Using OAuth 2.0 for Web Server Applications | Authorization

<!doctype html> <html lang="en" dir="ltr"> <head> <meta name="google-signin-client-id" content="721724668570-nbkv1cfusk7kk4eni4pjvepaus73b13t.apps.googleusercontent.com"> <meta name="google-signin-scope" content="profile email https://www.googleapis.com/auth/developerprofiles https://www.googleapis.com/auth/developerprofiles.award"> <meta property="og:site_name" content="Google for Developers"> <meta property="og:type" content="website"><meta name="theme-color" content="#009688"><meta charset="utf-8"> <meta content="IE=Edge" http-equiv="X-UA-Compatible"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="manifest" href="/_pwa/developers/manifest.json" crossorigin="use-credentials"> <link rel="preconnect" href="//www.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.googleapis.com" crossorigin> <link rel="preconnect" href="//apis.google.com" crossorigin> <link rel="preconnect" href="//www.google-analytics.com" crossorigin><link rel="stylesheet" href="//fonts.googleapis.com/css?family=Google+Sans:400,500|Roboto:400,400italic,500,500italic,700,700italic|Roboto+Mono:400,500,700&display=swap"> <link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Material+Icons&family=Material+Symbols+Outlined&display=block"><link rel="stylesheet" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/css/app.css"> <link rel="shortcut icon" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/favicon-new.png"> <link rel="apple-touch-icon" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png"><link rel="canonical" href="https://developers.google.com/identity/protocols/oauth2/web-server"><link rel="search" type="application/opensearchdescription+xml" title="Google for Developers" href="https://developers.google.com/s/opensearch.xml"> <link rel="alternate" hreflang="en" href="https://developers.google.com/identity/protocols/oauth2/web-server" /><link rel="alternate" hreflang="x-default" href="https://developers.google.com/identity/protocols/oauth2/web-server" /><link rel="alternate" hreflang="ar" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=ar" /><link rel="alternate" hreflang="bn" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=bn" /><link rel="alternate" hreflang="zh-Hans" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=zh-cn" /><link rel="alternate" hreflang="zh-Hant" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=zh-tw" /><link rel="alternate" hreflang="fa" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=fa" /><link rel="alternate" hreflang="fr" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=fr" /><link rel="alternate" hreflang="de" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=de" /><link rel="alternate" hreflang="he" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=he" /><link rel="alternate" hreflang="hi" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=hi" /><link rel="alternate" hreflang="id" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=id" /><link rel="alternate" hreflang="it" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=it" /><link rel="alternate" hreflang="ja" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=ja" /><link rel="alternate" hreflang="ko" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=ko" /><link rel="alternate" hreflang="pl" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=pl" /><link rel="alternate" hreflang="pt-BR" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=pt-br" /><link rel="alternate" hreflang="ru" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=ru" /><link rel="alternate" hreflang="es-419" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=es-419" /><link rel="alternate" hreflang="th" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=th" /><link rel="alternate" hreflang="tr" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=tr" /><link rel="alternate" hreflang="vi" href="https://developers.google.com/identity/protocols/oauth2/web-server?hl=vi" /><title>Using OAuth 2.0 for Web Server Applications  |  Authorization  |  Google for Developers</title> <meta property="og:title" content="Using OAuth 2.0 for Web Server Applications  |  Authorization  |  Google for Developers"><meta property="og:url" content="https://developers.google.com/identity/protocols/oauth2/web-server"><meta property="og:image" content="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/opengraph/teal.png"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="675"><meta property="og:locale" content="en"><meta name="twitter:card" content="summary_large_image"><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "Article", "headline": "Using OAuth 2.0 for Web Server Applications" } </script><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [{ "@type": "ListItem", "position": 1, "name": "Google Identity", "item": "https://developers.google.com/identity" },{ "@type": "ListItem", "position": 2, "name": "Authorization", "item": "https://developers.google.com/identity/authorization" },{ "@type": "ListItem", "position": 3, "name": "Using OAuth 2.0 for Web Server Applications", "item": "https://developers.google.com/identity/protocols/oauth2/web-server" }] } </script> <link rel="stylesheet" href="/extras.css"></head> <body class="" template="page" theme="teal" type="article" layout="docs" concierge='closed' display-toc pending> <devsite-progress type="indeterminate" id="app-progress"></devsite-progress> <section class="devsite-wrapper"> <devsite-cookie-notification-bar></devsite-cookie-notification-bar><devsite-header role="banner"> <div class="devsite-header--inner nocontent"> <div class="devsite-top-logo-row-wrapper-wrapper"> <div class="devsite-top-logo-row-wrapper"> <div class="devsite-top-logo-row"> <button type="button" id="devsite-hamburger-menu" class="devsite-header-icon-button button-flat material-icons gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Navigation menu button" visually-hidden aria-label="Open menu"> </button> <div class="devsite-product-name-wrapper"> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item devsite-has-google-wordmark"> <a href="https://developers.google.com/identity" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Upper Header" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="Google Identity" > <svg class="devsite-google-wordmark" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 148 48"> <title>Google</title> <path class="devsite-google-wordmark-svg-path" d="M19.58,37.65c-9.87,0-18.17-8.04-18.17-17.91c0-9.87,8.3-17.91,18.17-17.91c5.46,0,9.35,2.14,12.27,4.94l-3.45,3.45c-2.1-1.97-4.93-3.49-8.82-3.49c-7.21,0-12.84,5.81-12.84,13.02c0,7.21,5.64,13.02,12.84,13.02c4.67,0,7.34-1.88,9.04-3.58c1.4-1.4,2.32-3.41,2.66-6.16H19.58v-4.89h16.47c0.18,0.87,0.26,1.92,0.26,3.06c0,3.67-1.01,8.21-4.24,11.44C28.93,35.9,24.91,37.65,19.58,37.65z M61.78,26.12c0,6.64-5.1,11.53-11.36,11.53s-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53S61.78,19.43,61.78,26.12z M56.8,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C53.84,33.11,56.8,30.22,56.8,26.12z M87.25,26.12c0,6.64-5.1,11.53-11.36,11.53c-6.26,0-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53C82.15,14.59,87.25,19.43,87.25,26.12zM82.28,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C79.32,33.11,82.28,30.22,82.28,26.12z M112.09,15.29v20.7c0,8.52-5.02,12.01-10.96,12.01c-5.59,0-8.95-3.76-10.22-6.81l4.41-1.83c0.79,1.88,2.71,4.1,5.81,4.1c3.8,0,6.16-2.36,6.16-6.77v-1.66h-0.18c-1.14,1.4-3.32,2.62-6.07,2.62c-5.76,0-11.05-5.02-11.05-11.49c0-6.51,5.28-11.57,11.05-11.57c2.75,0,4.93,1.22,6.07,2.58h0.18v-1.88H112.09z M107.64,26.16c0-4.06-2.71-7.03-6.16-7.03c-3.49,0-6.42,2.97-6.42,7.03c0,4.02,2.93,6.94,6.42,6.94C104.93,33.11,107.64,30.18,107.64,26.16z M120.97,3.06v33.89h-5.07V3.06H120.97z M140.89,29.92l3.93,2.62c-1.27,1.88-4.32,5.11-9.61,5.11c-6.55,0-11.28-5.07-11.28-11.53c0-6.86,4.77-11.53,10.71-11.53c5.98,0,8.91,4.76,9.87,7.34l0.52,1.31l-15.42,6.38c1.18,2.31,3.01,3.49,5.59,3.49C137.79,33.11,139.58,31.84,140.89,29.92zM128.79,25.77l10.31-4.28c-0.57-1.44-2.27-2.45-4.28-2.45C132.24,19.04,128.66,21.31,128.79,25.77z"/> </svg>Identity </a> </li> </ul> </div> <div class="devsite-top-logo-row-middle"> <div class="devsite-header-upper-tabs"> <devsite-tabs class="upper-tabs"> <nav class="devsite-tabs-wrapper" aria-label="Upper tabs"> <tab class="devsite-dropdown "> <a href="https://developers.google.com/identity/authentication" track-metadata-eventdetail="https://developers.google.com/identity/authentication" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - authentication" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Authentication" track-name="authentication" > Authentication </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Authentication" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/authentication" track-metadata-position="nav - authentication" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Authentication" track-name="authentication" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Sign In with Google SDKs</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/android-credential-manager" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/android-credential-manager" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Credential Manager for Android </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/gsi/web/guides/overview" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/gsi/web/guides/overview" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Sign In with Google for Web (including One Tap) </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/ios/start" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/ios/start" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Google Sign-In for iOS and macOS </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Industry standards</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/passkeys" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/passkeys" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Passkeys </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/openid-connect/openid-connect" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/openid-connect/openid-connect" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> OpenID Connect </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Legacy Sign In</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/one-tap/android/overview" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/one-tap/android/overview" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> One Tap sign-up/sign-in for Android </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/android/legacy-start-integrating" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/android/legacy-start-integrating" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Google Sign-In for Android </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/web/sign-in" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/web/sign-in" track-metadata-position="nav - authentication" track-metadata-module="tertiary nav" track-metadata-module_headline="sign in with google sdks" tooltip > <div class="devsite-nav-item-title"> Google Sign-In for Web </div> </a> </li> </ul> </div> </div> </div> </tab> <tab class="devsite-dropdown devsite-active "> <a href="https://developers.google.com/identity/authorization" track-metadata-eventdetail="https://developers.google.com/identity/authorization" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - authorization" track-metadata-module="primary nav" aria-label="Authorization, selected" data-category="Site-Wide Custom Events" data-label="Tab: Authorization" track-name="authorization" > Authorization </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Authorization" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/authorization" track-metadata-position="nav - authorization" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Authorization" track-name="authorization" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Call Google APIs</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/android/authorize-access" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/android/authorize-access" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Authorizing for Android </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/oauth2/web/guides/overview" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/oauth2/web/guides/overview" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Authorizing for Web </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sign-in/ios/api-access" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sign-in/ios/api-access" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Authorizing for iOS/macOS </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/protocols/oauth2" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/protocols/oauth2" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Using OAuth 2.0 </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Share data with Google apps and devices</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/account-linking" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/account-linking" track-metadata-position="nav - authorization" track-metadata-module="tertiary nav" track-metadata-module_headline="call google apis" tooltip > <div class="devsite-nav-item-title"> Google Account Linking </div> </a> </li> </ul> </div> </div> </div> </tab> <tab class="devsite-dropdown "> <a href="https://developers.google.com/identity/credential-management" track-metadata-eventdetail="https://developers.google.com/identity/credential-management" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - credential management" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Credential management" track-name="credential management" > Credential management </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Credential management" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/credential-management" track-metadata-position="nav - credential management" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Credential management" track-name="credential management" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Android</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/android-credential-manager" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/android-credential-manager" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Credential Manager </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/blockstore/android" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/blockstore/android" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Blockstore </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/smartlock-passwords/android/associate-apps-and-sites" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/smartlock-passwords/android/associate-apps-and-sites" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Digital Asset Links </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developer.android.com/guide/topics/text/autofill" track-type="nav" track-metadata-eventdetail="https://developer.android.com/guide/topics/text/autofill" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Android autofill framework </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Web</li> <li class="devsite-nav-item"> <a href="https://web.dev/sign-in-form-best-practices/" track-type="nav" track-metadata-eventdetail="https://web.dev/sign-in-form-best-practices/" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Autocomplete </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Cross-platform</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/credential-sharing" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/credential-sharing" track-metadata-position="nav - credential management" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Seamless credential sharing </div> </a> </li> </ul> </div> </div> </div> </tab> <tab class="devsite-dropdown "> <a href="https://developers.google.com/identity/credential-verification" track-metadata-eventdetail="https://developers.google.com/identity/credential-verification" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - credential verification" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Credential verification" track-name="credential verification" > Credential verification </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Credential verification" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/credential-verification" track-metadata-position="nav - credential verification" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Credential verification" track-name="credential verification" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Android</li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/sms-retriever/overview" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/sms-retriever/overview" track-metadata-position="nav - credential verification" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Verify users by SMS </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/identity/phone-number-hint/android" track-type="nav" track-metadata-eventdetail="https://developers.google.com/identity/phone-number-hint/android" track-metadata-position="nav - credential verification" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Phone Number Hint </div> </a> </li> </ul> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-title" role="heading" tooltip>Web</li> <li class="devsite-nav-item"> <a href="https://web.dev/web-otp/" track-type="nav" track-metadata-eventdetail="https://web.dev/web-otp/" track-metadata-position="nav - credential verification" track-metadata-module="tertiary nav" track-metadata-module_headline="android" tooltip > <div class="devsite-nav-item-title"> Verify phone numbers on the web </div> </a> </li> </ul> </div> </div> </div> </tab> </nav> </devsite-tabs> </div> <devsite-search enable-signin enable-search enable-suggestions enable-query-completion project-name="Authorization" tenant-name="Google for Developers" project-scope="/identity/authorization" url-scoped="https://developers.google.com/s/results/identity/authorization" > <form class="devsite-search-form" action="https://developers.google.com/s/results" method="GET"> <div class="devsite-search-container"> <button type="button" search-open class="devsite-search-button devsite-header-icon-button button-flat material-icons" aria-label="Open search"></button> <div class="devsite-searchbox"> <input aria-activedescendant="" aria-autocomplete="list" aria-label="Search" aria-expanded="false" aria-haspopup="listbox" autocomplete="off" class="devsite-search-field devsite-search-query" name="q" placeholder="Search" role="combobox" type="text" value="" > <div class="devsite-search-image material-icons" aria-hidden="true"> </div> <div class="devsite-search-shortcut-icon-container" aria-hidden="true"> <kbd class="devsite-search-shortcut-icon">/</kbd> </div> </div> </div> </form> <button type="button" search-close class="devsite-search-button devsite-header-icon-button button-flat material-icons" aria-label="Close search"></button> </devsite-search> </div> <devsite-language-selector> <ul role="presentation"> <li role="presentation"> <a role="menuitem" lang="en" >English</a> </li> <li role="presentation"> <a role="menuitem" lang="de" >Deutsch</a> </li> <li role="presentation"> <a role="menuitem" lang="es" >Español</a> </li> <li role="presentation"> <a role="menuitem" lang="es_419" >Español – América Latina</a> </li> <li role="presentation"> <a role="menuitem" lang="fr" >Français</a> </li> <li role="presentation"> <a role="menuitem" lang="id" >Indonesia</a> </li> <li role="presentation"> <a role="menuitem" lang="it" >Italiano</a> </li> <li role="presentation"> <a role="menuitem" lang="pl" >Polski</a> </li> <li role="presentation"> <a role="menuitem" lang="pt_br" >Português – Brasil</a> </li> <li role="presentation"> <a role="menuitem" lang="vi" >Tiếng Việt</a> </li> <li role="presentation"> <a role="menuitem" lang="tr" >Türkçe</a> </li> <li role="presentation"> <a role="menuitem" lang="ru" >Русский</a> </li> <li role="presentation"> <a role="menuitem" lang="he" >עברית</a> </li> <li role="presentation"> <a role="menuitem" lang="ar" >العربيّة</a> </li> <li role="presentation"> <a role="menuitem" lang="fa" >فارسی</a> </li> <li role="presentation"> <a role="menuitem" lang="hi" >हिंदी</a> </li> <li role="presentation"> <a role="menuitem" lang="bn" >বাংলা</a> </li> <li role="presentation"> <a role="menuitem" lang="th" >ภาษาไทย</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_cn" >中文 – 简体</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_tw" >中文 – 繁體</a> </li> <li role="presentation"> <a role="menuitem" lang="ja" >日本語</a> </li> <li role="presentation"> <a role="menuitem" lang="ko" >한국어</a> </li> </ul> </devsite-language-selector> <devsite-user enable-profiles fp-auth id="devsite-user"> Sign in </devsite-user> </div> </div> </div> <div class="devsite-collapsible-section "> <div class="devsite-header-background"> <div class="devsite-product-id-row" > <div class="devsite-product-description-row"> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item "> <a href="https://developers.google.com/identity/authorization" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Lower Header" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="Authorization" > Authorization </a> </li> </ul> </div> </div> <div class="devsite-doc-set-nav-row"> <devsite-tabs class="lower-tabs"> <nav class="devsite-tabs-wrapper" aria-label="Lower tabs"> <tab class="devsite-active"> <a href="https://developers.google.com/identity/protocols/oauth2" track-metadata-eventdetail="https://developers.google.com/identity/protocols/oauth2" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - oauth 2.0" track-metadata-module="primary nav" aria-label="OAuth 2.0, selected" data-category="Site-Wide Custom Events" data-label="Tab: OAuth 2.0" track-name="oauth 2.0" > OAuth 2.0 </a> </tab> <tab > <a href="https://developers.google.com/identity/authorization/android" track-metadata-eventdetail="https://developers.google.com/identity/authorization/android" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - android" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Android" track-name="android" > Android </a> </tab> <tab > <a href="https://developers.google.com/identity/oauth2/web/guides/overview" track-metadata-eventdetail="https://developers.google.com/identity/oauth2/web/guides/overview" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - web" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Web" track-name="web" > Web </a> </tab> <tab > <a href="https://developers.google.com/identity/account-linking" track-metadata-eventdetail="https://developers.google.com/identity/account-linking" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - google account linking" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Google Account Linking" track-name="google account linking" > Google Account Linking </a> </tab> </nav> </devsite-tabs> </div> </div> </div> </div> </devsite-header> <devsite-book-nav scrollbars > <div class="devsite-book-nav-filter" > <input type="text" placeholder="Filter" aria-label="Type to filter" role="searchbox"> </div> <nav class="devsite-book-nav devsite-nav nocontent" aria-label="Side menu"> <div class="devsite-mobile-header"> <button type="button" id="devsite-close-nav" class="devsite-header-icon-button button-flat material-icons gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Close navigation" aria-label="Close navigation"> </button> <div class="devsite-product-name-wrapper"> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item devsite-has-google-wordmark"> <a href="https://developers.google.com/identity" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Upper Header" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="Google Identity" > <svg class="devsite-google-wordmark" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 148 48"> <title>Google</title> <path class="devsite-google-wordmark-svg-path" d="M19.58,37.65c-9.87,0-18.17-8.04-18.17-17.91c0-9.87,8.3-17.91,18.17-17.91c5.46,0,9.35,2.14,12.27,4.94l-3.45,3.45c-2.1-1.97-4.93-3.49-8.82-3.49c-7.21,0-12.84,5.81-12.84,13.02c0,7.21,5.64,13.02,12.84,13.02c4.67,0,7.34-1.88,9.04-3.58c1.4-1.4,2.32-3.41,2.66-6.16H19.58v-4.89h16.47c0.18,0.87,0.26,1.92,0.26,3.06c0,3.67-1.01,8.21-4.24,11.44C28.93,35.9,24.91,37.65,19.58,37.65z M61.78,26.12c0,6.64-5.1,11.53-11.36,11.53s-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53S61.78,19.43,61.78,26.12z M56.8,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C53.84,33.11,56.8,30.22,56.8,26.12z M87.25,26.12c0,6.64-5.1,11.53-11.36,11.53c-6.26,0-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53C82.15,14.59,87.25,19.43,87.25,26.12zM82.28,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C79.32,33.11,82.28,30.22,82.28,26.12z M112.09,15.29v20.7c0,8.52-5.02,12.01-10.96,12.01c-5.59,0-8.95-3.76-10.22-6.81l4.41-1.83c0.79,1.88,2.71,4.1,5.81,4.1c3.8,0,6.16-2.36,6.16-6.77v-1.66h-0.18c-1.14,1.4-3.32,2.62-6.07,2.62c-5.76,0-11.05-5.02-11.05-11.49c0-6.51,5.28-11.57,11.05-11.57c2.75,0,4.93,1.22,6.07,2.58h0.18v-1.88H112.09z M107.64,26.16c0-4.06-2.71-7.03-6.16-7.03c-3.49,0-6.42,2.97-6.42,7.03c0,4.02,2.93,6.94,6.42,6.94C104.93,33.11,107.64,30.18,107.64,26.16z M120.97,3.06v33.89h-5.07V3.06H120.97z M140.89,29.92l3.93,2.62c-1.27,1.88-4.32,5.11-9.61,5.11c-6.55,0-11.28-5.07-11.28-11.53c0-6.86,4.77-11.53,10.71-11.53c5.98,0,8.91,4.76,9.87,7.34l0.52,1.31l-15.42,6.38c1.18,2.31,3.01,3.49,5.59,3.49C137.79,33.11,139.58,31.84,140.89,29.92zM128.79,25.77l10.31-4.28c-0.57-1.44-2.27-2.45-4.28-2.45C132.24,19.04,128.66,21.31,128.79,25.77z"/> </svg>Identity </a> </li> </ul> </div> </div> <div class="devsite-book-nav-wrapper"> <div class="devsite-mobile-nav-top"> <ul class="devsite-nav-list"> <li class="devsite-nav-item"> <a href="/identity/authentication" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Tab: Authentication" track-name="authentication" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authentication" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Authentication </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> More </li> </ul> </li> <li class="devsite-nav-item"> <a href="/identity/authorization" class="devsite-nav-title gc-analytics-event devsite-nav-active" data-category="Site-Wide Custom Events" data-label="Tab: Authorization" track-name="authorization" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorization" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Authorization </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> More </li> </ul> <ul class="devsite-nav-responsive-tabs"> <li class="devsite-nav-item"> <a href="/identity/protocols/oauth2" class="devsite-nav-title gc-analytics-event devsite-nav-has-children devsite-nav-active" data-category="Site-Wide Custom Events" data-label="Tab: OAuth 2.0" track-name="oauth 2.0" data-category="Site-Wide Custom Events" data-label="Responsive Tab: OAuth 2.0" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> OAuth 2.0 </a> </li> <li class="devsite-nav-item"> <a href="/identity/authorization/android" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Android" track-name="android" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Android" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Android </a> </li> <li class="devsite-nav-item"> <a href="/identity/oauth2/web/guides/overview" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Web" track-name="web" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Web" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Web </a> </li> <li class="devsite-nav-item"> <a href="/identity/account-linking" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Google Account Linking" track-name="google account linking" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Account Linking" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Account Linking </a> </li> </ul> </li> <li class="devsite-nav-item"> <a href="/identity/credential-management" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Credential management" track-name="credential management" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential management" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Credential management </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> More </li> </ul> </li> <li class="devsite-nav-item"> <a href="/identity/credential-verification" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Tab: Credential verification" track-name="credential verification" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential verification" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Credential verification </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> More </li> </ul> </li> </ul> </div> <div class="devsite-mobile-nav-bottom"> <ul class="devsite-nav-list" menu="_book"> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2" >Overview</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/cross-client-identity" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/cross-client-identity" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/cross-client-identity" >Cross-client Identity</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/scopes" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/scopes" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/scopes" >OAuth 2.0 Scopes</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/policies" >OAuth 2.0 Policies</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Access