Kotlin · Ktor

Authentication for Ktor

A session resolver, a requireAuth gate, and a logout handler for Kotlin/Ktor backends. Validate Authdog sessions on every call — on the same wire as the Node SDKs.

Start building Read the docs

Resolve the session

Application.kt

// Application.kt
val authdog = Authdog(System.getenv("PK_AUTHDOG"))
 
routing {
  get("/me") {
    val ctx = authdog.requireAuth(call) ?: return@get
  }
}

Idiomatic Ktor, not a framework

Everything Ktor apps need

A session resolver, a requireAuth gate, and a typed context — wire-compatible with the rest of your Authdog stack.

Resolve the session on any call

authdog.resolve(call) returns a typed AuthdogContext — token, user, and isAuthenticated — caching the result on the call so a route reads it without boilerplate.

requireAuth gate

authdog.requireAuth(call) responds 401 and returns null for unauthenticated requests, so `?: return@get` halts the handler before it runs. This is the security boundary.

Validated at startup

The Authdog constructor parses and validates the public key once — enforcing the trusted identity-host allowlist — so a malformed or untrusted key fails fast instead of at the first request.

Reads the cookie itself

It reads the authdog-session cookie or an Authorization: Bearer header directly, with an injectable Ktor HttpClient for the userinfo lookup — easy to mock in tests.

Safe logout handler

authdog.logout(call) expires the session cookie with HttpOnly and SameSite=Lax and redirects to a redirect_uri sanitized against open redirects.

Same wire as Node

It mirrors @authdog/express and @authdog/fastify on the wire, so one Authdog environment serves your Node and Kotlin services interchangeably.

Gate routes on the call

Protect a route with requireAuth

Call authdog.requireAuth(call) and Authdog rejects unauthenticated requests before your handler runs, returning null so `?: return@get` halts cleanly. When it succeeds you get the verified user, resolved once per call.

Routes.kt

// Routes.kt
get("/me") {
  val ctx = authdog.requireAuth(call) ?: return@get
  call.respond(ctx.user)
}

Ship secure Kotlin services

Authdog's Ktor SDK resolves the session on every call and enforces auth at a single gate, with the public key checked once at startup.

resolve()

To read the session anywhere

Call authdog.resolve(call) and any route gets a typed AuthdogContext — the result is cached on the call, so it costs at most one userinfo lookup.

requireAuth

The single enforcement point

Call authdog.requireAuth(call) and unauthenticated requests are rejected with 401 before your handler runs.

1 check

Public key validated at boot

The key is parsed and checked against the trusted-host allowlist once at construction, so untrusted keys never reach the hot path.

Add auth to your Ktor app.

Add the dependency, resolve the session, and gate your routes with requireAuth today. Free to start, with secure defaults built in.

Start Building