It's currently not possible to set CORS based on e.g. HTTP Authorization. This is because signature AllowOriginFunc func(origin string) bool does no have r *http.Request. This makes advanced use cases impossible and the function for anything else than maybe wildcard-based subdomain matching. There's actually a fork that does that (https://github.com/go-chi/cors) but this should really be added here.