to Google APIs </div></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/web-server" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/web-server" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/web-server" >for Server-side Web Apps</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/javascript-implicit-flow" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/javascript-implicit-flow" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/javascript-implicit-flow" >for JavaScript Web Apps</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/native-app" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/native-app" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/native-app" >for Mobile & Desktop Apps</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/limited-input-device" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/limited-input-device" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/limited-input-device" >for TV & Device Apps</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/service-account" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/service-account" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/service-account" >for Service Accounts</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Prepare your app for production </div></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/policy-compliance" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/policy-compliance" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/policy-compliance" >Comply with OAuth 2.0 policies</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/brand-verification" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/brand-verification" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/brand-verification" >Submit for brand verification</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/sensitive-scope-verification" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/sensitive-scope-verification" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/sensitive-scope-verification" >Sensitive scope verification</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/restricted-scope-verification" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/restricted-scope-verification" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/restricted-scope-verification" >Restricted scope verification</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/google-workspace" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/google-workspace" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/google-workspace" >Additional considerations for Google Workspace</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Resources </div></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/resources/best-practices" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/resources/best-practices" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/resources/best-practices" >Best practices</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/resources/granular-permissions" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/resources/granular-permissions" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/resources/granular-permissions" >How to handle granular permissions</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/resources/oob-migration" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/resources/oob-migration" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/resources/oob-migration" >Out-of-band (OOB) Migration</a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/resources/loopback-migration" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/resources/loopback-migration" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/resources/loopback-migration" >Loopback IP Address Migration for Mobile and Chrome Apps</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Related topics </div></li> <li class="devsite-nav-item"><a href="/identity/protocols/risc" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/risc" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/risc" >Cross-Account Protection (RISC)</a></li> <li class="devsite-nav-item devsite-nav-external"><a href="https://webauthn.guide/" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: https://webauthn.guide/" track-type="bookNav" track-name="click" track-metadata-eventdetail="https://webauthn.guide/" >WebAuthn</a></li> </ul> <ul class="devsite-nav-list" menu="Authentication" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> Sign In with Google SDKs </li> <li class="devsite-nav-item"> <a href="/identity/android-credential-manager" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential Manager for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Credential Manager for Android </a> </li> <li class="devsite-nav-item"> <a href="/identity/gsi/web/guides/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Sign In with Google for Web (including One Tap)" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Sign In with Google for Web (including One Tap) </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/ios/start" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for iOS and macOS" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Sign-In for iOS and macOS </a> </li> <li class="devsite-nav-item devsite-nav-heading"> Industry standards </li> <li class="devsite-nav-item"> <a href="/identity/passkeys" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Passkeys" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Passkeys </a> </li> <li class="devsite-nav-item"> <a href="/identity/openid-connect/openid-connect" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: OpenID Connect" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> OpenID Connect </a> </li> <li class="devsite-nav-item devsite-nav-heading"> Legacy Sign In </li> <li class="devsite-nav-item"> <a href="/identity/one-tap/android/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: One Tap sign-up/sign-in for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> One Tap sign-up/sign-in for Android </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/android/legacy-start-integrating" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Sign-In for Android </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/web/sign-in" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for Web" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Sign-In for Web </a> </li> </ul> <ul class="devsite-nav-list" menu="Authorization" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> Call Google APIs </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/android/authorize-access" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorizing for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Authorizing for Android </a> </li> <li class="devsite-nav-item"> <a href="/identity/oauth2/web/guides/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorizing for Web" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Authorizing for Web </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/ios/api-access" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorizing for iOS/macOS" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Authorizing for iOS/macOS </a> </li> <li class="devsite-nav-item"> <a href="/identity/protocols/oauth2" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Using OAuth 2.0" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Using OAuth 2.0 </a> </li> <li class="devsite-nav-item devsite-nav-heading"> Share data with Google apps and devices </li> <li class="devsite-nav-item"> <a href="/identity/account-linking" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Account Linking" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Account Linking </a> </li> </ul> <ul class="devsite-nav-list" menu="Credential management" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> Android </li> <li class="devsite-nav-item"> <a href="/identity/android-credential-manager" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential Manager" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Credential Manager </a> </li> <li class="devsite-nav-item"> <a href="/identity/blockstore/android" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Blockstore" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Blockstore </a> </li> <li class="devsite-nav-item"> <a href="/identity/smartlock-passwords/android/associate-apps-and-sites" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Digital Asset Links" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Digital Asset Links </a> </li> <li class="devsite-nav-item"> <a href="https://developer.android.com/guide/topics/text/autofill" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Android autofill framework" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Android autofill framework </a> </li> <li class="devsite-nav-item devsite-nav-heading"> Web </li> <li class="devsite-nav-item"> <a href="https://web.dev/sign-in-form-best-practices/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Autocomplete" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Autocomplete </a> </li> <li class="devsite-nav-item devsite-nav-heading"> Cross-platform </li> <li class="devsite-nav-item"> <a href="/identity/credential-sharing" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Seamless credential sharing" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Seamless credential sharing </a> </li> </ul> <ul class="devsite-nav-list" menu="Credential verification" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> Android </li> <li class="devsite-nav-item"> <a href="/identity/sms-retriever/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Verify users by SMS" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Verify users by SMS </a> </li> <li class="devsite-nav-item"> <a href="/identity/phone-number-hint/android" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Phone Number Hint" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Phone Number Hint </a> </li> <li class="devsite-nav-item devsite-nav-heading"> Web </li> <li class="devsite-nav-item"> <a href="https://web.dev/web-otp/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Verify phone numbers on the web" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Verify phone numbers on the web </a> </li> </ul> </div> </div> </nav> </devsite-book-nav> <section id="gc-wrapper"> <main role="main" class="devsite-main-content" has-book-nav > <devsite-content> <article class="devsite-article"> <div class="devsite-article-meta nocontent" role="navigation"> <ul class="devsite-breadcrumb-list" aria-label="Breadcrumb"> <li class="devsite-breadcrumb-item "> <a href="https://developers.google.com/" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="" > Home </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/products" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="2" track-type="globalNav" track-name="breadcrumb" track-metadata-position="2" track-metadata-eventdetail="" > Products </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/identity" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="3" track-type="globalNav" track-name="breadcrumb" track-metadata-position="3" track-metadata-eventdetail="Google Identity" > Google Identity </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/identity/authorization" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="4" track-type="globalNav" track-name="breadcrumb" track-metadata-position="4" track-metadata-eventdetail="Authorization" > Authorization </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/identity/protocols/oauth2" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="5" track-type="globalNav" track-name="breadcrumb" track-metadata-position="5" track-metadata-eventdetail="" > OAuth 2.0 </a> </li> </ul> <devsite-thumb-rating position="header"> </devsite-thumb-rating> </div> <devsite-feedback position="header" project-name="Authorization" product-id="5186570" bucket="Identity guides" context="External devsite feedback" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="header" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png" > <button> Send feedback </button> </devsite-feedback> <h1 class="devsite-page-title" tabindex="-1"> Using OAuth 2.0 for Web Server Applications </h1> <devsite-feature-tooltip ack-key="AckCollectionsBookmarkTooltipDismiss" analytics-category="Site-Wide Custom Events" analytics-action-show="Callout Profile displayed" analytics-action-close="Callout Profile dismissed" analytics-label="Create Collection Callout" class="devsite-page-bookmark-tooltip nocontent" dismiss-button="true" id="devsite-collections-dropdown" dismiss-button-text="Dismiss" close-button-text="Got it"> <devsite-bookmark></devsite-bookmark> Stay organized with collections Save and categorize content based on your preferences. </devsite-feature-tooltip> <div class="devsite-page-title-meta"><devsite-view-release-notes></devsite-view-release-notes></div> <devsite-toc class="devsite-nav" depth="2" devsite-toc-embedded > </devsite-toc> <div class="devsite-article-body clearfix "> This document explains how web server applications use Google API Client Libraries or Google OAuth 2.0 endpoints to implement OAuth 2.0 authorization to access Google APIs. OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives. This OAuth 2.0 flow is specifically for user authorization. It is designed for applications that can store confidential information and maintain state. A properly authorized web server application can access an API while the user interacts with the application or after the user has left the application. Web server applications frequently also use <a href="/identity/protocols/oauth2/service-account"> service accounts</a> to authorize API requests, particularly when calling Cloud APIs to access project-based data rather than user-specific data. Web server applications can use service accounts in conjunction with user authorization. <aside class="note">Note: Given the security implications of getting the implementation correct, we strongly encourage you to use OAuth 2.0 libraries when interacting with Google's OAuth 2.0 endpoints. It is a best practice to use well-debugged code provided by others, and it will help you protect yourself and your users. For more information, see <a href="#libraries">Client libraries</a>.