knoxcall-go is the official KnoxCall client for Go — stdlib only, context-first, goroutine-safe (the token store uses single-flight refresh).
Install
Not yet published — install from the monorepo path with a replace directive in your go.mod, or via a git checkout.
Create a client
Sandbox: true to target the isolated Test data plane (sandbox.knoxcall.com management host, sandbox-{tenant}.knoxcall.com proxy host) with a tk_test_ key. Passing conflicting credential options (e.g. APIKey and ClientID) is a construction error; explicit options always beat the environment.
DPoP-bound OAuth clients are not yet supported by the Go SDK — if the server issues a DPoP-bound token, the SDK fails fast with a clear error rather than mis-authenticating. Use a Bearer OAuth client, or the Node.js / Python SDK.
Manage resources
Create a route, then list with pagination — single-object methods return the unwrapped object; paginated lists return a typed Page[T]; ListAll walks every page:
Secrets, Webhooks, Clients, OAuthClients, Environments, APIKeys, Account, AuditLogs, Agents, Crypto, PKI, Vaults, and DynamicDB. All methods take a context.Context first.
Call routes through the proxy
client.Call() proxies a request through a KnoxCall route to your upstream and returns the raw *http.Response — the upstream’s status belongs to you; the SDK never turns it into an error. Reference routes by slug (write-once, rename-proof); UUIDs also work.
context.WithTimeout).
Bound routes
State the route (and optional defaults) once with client.Route(), then use plain HTTP verbs:
Call().
Verify webhooks
ConstructWebhookEvent (also available as client.Webhooks.ConstructEvent) verifies the delivery’s HMAC-SHA256 signature and parses it into a typed event in one step. Pass the raw body bytes — never re-serialized JSON:
legacy header (stripe, github, slack, aws-sns, custom) are selected with &knoxcall.ConstructEventOptions{Format: "stripe"}; the replay window defaults to 300s; custom requires HeaderName.
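Why the raw bytes matter and what the replay window rejects, as an added stdlib-only example that is not the SDK's code. The signing layout (`<unix-ts>.` followed by the body), the helper names mac, verify and reserialize, the secret and the sample event are assumptions constructed for illustration, not KnoxCall's wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var errStale, errBadSig = errors.New("timestamp outside replay window"), errors.New("signature mismatch")

// Assumed layout (not KnoxCall's wire format): HMAC-SHA256(secret, "<unix-ts>." + rawBody).
func mac(secret, raw []byte, ts int64) []byte {
	m := hmac.New(sha256.New, secret)
	fmt.Fprintf(m, "%d.", ts)
	m.Write(raw)
	return m.Sum(nil)
}

// verify rejects timestamps outside the window, then compares MACs in constant time.
func verify(secret, raw []byte, ts int64, sigHex string, now time.Time, window time.Duration) error {
	if d := now.Sub(time.Unix(ts, 0)); d > window || d < -window {
		return errStale
	}
	got, err := hex.DecodeString(sigHex)
	if err != nil || !hmac.Equal(got, mac(secret, raw, ts)) {
		return errBadSig
	}
	return nil
}

// reserialize mimics a handler that decodes the JSON and re-encodes it before verifying.
func reserialize(raw []byte) []byte {
	var v interface{}
	_ = json.Unmarshal(raw, &v)
	out, _ := json.Marshal(v)
	return out
}

func main() {
	secret, raw := []byte("constructed-example-secret"), []byte(`{"type": "route.updated", "id": 7}`)
	now, w := time.Unix(1700000000, 0), 300*time.Second
	sig := hex.EncodeToString(mac(secret, raw, now.Unix()))
	fmt.Println(verify(secret, raw, now.Unix(), sig, now, w))                       // raw body verifies
	fmt.Println(verify(secret, reserialize(raw), now.Unix(), sig, now, w))          // re-encoded body fails
	fmt.Println(verify(secret, raw, now.Unix(), sig, now.Add(301*time.Second), w)) // replayed late
}
```

Re-encoding changes key order and whitespace, so the MAC no longer matches even though the JSON is semantically identical.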
Handle errors
All API failures are typed and unwrap to *APIError (status, machine-readable type, human message, RequestID for support):
AuthenticationError (401), PermissionDeniedError (403), NotFoundError (404), ConflictError (409), ValidationError (422), RateLimitError (429), ServerError (5xx), plus SignupError, WebhookSignatureVerificationError, and ConnectionError / ConnectionTimeoutError for transport failures.
Retries and idempotency
Management requests retry automatically on transport errors and HTTP 408/429/500/502/503/504 (never 409), with exponential half-jitter backoff and Retry-After honored up to 30s. Every mutating request carries a ULID X-Idempotency-Key that stays stable across retries. A 401 purges the cached token and retries once with fresh credentials. Tune with Options{RetryMaxAttempts, RetryBaseDelay, RetryMaxDelay}.
Full reference
The package README documents every resource method, the ephemeral proxy, field-actions, crypto/PKI/vault operations, and credential-less Signup(): sdk/knoxcall-go/README.md in the monorepo.