatal(err)
    }
    
    fmt.Println("Guardian MFA configured successfully")
}

SMS Configuration

For SMS factors, you can configure the provider:

// Configure Twilio as SMS provider
smsConfig, err := managementClient.Guardian.Factors.SMS.Update(ctx, &management.SMSConfiguration{
    Provider: auth0.String("twilio"),
    From:     auth0.String("+1234567890"),
    MessagingServiceSID: auth0.String("MGxxxxx"),
    AuthToken: auth0.String("your-auth-token"),
    SID:      auth0.String("ACxxxxx"),
})

Push Notifications

Configure push notifications (Guardian app):

pushConfig, err := managementClient.Guardian.Factors.Push.Update(ctx, &management.PushConfiguration{
    Provider: auth0.String("guardian"),
})

​Overview

​Enrollments

​Get Enrollment

​Delete Enrollment

​Factors

​List Factors

​Update Factor

​Factor Types

​Policies

​Get Policies

​Update Policies

​Policy Options

​Complete Example

​SMS Configuration

​Push Notifications