</aside> <h2 id="libraries" data-text="Client libraries" tabindex="-1">Client libraries</h2> The language-specific examples on this page use <a href="/api-client-library">Google API Client Libraries</a> to implement OAuth 2.0 authorization. To run the code samples, you must first install the client library for your language. When you use a Google API Client Library to handle your application's OAuth 2.0 flow, the client library performs many actions that the application would otherwise need to handle on its own. For example, it determines when the application can use or refresh stored access tokens as well as when the application must reacquire consent. The client library also generates correct redirect URLs and helps to implement redirect handlers that exchange authorization codes for access tokens. Google API Client Libraries for server-side applications are available for the following languages: <ul> <li><a href="https://github.com/googleapis/google-api-go-client" class="external notranslate">Go</a></li> <li><a href="/api-client-library/java" class="notranslate">Java</a></li> <li><a href="/api-client-library/dotnet" class="notranslate">.NET</a></li> <li><a href="https://github.com/googleapis/google-api-nodejs-client" class="external notranslate">Node.js</a></li> <li><a href="https://github.com/googleapis/google-api-php-client" class="external notranslate">PHP</a></li> <li><a href="https://github.com/googleapis/google-api-python-client" class="external notranslate">Python</a></li> <li><a href="https://github.com/googleapis/google-api-ruby-client" class="external notranslate">Ruby</a></li> </ul> <aside class="note">Important: The <a href="/api-client-library/javascript">Google API client library for JavaScript</a> and <a href="/identity/gsi/web/guides/overview">Sign In With Google</a> are only intended to handle OAuth 2.0 in the user's browser. If you want to use JavaScript on the server-side to manage OAuth 2.0 interactions with Google, consider using the <a href="https://github.com/googleapis/google-api-nodejs-client">Node.js</a> library on your back-end platform.</aside> <h2 id="prerequisites" data-text="Prerequisites" tabindex="-1">Prerequisites</h2> <h3 id="enable-apis" data-text="Enable APIs for your project" tabindex="-1">Enable APIs for your project</h3> Any application that calls Google APIs needs to enable those APIs in the API Console. To enable an API for your project: <ol> <li><a href="https://console.developers.google.com/apis/library">Open the API Library</a> in the Google API Console.</li> <li>If prompted, select a project, or create a new one.</li> <li>The API Library lists all available APIs, grouped by product family and popularity. If the API you want to enable isn't visible in the list, use search to find it, or click View All in the product family it belongs to.</li> <li>Select the API you want to enable, then click the Enable button.</li> <li>If prompted, enable billing.</li> <li>If prompted, read and accept the API's Terms of Service.</li> </ol> <h3 id="creatingcred" data-text="Create authorization credentials" tabindex="-1">Create authorization credentials</h3> Any application that uses OAuth 2.0 to access Google APIs must have authorization credentials that identify the application to Google's OAuth 2.0 server. The following steps explain how to create credentials for your project. Your applications can then use the credentials to access APIs that you have enabled for that project. <ol> <li>Go to the <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>.</li> <li>Click Create credentials > OAuth client ID.</li> <li>Select the Web application application type.</li> <li>Fill in the form and click Create. Applications that use languages and frameworks like PHP, Java, Python, Ruby, and .NET must specify authorized redirect URIs. The redirect URIs are the endpoints to which the OAuth 2.0 server can send responses. These endpoints must adhere to <a href="#uri-validation">Google’s validation rules</a>. For testing, you can specify URIs that refer to the local machine, such as <code translate="no" dir="ltr">http://localhost:8080</code>. With that in mind, please note that all of the examples in this document use <code translate="no" dir="ltr">http://localhost:8080</code> as the redirect URI. We recommend that you <a href="#protectauthcode">design your app's auth endpoints</a> so that your application does not expose authorization codes to other resources on the page.</li> </ol> After creating your credentials, download the client_secret.json file from the API Console. Securely store the file in a location that only your application can access. <aside class="note">Important: Do not store the client_secret.json file in a publicly-accessible location. In addition, if you share the source code to your application — for example, on GitHub — store the client_secret.json file outside of your source tree to avoid inadvertently sharing your client credentials.</aside> <h3 id="identify-access-scopes" data-text="Identify access scopes" tabindex="-1">Identify access scopes</h3> Scopes enable your application to only request access to the resources that it needs while also enabling users to control the amount of access that they grant to your application. Thus, there may be an inverse relationship between the number of scopes requested and the likelihood of obtaining user consent. Before you start implementing OAuth 2.0 authorization, we recommend that you identify the scopes that your app will need permission to access. We also recommend that your application request access to authorization scopes via an <a href="#incrementalAuth">incremental authorization</a> process, in which your application requests access to user data in context. This best practice helps users to more easily understand why your application needs the access it is requesting. The <a href="/identity/protocols/oauth2/scopes">OAuth 2.0 API Scopes</a> document contains a full list of scopes that you might use to access Google APIs. <aside class="warning">If your public application uses scopes that permit access to certain user data, it must complete a verification process. If you see unverified app on the screen when testing your application, you must submit a verification request to remove it. Find out more about <a href="https://support.google.com/cloud/answer/7454865" class="external" target="_blank">unverified apps</a> and get answers to <a href="https://support.google.com/cloud/answer/9110914" class="external" target="_blank"> frequently asked questions about app verification</a> in the Help Center. </aside> <h3 id="languagespecificrequirements" data-text="Language-specific requirements" tabindex="-1">Language-specific requirements</h3> To run any of the code samples in this document, you'll need a Google account, access to the Internet, and a web browser. If you are using one of the API client libraries, also see the language-specific requirements below. <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php" data-text="PHP" tabindex="-1">PHP</h3> To run the PHP code samples in this document, you'll need: <ul> <li>PHP 8.0 or greater with the command-line interface (CLI) and JSON extension installed.</li> <li>The <a href="https://getcomposer.org/">Composer</a> dependency management tool.</li> <li> The Google APIs Client Library for PHP: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> composer require google/apiclient:^2.15.0</pre></devsite-code> </li> </ul> See <a href="https://github.com/googleapis/google-api-php-client">Google APIs Client Library for PHP</a> for more information. </section> <section> <h3 class="hide-from-toc" id="python" data-text="Python" tabindex="-1">Python</h3> To run the Python code samples in this document, you'll need: <ul> <li>Python 3.7 or greater</li> <li>The <a href="https://pypi.org/project/pip/">pip</a> package management tool.</li> <li>The Google APIs Client Library for Python 2.0 release: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> pip install --upgrade google-api-python-client</pre></devsite-code> </li> <li>The <code translate="no" dir="ltr">google-auth</code>, <code translate="no" dir="ltr">google-auth-oauthlib</code>, and <code translate="no" dir="ltr">google-auth-httplib2</code> for user authorization. <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> pip install --upgrade google-auth google-auth-oauthlib google-auth-httplib2</pre></devsite-code> </li> <li>The Flask Python web application framework. <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> pip install --upgrade flask</pre></devsite-code> </li> <li>The <code translate="no" dir="ltr">requests</code> HTTP library. <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> pip install --upgrade requests</pre></devsite-code> </li> </ul> Review the Google API Python client library <a href="https://github.com/googleapis/google-api-python-client?tab=readme-ov-file#version-20-release">release note</a> if you aren't able to upgrade python and associated migration guide. </section> <section> <h3 class="hide-from-toc" id="ruby" data-text="Ruby" tabindex="-1">Ruby</h3> To run the Ruby code samples in this document, you'll need: <ul> <li>Ruby 2.6 or greater</li> <li> The Google Auth Library for Ruby: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> gem install googleauth</pre></devsite-code> </li> <li> The client libraries for Drive and Calendar Google APIs: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> gem install google-apis-drive_v3 google-apis-calendar_v3</pre></devsite-code> </li> <li> The Sinatra Ruby web application framework. <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> gem install sinatra</pre></devsite-code> </li> </ul> </section> <section> <h3 class="hide-from-toc" id="node.js" data-text="Node.js" tabindex="-1">Node.js</h3> To run the Node.js code samples in this document, you'll need: <ul> <li>The maintenance LTS, active LTS, or current release of Node.js.</li> <li> The Google APIs Node.js Client: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded>npm install googleapis crypto express express-session</pre></devsite-code> </li> </ul> </section> <section> <h3 class="hide-from-toc" id="httprest" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> You do not need to install any libraries to be able to directly call the OAuth 2.0 endpoints. </section> </div> <h2 id="obtainingaccesstokens" data-text="Obtaining OAuth 2.0 access tokens" tabindex="-1">Obtaining OAuth 2.0 access tokens</h2> The following steps show how your application interacts with Google's OAuth 2.0 server to obtain a user's consent to perform an API request on the user's behalf. Your application must have that consent before it can execute a Google API request that requires user authorization. The list below quickly summarizes these steps: <ol> <li>Your application identifies the permissions it needs.</li> <li>Your application redirects the user to Google along with the list of requested permissions.</li> <li>The user decides whether to grant the permissions to your application.</li> <li>Your application finds out what the user decided.</li> <li>If the user granted the requested permissions, your application retrieves tokens needed to make API requests on the user's behalf.</li> </ol> <h3 id="creatingclient" data-text="Step 1: Set authorization parameters" tabindex="-1">Step 1: Set authorization parameters</h3> Your first step is to create the authorization request. That request sets parameters that identify your application and define the permissions that the user will be asked to grant to your application. <ul> <li>If you use a Google client library for OAuth 2.0 authentication and authorization, you create and configure an object that defines these parameters.</li> <li>If you call the Google OAuth 2.0 endpoint directly, you'll generate a URL and set the parameters on that URL.</li> </ul> The tabs below define the supported authorization parameters for web server applications. The language-specific examples also show how to use a client library or authorization library to configure an object that sets those parameters. <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php_1" data-text="PHP" tabindex="-1">PHP</h3> The following code snippet creates a <code translate="no" dir="ltr">Google\Client()</code> object, which defines the parameters in the authorization request. That object uses information from your client_secret.json file to identify your application. (See <a href="#creatingcred">creating authorization credentials</a> for more about that file.) The object also identifies the scopes that your application is requesting permission to access and the URL to your application's auth endpoint, which will handle the response from Google's OAuth 2.0 server. Finally, the code sets the optional <code translate="no" dir="ltr">access_type</code> and <code translate="no" dir="ltr">include_granted_scopes</code> parameters. For example, this code requests read-only, offline access to a user's Google Drive metadata and Calendar events: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">use Google\Client; $client = new Client(); // Required, call the setAuthConfig function to load authorization credentials from // client_secret.json file. $client->setAuthConfig('client_secret.json'); // Required, to set the scope value, call the addScope function $client->addScope([Google\Service\Drive::DRIVE_METADATA_READONLY, Google\Service\Calendar::CALENDAR_READONLY]); // Required, call the setRedirectUri function to specify a valid redirect URI for the // provided client_id $client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php'); // Recommended, offline access will give you both an access and refresh token so that // your app can refresh the access token without user interaction. $client->setAccessType('offline'); // Recommended, call the setState function. Using a state value can increase your assurance that // an incoming connection is the result of an authentication request. $client->setState($sample_passthrough_value); // Optional, if your application knows which user is trying to authenticate, it can use this // parameter to provide a hint to the Google Authentication Server. $client->setLoginHint('hint@example.com'); // Optional, call the setPrompt function to set "consent" will prompt the user for consent $client->setPrompt('consent'); // Optional, call the setIncludeGrantedScopes function with true to enable incremental // authorization $client->setIncludeGrantedScopes(true);</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="python_1" data-text="Python" tabindex="-1">Python</h3> The following code snippet uses the <code translate="no" dir="ltr">google-auth-oauthlib.flow</code> module to construct the authorization request. The code constructs a <code translate="no" dir="ltr">Flow</code> object, which identifies your application using information from the client_secret.json file that you downloaded after <a href="#creatingcred">creating authorization credentials</a>. That object also identifies the scopes that your application is requesting permission to access and the URL to