Published: 2026-04-10
Layered Security Model for JWT-Based Authentication and Authorization in Golang Echo REST APIs
DOI: 10.35870/ijsecs.v6i1.6692
Giovanni Ekayuda, Suprihadi Suprihadi
Abstract
Microservices architecture improves scalability and flexibility in modern distributed systems, yet it simultaneously widens the attack surface through decentralized service communication. Many existing implementations rely primarily on token validation without structured service-level authorization enforcement, leaving systems exposed to privilege escalation vulnerabilities. This study designed and evaluated a layered security model for a RESTful Application Programming Interface built with the Go Echo framework. The proposed approach combines JSON Web Token authentication using asymmetric cryptography with a token versioning mechanism, and pairs Role-Based Access Control with Attribute-Based Access Control within a sequential middleware pipeline. The methodology covered system architecture design, middleware implementation, structured security testing, and response time analysis. All simulated unauthorized access scenarios — including vertical and horizontal privilege escalation attempts — were successfully blocked. The average response time under the fully secured configuration measured 24.9 ms, indicating that the overhead introduced by the layered middleware remains practically acceptable. These findings suggest that separating authentication and authorization at the service level produces measurable security gains without meaningfully degrading system performance in microservices-based REST API applications.
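As an added illustration (not code from the paper), the sequential pipeline the abstract describes, written against Go's standard net/http rather than the Echo framework: layer 1 authenticates and enforces token versioning, layers 2 and 3 apply an RBAC and an ABAC policy. The asymmetric JWT signature check is assumed to run in a preceding middleware, and the user names, token versions and routes are constructed for the example.

```go
package main
import (
	"context"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
)

// Claims is the JWT payload; the asymmetric signature check is assumed to have run upstream.
type Claims struct {
	Sub  string `json:"sub"`  // user id
	Role string `json:"role"` // RBAC attribute
	Ver  int    `json:"ver"`  // token version at issue time
}
type claimsKey struct{}
// Constructed stand-in for the per-user version store; bumping a version revokes older tokens.
var tokenVersion = map[string]int{"alice": 2, "bob": 1}
func claimsFromVerifiedToken(authz string) (c Claims, ok bool) {
	parts := strings.Split(strings.TrimPrefix(authz, "Bearer "), ".")
	if len(parts) != 3 {
		return c, false
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	return c, err == nil && json.Unmarshal(raw, &c) == nil && c.Sub != ""
}
// Layer 1: authentication plus token versioning; a stale version is treated as revoked (401).
func Authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := claimsFromVerifiedToken(r.Header.Get("Authorization"))
		if !ok || c.Ver != tokenVersion[c.Sub] {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), claimsKey{}, c)))
	})
}
// Layers 2/3: run after Authenticate; a policy over claims and request that fails closed (403).
func Authorize(policy func(Claims, *http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, ok := r.Context().Value(claimsKey{}).(Claims); !ok || !policy(c, r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// RBAC policy (blocks vertical escalation) and ABAC owner policy (blocks horizontal escalation).
func IsAdmin(c Claims, _ *http.Request) bool { return c.Role == "admin" }
func IsOwner(c Claims, r *http.Request) bool { return c.Sub == strings.TrimPrefix(r.URL.Path, "/users/") }
```

Wire a route as `Authenticate(Authorize(IsOwner, handler))`; the order is what keeps the authentication decision separate from the service-level authorization decision.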
Keywords
Microservices Security; JSON Web Token; Role-Based Access Control; Attribute-Based Access Control; Golang Echo
Peer Review Process
This article has undergone a double-blind peer review process to ensure quality and impartiality.
Article Information
This article has been peer-reviewed and published in the International Journal Software Engineering and Computer Science (IJSECS). The content is available under the terms of the Creative Commons Attribution 4.0 International License.
- Issue: Vol. 6 No. 1 (2026)
- Section: Articles
- License: CC BY 4.0
- Copyright: © 2026 Authors
Giovanni Ekayuda, Satya Wacana Christian University
Department of Informatics Engineering, Faculty of Information Technology, Universitas Kristen Satya Wacana, Salatiga City, Central Java Province, Indonesia
This work is licensed under a Creative Commons Attribution 4.0 International License.