your application's auth endpoint, which will handle the response from Google's OAuth 2.0 server. Finally, the code sets the optional <code translate="no" dir="ltr">access_type</code> and <code translate="no" dir="ltr">include_granted_scopes</code> parameters. For example, this code requests read-only, offline access to a user's Google Drive metadata and Calendar events: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python">import google.oauth2.credentials import google_auth_oauthlib.flow # Required, call the from_client_secrets_file method to retrieve the client ID from a # client_secret.json file. The client ID (from that file) and access scopes are required. (You can # also use the from_client_config method, which passes the client configuration as it originally # appeared in a client secrets file but doesn't access the file itself.) flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file('client_secret.json', scopes=['https://www.googleapis.com/auth/drive.metadata.readonly', 'https://www.googleapis.com/auth/calendar.readonly']) # Required, indicate where the API server will redirect the user after the user completes # the authorization flow. The redirect URI is required. The value must exactly # match one of the authorized redirect URIs for the OAuth 2.0 client, which you # configured in the API Console. If this value doesn't match an authorized URI, # you will get a 'redirect_uri_mismatch' error. flow.redirect_uri = 'https://www.example.com/oauth2callback' # Generate URL for request to Google's OAuth 2.0 server. # Use kwargs to set optional request parameters. authorization_url, state = flow.authorization_url( # Recommended, enable offline access so that you can refresh an access token without # re-prompting the user for permission. Recommended for web server apps. access_type='offline', # Optional, enable incremental authorization. Recommended as a best practice. include_granted_scopes='true', # Optional, if your application knows which user is trying to authenticate, it can use this # parameter to provide a hint to the Google Authentication Server. login_hint='hint@example.com', # Optional, set prompt to 'consent' will prompt the user for consent prompt='consent')</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="ruby_1" data-text="Ruby" tabindex="-1">Ruby</h3> Use the client_secrets.json file that you created to configure a client object in your application. When you configure a client object, you specify the scopes your application needs to access, along with the URL to your application's auth endpoint, which will handle the response from the OAuth 2.0 server. For example, this code requests read-only, offline access to a user's Google Drive metadata and Calendar events: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby">require 'googleauth' require 'googleauth/web_user_authorizer' require 'googleauth/stores/redis_token_store' require 'google/apis/drive_v3' require 'google/apis/calendar_v3' # Required, call the from_file method to retrieve the client ID from a # client_secret.json file. client_id = Google::Auth::ClientId.from_file('/path/to/client_secret.json') # Required, scope value # Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar. scope = ['Google::Apis::DriveV3::AUTH_DRIVE_METADATA_READONLY', 'Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY'] # Required, Authorizers require a storage instance to manage long term persistence of # access and refresh tokens. token_store = Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new) # Required, indicate where the API server will redirect the user after the user completes # the authorization flow. The redirect URI is required. The value must exactly # match one of the authorized redirect URIs for the OAuth 2.0 client, which you # configured in the API Console. If this value doesn't match an authorized URI, # you will get a 'redirect_uri_mismatch' error. callback_uri = '/oauth2callback' # To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI # from the client_secret.json file. To get these credentials for your application, visit # https://console.cloud.google.com/apis/credentials. authorizer = Google::Auth::WebUserAuthorizer.new(client_id, scope, token_store, callback_uri)</pre></devsite-code> Your application uses the client object to perform OAuth 2.0 operations, such as generating authorization request URLs and applying access tokens to HTTP requests. </section> <section> <h3 class="hide-from-toc" id="node.js_1" data-text="Node.js" tabindex="-1">Node.js</h3> The following code snippet creates a <code translate="no" dir="ltr">google.auth.OAuth2</code> object, which defines the parameters in the authorization request. That object uses information from your client_secret.json file to identify your application. To ask for permissions from a user to retrieve an access token, you redirect them to a consent page. To create a consent page URL: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">const {google} = require('googleapis'); const crypto = require('crypto'); const express = require('express'); const session = require('express-session'); /** * To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI * from the client_secret.json file. To get these credentials for your application, visit * https://console.cloud.google.com/apis/credentials. */ const oauth2Client = new google.auth.OAuth2( YOUR_CLIENT_ID, YOUR_CLIENT_SECRET, YOUR_REDIRECT_URL ); // Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar. const scopes = [ 'https://www.googleapis.com/auth/drive.metadata.readonly', 'https://www.googleapis.com/auth/calendar.readonly' ]; // Generate a secure random state value. const state = crypto.randomBytes(32).toString('hex'); // Store state in the session req.session.state = state; // Generate a url that asks permissions for the Drive activity and Google Calendar scope const authorizationUrl = oauth2Client.generateAuthUrl({ // 'online' (default) or 'offline' (gets refresh_token) access_type: 'offline', /** Pass in the scopes array defined above. * Alternatively, if only one scope is needed, you can pass a scope URL as a string */ scope: scopes, // Enable incremental authorization. Recommended as a best practice. include_granted_scopes: true, // Include the state parameter to reduce the risk of CSRF attacks. state: state });</pre></devsite-code> Important Note - The <code translate="no" dir="ltr">refresh_token</code> is only returned on the first authorization. More details <a href="https://github.com/googleapis/google-api-nodejs-client/issues/750#issuecomment-304521450"> here</a>. </section> <section> <h3 class="hide-from-toc" id="httprest_1" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> Google's OAuth 2.0 endpoint is at <code translate="no" dir="ltr">https://accounts.google.com/o/oauth2/v2/auth</code>. This endpoint is accessible only over HTTPS. Plain HTTP connections are refused. </section> </div> The Google authorization server supports the following query string parameters for web server applications: <table class="responsive details"> <thead> <tr> <th colspan="2">Parameters</th> </tr> </thead> <tbody> <tr id="request-parameter-client_id"> <td><code translate="no" dir="ltr">client_id</code></td> <td>Required The client ID for your application. You can find this value in the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>. </td> </tr> <tr id="request-parameter-redirect_uri"> <td><code translate="no" dir="ltr">redirect_uri</code></td> <td>Required Determines where the API server redirects the user after the user completes the authorization flow. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client, which you configured in your client's API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>. If this value doesn't match an authorized redirect URI for the provided <code translate="no" dir="ltr">client_id</code> you will get a <code translate="no" dir="ltr">redirect_uri_mismatch</code> error. Note that the <code translate="no" dir="ltr">http</code> or <code translate="no" dir="ltr">https</code> scheme, case, and trailing slash ('<code translate="no" dir="ltr">/</code>') must all match. </td> </tr> <tr id="request-parameter-response_type"> <td><code translate="no" dir="ltr">response_type</code></td> <td>Required Determines whether the Google OAuth 2.0 endpoint returns an authorization code. Set the parameter value to <code translate="no" dir="ltr">code</code> for web server applications. </td> </tr> <tr id="request-parameter-scope"> <td id="scope"><code translate="no" dir="ltr">scope</code></td> <td>Required A space-delimited list of scopes that identify the resources that your application could access on the user's behalf. These values inform the consent screen that Google displays to the user. Scopes enable your application to only request access to the resources that it needs while also enabling users to control the amount of access that they grant to your application. Thus, there is an inverse relationship between the number of scopes requested and the likelihood of obtaining user consent. We recommend that your application request access to authorization scopes in context whenever possible. By requesting access to user data in context, via <a href="#incrementalAuth">incremental authorization</a>, you help users to more easily understand why your application needs the access it is requesting. </td> </tr> <tr id="request-parameter-access_type"> <td><code translate="no" dir="ltr">access_type</code></td> <td>Recommended Indicates whether your application can refresh access tokens when the user is not present at the browser. Valid parameter values are <code translate="no" dir="ltr">online</code>, which is the default value, and <code translate="no" dir="ltr">offline</code>. Set the value to <code translate="no" dir="ltr">offline</code> if your application needs to refresh access tokens when the user is not present at the browser. This is the method of refreshing access tokens described later in this document. This value instructs the Google authorization server to return a refresh token and an access token the first time that your application exchanges an authorization code for tokens. </td> </tr> <tr id="request-parameter-state"> <td><code translate="no" dir="ltr">state</code></td> <td>Recommended Specifies any string value that your application uses to maintain state between your authorization request and the authorization server's response. The server returns the exact value that you send as a <code translate="no" dir="ltr">name=value</code> pair in the URL query component (<code translate="no" dir="ltr">?</code>) of the <code translate="no" dir="ltr">redirect_uri</code> after the user consents to or denies your application's access request. You can use this parameter for several purposes, such as directing the user to the correct resource in your application, sending nonces, and mitigating cross-site request forgery. Since your <code translate="no" dir="ltr">redirect_uri</code> can be guessed, using a <code translate="no" dir="ltr">state</code> value can increase your assurance that an incoming connection is the result of an authentication request. If you generate a random string or encode the hash of a cookie or another value that captures the client's state, you can validate the response to additionally ensure that the request and response originated in the same browser, providing protection against attacks such as <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-10.12">cross-site request forgery</a>. See the <a href="/identity/protocols/oauth2/openid-connect#createxsrftoken">OpenID Connect</a> documentation for an example of how to create and confirm a <code translate="no" dir="ltr">state</code> token. <aside class="special"> Important: The OAuth client must prevent CSRF as called out in the <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-10.12">OAuth2 Specification </a>. One way to achieve this is by using the <code translate="no" dir="ltr">state</code> parameter to maintain state between your authorization request and the authorization server's response. </aside> </td> </tr> <tr id="request-parameter-include_granted_scopes"> <td><code translate="no" dir="ltr">include_granted_scopes</code></td> <td>Optional Enables applications to use incremental authorization to request access to additional scopes in context. If you set this parameter's value to <code translate="no" dir="ltr">true</code> and the authorization request is granted, then the new access token will also cover any scopes to which the user previously granted the application access. See the <a href="#incrementalAuth">incremental authorization</a> section for examples. </td> </tr> <tr id="request-parameter-enable_granular_consent"> <td><code translate="no" dir="ltr">enable_granular_consent</code></td> <td>Optional Defaults to <code translate="no" dir="ltr">true</code>. If set to <code translate="no" dir="ltr">false</code>, <a href="/identity/protocols/oauth2/resources/granular-permissions">more granular Google Account permissions</a> will be disabled for OAuth client IDs created before 2019. No effect for newer OAuth client IDs, since more granular permissions is always enabled for them. When Google enables granular permissions for an application, this parameter will no longer have any effect. </td> </tr> <tr id="request-parameter-login_hint"> <td><code translate="no" dir="ltr">login_hint</code></td> <td>Optional If your application knows which user is trying to authenticate, it can use this parameter to provide a hint to the Google Authentication Server. The server uses the hint to simplify the login flow either by prefilling the email field in the sign-in form or by selecting the appropriate multi-login session. Set the parameter value to an email address or <code translate="no" dir="ltr">sub</code> identifier, which is equivalent to the user's Google ID. </td> </tr> <tr id="request-parameter-prompt"> <td><code translate="no" dir="ltr">prompt</code></td> <td>Optional A space-delimited, case-sensitive list of prompts to present the user. If you don't specify this parameter, the user will be prompted only the first time your project requests access. See <a href="/identity/protocols/oauth2/openid-connect#re-consent"> Prompting re-consent</a> for more information. Possible values are: <table class="responsive"> <tr> <td><code translate="no" dir="ltr">none</code></td> <td>Do not display any authentication or consent screens. Must not be specified with other values.</td> </tr> <tr> <td><code translate="no" dir="ltr">consent</code></td> <td>Prompt the user for consent.</td> </tr> <tr> <td><code translate="no" dir="ltr">select_account</code></td> <td>Prompt the user to select an account.</td> </tr> </table> </td> </tr> </tbody> </table> <h3 id="redirecting" data-text="Step 2: Redirect to Google's OAuth 2.0 server" tabindex="-1">Step 2: Redirect to Google's OAuth 2.0 server</h3> Redirect the user to Google's OAuth 2.0 server to initiate the authentication and authorization process. Typically, this occurs when your application first needs to access the user's data. In the case of <a href="#incrementalAuth">incremental authorization</a>, this step also occurs when your application first needs to access additional resources that it does not yet have permission to access. <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php_2" data-text="PHP" tabindex="-1">PHP</h3> <ol> <li>Generate a URL to request access from Google's OAuth 2.0 server: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">$auth_url = $client->createAuthUrl();</pre></devsite-code> </li> <li>Redirect the user to <code translate="no" dir="ltr">$auth_url</code>: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));</pre></devsite-code> </li> </ol> </section> <section> <h3 class="hide-from-toc" id="python_2" data-text="Python" tabindex="-1">Python</h3> This example shows how to redirect the user to the authorization URL using the Flask web application framework: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python">return flask.redirect(authorization_url)</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="ruby_2" data-text="Ruby" tabindex="-1">Ruby</h3> <ol> <li>Generate a URL to request access from Google's OAuth 2.0 server: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby">auth_uri = authorizer.get_authorization_url(request: request)</pre></devsite-code></li> <li>Redirect the user to <code translate="no" dir="ltr">auth_uri</code>.</li> </ol> </section> <section> <h3 class="hide-from-toc" id="node.js_2" data-text="Node.js" tabindex="-1">Node.js</h3> <ol> <li> Use the generated URL <code translate="no" dir="ltr">authorizationUrl</code> from <a href="#creatingclient">Step 1</a> <code translate="no" dir="ltr">generateAuthUrl</code> method to request access from Google's OAuth 2.0 server. </li> <li> Redirect the user to <code translate="no" dir="ltr">authorizationUrl</code>. <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">res.redirect(authorizationUrl);</pre></devsite-code> </li> </ol> </section> <section> <h3 class="hide-from-toc" id="httprest_2" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> <h4 id="sample-redirect-to-googles-authorization-server" data-text="Sample redirect to Google's authorization server" tabindex="-1">Sample redirect to Google's authorization server</h4> An example URL is shown below, with line breaks and spaces for readability. <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> https://accounts.google.com/o/oauth2/v2/auth? scope=https%3A//www.googleapis.com/auth/drive.metadata.readonly%20https%3A//www.googleapis.com/auth/calendar.readonly& access_type=offline& include_granted_scopes=true& response_type=code& state=<var translate="no">state_parameter_passthrough_value</var>& redirect_uri=<var translate="no">https%3A//oauth2.example.com/code</var>& client_id=<var translate="no">client_id</var></pre></devsite-code> After you create the request URL, redirect the user to it. </section> </div> Google's OAuth 2.0 server authenticates the user and obtains consent from the user for your application to access the requested scopes. The response is sent back to your application using the redirect URL you specified. <h3 id="userconsentprompt" data-text="Step 3: Google prompts user for consent" tabindex="-1">Step 3: Google prompts user for consent</h3> In this step, the user decides whether to grant your application the requested access. At this stage, Google displays a consent window that shows the name of your application and the Google API services that it is requesting permission to access with the user's authorization credentials and a summary of the scopes of access to be granted. The user can then consent to grant access to one or more scopes requested by your application or refuse the request. Your application doesn't need to do anything at this stage as it waits for the response from Google's OAuth 2.0 server indicating whether any access was granted. That response is explained in the following step. <section aria-labelledby="authorization-errors"> <h4 id="authorization-errors" data-text="Errors" tabindex="-1">Errors</h4> Requests to Google's OAuth 2.0 authorization endpoint may display user-facing error messages instead of the expected authentication and authorization flows. Common error codes and suggested resolutions are listed below. <section aria-labelledby="authorization-errors-admin-policy-enforced"> <h5 id="authorization-errors-admin-policy-enforced" data-text="admin_policy_enforced" tabindex="-1"><code translate="no" dir="ltr">admin_policy_enforced</code></h5> The Google Account is unable to authorize one or more scopes requested due to the policies of their Google Workspace administrator. See the Google Workspace Admin help article <a href="https://support.google.com/a/answer/7281227"> Control which third-party & internal apps access Google Workspace data</a> for more information about how an administrator may restrict access to all scopes or sensitive and restricted scopes until access is explicitly granted to your OAuth client ID. </section> <section aria-labelledby="authorization-errors-disallowed-useragent"> <h5 id="authorization-errors-disallowed-useragent" data-text="disallowed_useragent" tabindex="-1"><code translate="no" dir="ltr">disallowed_useragent</code></h5> The authorization endpoint is displayed inside an embedded user-agent disallowed by Google's <a href="/identity/protocols/oauth2/policies#browsers">OAuth 2.0 Policies</a>. <devsite-selector> <section> <h6 id="android" data-text="Android" tabindex="-1">Android</h6> Android developers may encounter this error message when opening authorization requests in <a href="https://developer.android.com/reference/android/webkit/WebView" rel="external" class="external"><code translate="no" dir="ltr">android.webkit.WebView</code></a>. Developers should instead use Android libraries such as <a href="/identity/sign-in/android">Google Sign-In for Android</a> or OpenID Foundation's <a href="https://openid.github.io/AppAuth-Android/" rel="external" class="external">AppAuth for Android</a>. Web developers may encounter this error when an Android app opens a general web link in an embedded user-agent and a user navigates to Google's OAuth 2.0 authorization endpoint from your site. Developers should allow general links to open in the default link handler of the operating system, which includes both <a href="https://developer.android.com/training/app-links" rel="external" class="external">Android App Links</a> handlers or the default browser app. The <a href="https://developer.chrome.com/docs/android/custom-tabs/overview/" rel="external" class="external">Android Custom Tabs</a> library is also a supported option. </section> <section> <h6 id="ios" data-text="iOS" tabindex="-1">iOS</h6> iOS and macOS developers may encounter this error when opening authorization requests in <a href="https://developer.apple.com/documentation/webkit/wkwebview" rel="external" class="external"><code translate="no" dir="ltr">WKWebView</code></a>. Developers should instead use iOS libraries such as <a href="/identity/sign-in/ios">Google Sign-In for iOS</a> or OpenID Foundation's <a href="https://openid.github.io/AppAuth-iOS/" rel="external" class="external">AppAuth for iOS</a>. Web developers may encounter this error when an iOS or macOS app opens a general web link in an embedded user-agent and a user navigates to Google's OAuth 2.0 authorization endpoint from your site. Developers should allow general links to open in the default link handler of the operating system, which includes both <a href="https://developer.apple.com/ios/universal-links/" rel="external" class="external">Universal Links</a> handlers or the default browser app. The <a href="https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller" rel="external" class="external"><code translate="no" dir="ltr">SFSafariViewController</code></a> library is also a supported option. </section> </devsite-selector> </section> <section aria-labelledby="authorization-errors-org-internal"> <h5 id="authorization-errors-org-internal" data-text="org_internal" tabindex="-1"><code translate="no" dir="ltr">org_internal</code></h5> The OAuth client ID in the request is part of a project limiting access to Google Accounts in a specific <a href="https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#organizations"> Google Cloud Organization</a>. For more information about this configuration option see the <a href="https://support.google.com/cloud/answer/10311615#user-type">User type</a> section in the Setting up your OAuth consent screen help article. </section> <section aria-labelledby="authorization-errors-invalid-client"> <h5 id="authorization-errors-invalid-client" data-text="invalid_client" tabindex="-1"><code translate="no" dir="ltr">invalid_client</code></h5> The OAuth client secret is incorrect. Review the <a href="/identity/protocols/oauth2/javascript-implicit-flow#creatingcred">OAuth client configuration</a>, including the client ID and secret used for this request. </section> <section aria-labelledby="authorization-errors-invalid-grant"> <h5 id="authorization-errors-invalid-grant" data-text="invalid_grant" tabindex="-1"><code translate="no" dir="ltr">invalid_grant</code></h5> <a href="#offline">When refreshing an access token</a> or using <a href="#incrementalAuth">incremental authorization</a>, the token may have expired or has been invalidated. Authenticate the user again and ask for user consent to obtain new tokens. If you are continuing to see this error, ensure that your application has been configured correctly and that you are using the correct tokens and parameters in your request. Otherwise, the user account may have been deleted or disabled. </section> <section aria-labelledby="authorization-errors-redirect-uri-mismatch"> <h5 id="authorization-errors-redirect-uri-mismatch" data-text="redirect_uri_mismatch" tabindex="-1"><code translate="no" dir="ltr">redirect_uri_mismatch</code></h5> The <code translate="no" dir="ltr">redirect_uri</code> passed in the authorization request does not match an authorized redirect URI for the OAuth client ID. Review authorized redirect URIs in the Google API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>. The <code translate="no" dir="ltr">redirect_uri</code> parameter may refer to the OAuth out-of-band (OOB) flow that has been deprecated and is no longer supported. Refer to the <a href="/identity/protocols/oauth2/resources/oob-migration">migration guide</a> to update your integration. </section> <section aria-labelledby="authorization-errors-invalid-request"> <h5 id="authorization-errors-invalid-request" data-text="invalid_request" tabindex="-1"><code translate="no" dir="ltr">invalid_request</code></h5> There was something wrong with the request you made. This could be due to a number of reasons: <ul> <li>The request was not properly formatted</li> <li>The request was missing required parameters</li> <li> The request uses an authorization method that Google doesn't support. Verify your OAuth integration uses a recommended integration method</li> </ul> </section> </section> <h3 id="handlingresponse" data-text="Step 4: Handle the OAuth 2.0 server response" tabindex="-1">Step 4: Handle the OAuth 2.0 server response</h3> <aside class="note" id="checkstate">Important: Before handling the OAuth 2.0 response on the server, you should confirm that the <code translate="no" dir="ltr">state</code> received from Google matches the <code translate="no" dir="ltr">state</code> sent in the authorization request. This verification helps to ensure that the user, not a malicious script, is making the request and reduces the risk of <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-10.12">CSRF attacks</a>. </aside> The OAuth 2.0 server responds to your application's access request by using the URL specified in the request. If the user approves the access request, then the response contains an authorization code. If the user does not approve the request, the response contains an error message. The authorization code or error message that is returned to the web server appears on the query string, as shown below: An error response: <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> https://oauth2.example.com/auth?error=access_denied</pre></devsite-code> An authorization code response: <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> https://oauth2.example.com/auth?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7</pre></devsite-code> <aside class="note" id="protectauthcode">Important: If your response endpoint renders an HTML page, any resources on that page will be able to see the authorization code in the URL. Scripts can read the URL directly, and the URL in the <code translate="no" dir="ltr">Referer</code> HTTP header may be sent to any or all resources on the page. Carefully consider whether you want to send authorization credentials to all resources on that page (especially third-party scripts such as social plugins and analytics). To avoid this issue, we recommend that the server first handle the request, then redirect to another URL that doesn't include the response parameters.</aside> <h4 id="sample-oauth-2.0-server-response" data-text="Sample OAuth 2.0 server response" tabindex="-1">Sample OAuth 2.0 server response</h4> You can test this flow by clicking on the following sample URL, which requests read-only access to view metadata for files in your Google Drive and read-only access to view your Google Calendar events: <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> <a href="https://accounts.google.com/o/oauth2/v2/auth?scope=https%3A//www.googleapis.com/auth/drive.metadata.readonly%20https%3A//www.googleapis.com/auth/calendar.readonly&state=state_parameter_passthrough_value&redirect_uri=https%3A//oauth2.example.com/code&access_type=offline&response_type=code&client_id=583306224539-atbcaa8ne8g85e8kc006o6vmq99qiid0.apps.googleusercontent.com">https://accounts.google.com/o/oauth2/v2/auth? scope=https%3A//www.googleapis.com/auth/drive.metadata.readonly%20https%3A//www.googleapis.com/auth/calendar.readonly& access_type=offline& include_granted_scopes=true& response_type=code& state=<var translate="no">state_parameter_passthrough_value</var>& redirect_uri=<var translate="no">https%3A//oauth2.example.com/code</var>& client_id=<var translate="no">client_id</var></a></pre></devsite-code> After completing the OAuth 2.0 flow, you should be redirected to <code translate="no" dir="ltr">http://localhost/oauth2callback</code>, which will likely yield a <code translate="no" dir="ltr">404 NOT FOUND</code> error unless your local machine serves a file at that address. The next step provides more detail about the information returned in the URI when the user is redirected back to your application. <h3 id="exchange-authorization-code" data-text="Step 5: Exchange authorization code for refresh and access tokens" tabindex="-1">Step 5: Exchange authorization code for refresh and access tokens</h3> After the web server receives the authorization code, it can exchange the authorization code for an access token. <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php_3" data-text="PHP" tabindex="-1">PHP</h3> To exchange an authorization code for an access token, use the <code translate="no" dir="ltr">fetchAccessTokenWithAuthCode</code> method: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">$access_token = $client->fetchAccessTokenWithAuthCode($_GET['code']);</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="python_3" data-text="Python" tabindex="-1">Python</h3> On your callback page, use the <code translate="no" dir="ltr">google-auth</code> library to verify the authorization server response. Then, use the <code translate="no" dir="ltr">flow.fetch_token</code> method to exchange the authorization code in that response for an access token: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python">state = flask.session['state'] flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file( 'client_secret.json', scopes=['https://www.googleapis.com/auth/drive.metadata.readonly'], state=state) flow.redirect_uri = flask.url_for('oauth2callback', _external=True) authorization_response = flask.request.url flow.fetch_token(authorization_response=authorization_response) # Store the credentials in the session. # ACTION ITEM for developers: # Store user's access and refresh tokens in your data store if # incorporating this code into your real app. credentials = flow.credentials flask.session['credentials'] = { 'token': credentials.token, 'refresh_token': credentials.refresh_token, 'token_uri': credentials.token_uri, 'client_id': credentials.client_id, 'client_secret': credentials.client_secret, 'granted_scopes': credentials.granted_scopes}</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="ruby_3" data-text="Ruby" tabindex="-1">Ruby</h3> On your callback page, use the <code translate="no" dir="ltr">googleauth</code> library to verify the authorization server response. Use the <code translate="no" dir="ltr">authorizer.handle_auth_callback_deferred</code> method to save the authorization code and redirect back to the URL that originally requested authorization. This defers the exchange of the code by temporarily stashing the results in the user's session. <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby"> target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request) redirect target_url</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="node.js_3" data-text="Node.js" tabindex="-1">Node.js</h3> To exchange an authorization code for an access token, use the <code translate="no" dir="ltr">getToken</code> method: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">const url = require('url'); // Receive the callback from Google's OAuth 2.0 server. app.get('/oauth2callback', async (req, res) => { let q = url.parse(req.url, true).query; if (q.error) { // An error response e.g. error=access_denied console.log('Error:' + q.error); } else if (q.state !== req.session.state) { //check state value console.log('State mismatch. Possible CSRF attack'); res.end('State mismatch. Possible CSRF attack'); } else { // Get access and refresh tokens (if access_type is offline) let { tokens } = await oauth2Client.getToken(q.code); oauth2Client.setCredentials(tokens); });</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="httprest_3" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> To exchange an authorization code for an access token, call the <code translate="no" dir="ltr">https://oauth2.googleapis.com/token</code> endpoint and set the following parameters: <table class="responsive"> <thead> <tr> <th colspan="2">Fields</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">client_id</code></td> <td>The client ID obtained from the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>.</td> </tr> <tr> <td><code translate="no" dir="ltr">client_secret</code></td> <td>The client secret obtained from the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a>.</td> </tr> <tr> <td><code translate="no" dir="ltr">code</code></td> <td>The authorization code returned from the initial request.</td> </tr> <tr> <td><code translate="no" dir="ltr">grant_type</code></td> <td><a href="https://tools.ietf.org/html/rfc6749#section-4.1.3">As defined in the OAuth 2.0 specification</a>, this field's value must be set to <code translate="no" dir="ltr">authorization_code</code>.</td> </tr> <tr> <td><code translate="no" dir="ltr">redirect_uri</code></td> <td>One of the redirect URIs listed for your project in the API Console <a href="https://console.developers.google.com/apis/credentials">Credentials page</a> for the given <code translate="no" dir="ltr">client_id</code>.</td> </tr> </tbody> </table> The following snippet shows a sample request: <div></div><devsite-code><pre class="notranslate" dir="ltr" is-upgraded>POST /token HTTP/1.1 Host: oauth2.googleapis.com Content-Type: application/x-www-form-urlencoded code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7& client_id=<var class="apiparam" translate="no">your_client_id</var>& client_secret=<var class="apiparam" translate="no">your_client_secret</var>& redirect_uri=https%3A//oauth2.example.com/code& grant_type=authorization_code</pre></devsite-code> Google responds to this request by returning a JSON object that contains a short-lived access token and a refresh token. Note that the refresh token is only returned if your application set the <code translate="no" dir="ltr">access_type</code> parameter to <code translate="no" dir="ltr">offline</code> in <a href="#creatingclient">the initial request to Google's authorization server</a>. The response contains the following fields: <table class="responsive details"> <thead> <tr> <th colspan="2">Fields</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">access_token</code></td> <td>The token that your application sends to authorize a Google API request.</td> </tr> <tr> <td><code translate="no" dir="ltr">expires_in</code></td> <td>The remaining lifetime of the access token in seconds.</td> </tr> <tr> <td><code translate="no" dir="ltr">refresh_token</code></td> <td>A token that you can use to obtain a new access token. Refresh tokens are valid until the user revokes access. Again, this field is only present in this response if you set the <code translate="no" dir="ltr">access_type</code> parameter to <code translate="no" dir="ltr">offline</code> in the initial request to Google's authorization server. </td> </tr> <tr> <td><code translate="no" dir="ltr">scope</code></td> <td>The scopes of access granted by the <code translate="no" dir="ltr">access_token</code> expressed as a list of space-delimited, case-sensitive strings.</td> </tr> <tr> <td><code translate="no" dir="ltr">token_type</code></td> <td>The type of token returned. At this time, this field's value is always set to <code translate="no" dir="ltr">Bearer</code>.</td> </tr> </tbody> </table> <aside class="key-point">Important: Your application should store both tokens in a secure, long-lived location that is accessible between different invocations of your application. The refresh token enables your application to obtain a new access token if the one that you have expires. As such, if your application loses the refresh token, the user will need to repeat the OAuth 2.0 consent flow so that your application can obtain a new refresh token.</aside> The following snippet shows a sample response: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">{ "access_token": "1/fFAGRNJru1FTz70BzhT3Zg", "expires_in": 3920, "token_type": "Bearer", "scope": "https://www.googleapis.com/auth/drive.metadata.readonly https://www.googleapis.com/auth/calendar.readonly", "refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI" }</pre></devsite-code> <aside class="note">Note: Your application should ignore any unrecognized fields included in the response.</aside> </section> </div> <section aria-labelledby="exchange-errors"> <h4 id="exchange-errors" data-text="Errors" tabindex="-1">Errors</h4> When exchanging the authorization code for an access token you may encounter the following error instead of the expected response. Common error codes and suggested resolutions are listed below. <section aria-labelledby="exchange-errors-invalid-grant"> <h5 id="exchange-errors-invalid-grant" data-text="invalid_grant" tabindex="-1"><code translate="no" dir="ltr">invalid_grant</code></h5> The supplied authorization code is invalid or in the wrong format. Request a new code by <a href="#creatingclient">restarting the OAuth process</a> to prompt the user for consent again. </section> </section> <h3 id="check-granted-scopes" data-text="Step 6: Check which scopes users granted" tabindex="-1">Step 6: Check which scopes users granted</h3> When requesting multiple scopes at once, users may not grant all scopes your app requests. Your app should always check which scopes were granted by the user and handle any denial of scopes by disabling relevant features. Review <a href="/identity/protocols/oauth2/resources/granular-permissions">How to handle granular permissions</a> for more information. <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php_4" data-text="PHP" tabindex="-1">PHP</h3> To check which scopes the user has granted, use the <code translate="no" dir="ltr">getGrantedScope()</code> method: <div></div><devsite-code><pre class="devsite-click-to-copy" lang-php translate="no" dir="ltr" is-upgraded syntax="PHP">// Space-separated string of granted scopes if it exists, otherwise null. $granted_scopes = $client->getOAuth2Service()->getGrantedScope(); // Determine which scopes user granted and build a dictionary $granted_scopes_dict = [ 'Drive' => str_contains($granted_scopes, Google\Service\Drive::DRIVE_METADATA_READONLY), 'Calendar' => str_contains($granted_scopes, Google\Service\Calendar::CALENDAR_READONLY) ];</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="python_4" data-text="Python" tabindex="-1">Python</h3> The returned <code translate="no" dir="ltr">credentials</code> object has a <code translate="no" dir="ltr">granted_scopes</code> property, which is a list of scopes the user has granted to your app. <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python">credentials = flow.credentials flask.session['credentials'] = { 'token': credentials.token, 'refresh_token': credentials.refresh_token, 'token_uri': credentials.token_uri, 'client_id': credentials.client_id, 'client_secret': credentials.client_secret, 'granted_scopes': credentials.granted_scopes}</pre></devsite-code> The following function checks which scopes the user has granted to your app. <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python">def check_granted_scopes(credentials): features = {} if 'https://www.googleapis.com/auth/drive.metadata.readonly' in credentials['granted_scopes']: features['drive'] = True else: features['drive'] = False if 'https://www.googleapis.com/auth/calendar.readonly' in credentials['granted_scopes']: features['calendar'] = True else: features['calendar'] = False return features</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="ruby_4" data-text="Ruby" tabindex="-1">Ruby</h3> When requesting multiple scopes at once, check which scopes were granted through the <code translate="no" dir="ltr">scope</code> property of the <code translate="no" dir="ltr">credentials</code> object. <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby"># User authorized the request. Now, check which scopes were granted. if credentials.scope.include?(Google::Apis::DriveV3::AUTH_DRIVE_METADATA_READONLY) # User authorized read-only Drive activity permission. # Calling the APIs, etc else # User didn't authorize read-only Drive activity permission. # Update UX and application accordingly end # Check if user authorized Calendar read permission. if credentials.scope.include?(Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY) # User authorized Calendar read permission. # Calling the APIs, etc. else # User didn't authorize Calendar read permission. # Update UX and application accordingly end</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="node.js_4" data-text="Node.js" tabindex="-1">Node.js</h3> When requesting multiple scopes at once, check which scopes were granted through the <code translate="no" dir="ltr">scope</code> property of the <code translate="no" dir="ltr">tokens</code> object. <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">// User authorized the request. Now, check which scopes were granted. if (tokens.scope.includes('https://www.googleapis.com/auth/drive.metadata.readonly')) { // User authorized read-only Drive activity permission. // Calling the APIs, etc. } else { // User didn't authorize read-only Drive activity permission. // Update UX and application accordingly } // Check if user authorized Calendar read permission. if (tokens.scope.includes('https://www.googleapis.com/auth/calendar.readonly')) { // User authorized Calendar read permission. // Calling the APIs, etc. } else { // User didn't authorize Calendar read permission. // Update UX and application accordingly }</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="httprest_4" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> To check whether the user has granted your application access to a particular scope, exam the <code translate="no" dir="ltr">scope</code> field in the access token response. The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. For example, the following sample access token response indicates that the user has granted your application access to the read-only Drive activity and Calendar events permissions: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Carbon"> { "access_token": "1/fFAGRNJru1FTz70BzhT3Zg", "expires_in": 3920, "token_type": "Bearer", "scope": "https://www.googleapis.com/auth/drive.metadata.readonly https://www.googleapis.com/auth/calendar.readonly", "refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI" }</pre></devsite-code> </section> </div> <h2 id="callinganapi" data-text="Call Google APIs" tabindex="-1">Call Google APIs</h2> <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php_5" data-text="PHP" tabindex="-1">PHP</h3> Use the access token to call Google APIs by completing the following steps: <ol> <li>If you need to apply an access token to a new <code translate="no" dir="ltr">Google\Client</code> object — for example, if you stored the access token in a user session — use the <code translate="no" dir="ltr">setAccessToken</code> method: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">$client->setAccessToken($access_token);</pre></devsite-code> </li> <li>Build a service object for the API that you want to call. You build a service object by providing an authorized <code translate="no" dir="ltr">Google\Client</code> object to the constructor for the API you want to call. For example, to call the Drive API: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">$drive = new Google\Service\Drive($client);</pre></devsite-code> </li> <li>Make requests to the API service using the <a href="https://github.com/googleapis/google-api-php-client/blob/master/docs/start.md"> interface provided by the service object</a>. For example, to list the files in the authenticated user's Google Drive: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">$files = $drive->files->listFiles(array());</pre></devsite-code> </li> </ol> </section> <section> <h3 class="hide-from-toc" id="python_5" data-text="Python" tabindex="-1">Python</h3> After obtaining an access token, your application can use that token to authorize API requests on behalf of a given user account or service account. Use the user-specific authorization credentials to build a service object for the API that you want to call, and then use that object to make authorized API requests. <ol> <li>Build a service object for the API that you want to call. You build a service object by calling the <code translate="no" dir="ltr">googleapiclient.discovery</code> library's <code translate="no" dir="ltr">build</code> method with the name and version of the API and the user credentials: For example, to call version 3 of the Drive API: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python">from googleapiclient.discovery import build drive = build('drive', 'v2', credentials=credentials)</pre></devsite-code> </li> <li>Make requests to the API service using the <a href="https://github.com/googleapis/google-api-python-client/blob/master/docs/start.md#building-and-calling-a-service" class="external">interface provided by the service object</a>. For example, to list the files in the authenticated user's Google Drive: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python">files = drive.files().list().execute()</pre></devsite-code> </li> </ol> </section> <section> <h3 class="hide-from-toc" id="ruby_5" data-text="Ruby" tabindex="-1">Ruby</h3> After obtaining an access token, your application can use that token to make API requests on behalf of a given user account or service account. Use the user-specific authorization credentials to build a service object for the API that you want to call, and then use that object to make authorized API requests. <ol> <li>Build a service object for the API that you want to call. For example, to call version 3 of the Drive API: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby">drive = Google::Apis::DriveV3::DriveService.new</pre></devsite-code> </li> <li>Set the credentials on the service: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby">drive.authorization = credentials</pre></devsite-code> </li> <li>Make requests to the API service using the <a href="https://github.com/googleapis/google-api-ruby-client" class="external">interface provided by the service object</a>. For example, to list the files in the authenticated user's Google Drive: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby">files = drive.list_files</pre></devsite-code> </li> </ol> Alternately, authorization can be provided on a per-method basis by supplying the <code translate="no" dir="ltr">options</code> parameter to a method: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby">files = drive.list_files(options: { authorization: credentials })</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="node.js_5" data-text="Node.js" tabindex="-1">Node.js</h3> After obtaining an access token and setting it to the <code translate="no" dir="ltr">OAuth2</code> object, use the object to call Google APIs. Your application can use that token to authorize API requests on behalf of a given user account or service account. Build a service object for the API that you want to call. For example, the following code uses the Google Drive API to list filenames in the user's Drive. <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">const { google } = require('googleapis'); // Example of using Google Drive API to list filenames in user's Drive. const drive = google.drive('v3'); drive.files.list({ auth: oauth2Client, pageSize: 10, fields: 'nextPageToken, files(id, name)', }, (err1, res1) => { if (err1) return console.log('The API returned an error: ' + err1); const files = res1.data.files; if (files.length) { console.log('Files:'); files.map((file) => { console.log(`${file.name} (${file.id})`); }); } else { console.log('No files found.'); } });</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="httprest_5" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> After your application obtains an access token, you can use the token to make calls to a Google API on behalf of a given user account if the scope(s) of access required by the API have been granted. To do this, include the access token in a request to the API by including either an <code translate="no" dir="ltr">access_token</code> query parameter or an <code translate="no" dir="ltr">Authorization</code> HTTP header <code translate="no" dir="ltr">Bearer</code> value. When possible, the HTTP header is preferable, because query strings tend to be visible in server logs. In most cases you can use a client library to set up your calls to Google APIs (for example, when <a href="/drive/api/v2/reference#Files">calling the Drive Files API</a>). You can try out all the Google APIs and view their scopes at the <a href="https://developers.google.com/oauthplayground/">OAuth 2.0 Playground</a>. <h4 id="http-get-examples" data-text="HTTP GET examples" tabindex="-1">HTTP GET examples</h4> A call to the <a href="/drive/v2/reference/files/list"> <code translate="no" dir="ltr">drive.files</code></a> endpoint (the Drive Files API) using the <code translate="no" dir="ltr">Authorization: Bearer</code> HTTP header might look like the following. Note that you need to specify your own access token: <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> GET /drive/v2/files HTTP/1.1 Host: www.googleapis.com Authorization: Bearer <var translate="no">access_token</var></pre></devsite-code> Here is a call to the same API for the authenticated user using the <code translate="no" dir="ltr">access_token</code> query string parameter: <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> GET https://www.googleapis.com/drive/v2/files?access_token=<var translate="no">access_token</var></pre></devsite-code> <h4 id="curl-examples" data-text="curl examples" tabindex="-1"><code translate="no" dir="ltr">curl</code> examples</h4> You can test these commands with the <code translate="no" dir="ltr">curl</code> command-line application. Here's an example that uses the HTTP header option (preferred): <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> curl -H "Authorization: Bearer <var translate="no">access_token</var>" https://www.googleapis.com/drive/v2/files</pre></devsite-code> Or, alternatively, the query string parameter option: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> curl https://www.googleapis.com/drive/v2/files?access_token=<var translate="no">access_token</var></pre></devsite-code> </section> </div> <h2 id="example" data-text="Complete example" tabindex="-1">Complete example</h2> The following example prints a JSON-formatted list of files in a user's Google Drive after the user authenticates and gives consent for the application to access the user's Drive metadata. <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php_6" data-text="PHP" tabindex="-1">PHP</h3> To run this example: <ol> <li>In the API Console, add the URL of the local machine to the list of redirect URLs. For example, add <code translate="no" dir="ltr">http://localhost:8080</code>.</li> <li>Create a new directory and change to it. For example: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> mkdir ~/php-oauth2-example cd ~/php-oauth2-example</pre></devsite-code></li> <li>Install the <a href="https://github.com/googleapis/google-api-php-client">Google API Client Library for PHP</a> using <a href="https://getcomposer.org/">Composer</a>: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> composer require google/apiclient:^2.15.0</pre></devsite-code></li> <li>Create the files <code translate="no" dir="ltr">index.php</code> and <code translate="no" dir="ltr">oauth2callback.php</code> with the following content.</li> <li>Run the example with the PHP's built-in test web server: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> php -S localhost:8080 ~/php-oauth2-example</pre></devsite-code></li> </ol> <h4 id="index.php" data-text="index.php" tabindex="-1">index.php</h4> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP"><?php require_once __DIR__.'/vendor/autoload.php'; session_start(); $client = new Google\Client(); $client->setAuthConfig('client_secret.json'); // User granted permission as an access token is in the session. if (isset($_SESSION['access_token']) && $_SESSION['access_token']) { $client->setAccessToken($_SESSION['access_token']); // Check if user granted Drive permission if ($_SESSION['granted_scopes_dict']['Drive']) { echo "Drive feature is enabled."; echo ""; $drive = new Drive($client); $files = array(); $response = $drive->files->listFiles(array()); foreach ($response->files as $file) { echo "File: " . $file->name . " (" . $file->id . ")"; echo ""; } } else { echo "Drive feature is NOT enabled."; echo ""; } // Check if user granted Calendar permission if ($_SESSION['granted_scopes_dict']['Calendar']) { echo "Calendar feature is enabled."; echo ""; } else { echo "Calendar feature is NOT enabled."; echo ""; } } else { // Redirect users to outh2call.php which redirects users to Google OAuth 2.0 $redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php'; header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL)); } ?></pre></devsite-code> <h4 id="oauth2callback.php" data-text="oauth2callback.php" tabindex="-1">oauth2callback.php</h4> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP"><?php require_once __DIR__.'/vendor/autoload.php'; session_start(); $client = new Google\Client(); // Required, call the setAuthConfig function to load authorization credentials from // client_secret.json file. $client->setAuthConfigFile('client_secret.json'); $client->setRedirectUri('http://' . $_SERVER['HTTP_HOST']. $_SERVER['PHP_SELF']); // Required, to set the scope value, call the addScope function. $client->addScope([Google\Service\Drive::DRIVE_METADATA_READONLY, Google\Service\Calendar::CALENDAR_READONLY]); // Enable incremental authorization. Recommended as a best practice. $client->setIncludeGrantedScopes(true); // Recommended, offline access will give you both an access and refresh token so that // your app can refresh the access token without user interaction. $client->setAccessType("offline"); // Generate a URL for authorization as it doesn't contain code and error if (!isset($_GET['code']) && !isset($_GET['error'])) { // Generate and set state value $state = bin2hex(random_bytes(16)); $client->setState($state); $_SESSION['state'] = $state; // Generate a url that asks permissions. $auth_url = $client->createAuthUrl(); header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL)); } // User authorized the request and authorization code is returned to exchange access and // refresh tokens. if (isset($_GET['code'])) { // Check the state value if (!isset($_GET['state']) || $_GET['state'] !== $_SESSION['state']) { die('State mismatch. Possible CSRF attack.'); } // Get access and refresh tokens (if access_type is offline) $token = $client->fetchAccessTokenWithAuthCode($_GET['code']); /** Save access and refresh token to the session variables. * ACTION ITEM: In a production app, you likely want to save the * refresh token in a secure persistent storage instead. */ $_SESSION['access_token'] = $token; $_SESSION['refresh_token'] = $client->getRefreshToken(); // Space-separated string of granted scopes if it exists, otherwise null. $granted_scopes = $client->getOAuth2Service()->getGrantedScope(); // Determine which scopes user granted and build a dictionary $granted_scopes_dict = [ 'Drive' => str_contains($granted_scopes, Google\Service\Drive::DRIVE_METADATA_READONLY), 'Calendar' => str_contains($granted_scopes, Google\Service\Calendar::CALENDAR_READONLY) ]; $_SESSION['granted_scopes_dict'] = $granted_scopes_dict; $redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/'; header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL)); } // An error response e.g. error=access_denied if (isset($_GET['error'])) { echo "Error: ". $_GET['error']; } ?></pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="python_6" data-text="Python" tabindex="-1">Python</h3> This example uses the <a href="https://palletsprojects.com/p/flask/">Flask</a> framework. It runs a web application at <code translate="no" dir="ltr">http://localhost:8080</code> that lets you test the OAuth 2.0 flow. If you go to that URL, you should see five links: <ul> <li>Call Drive API: This link points to a page that tries to execute a sample API request if users granted the permission. If necessary, it starts the authorization flow. If successful, the page displays the API response.</li> <li>Mock page to call Calendar API: This link points to a maockpage that tries to execute a sample Calendar API request if users granted the permission. If necessary, it starts the authorization flow. If successful, the page displays the API response.</li> <li>Test the auth flow directly: This link points to a page that tries to send the user through the <a href="#redirecting">authorization flow</a>. The app requests permission to submit authorized API requests on the user's behalf.</li> <li>Revoke current credentials: This link points to a page that <a href="#tokenrevoke"> revokes</a> permissions that the user has already granted to the application.</li> <li>Clear Flask session credentials: This link clears authorization credentials that are stored in the Flask session. This lets you see what would happen if a user who had already granted permission to your app tried to execute an API request in a new session. It also lets you see the API response your app would get if a user had revoked permissions granted to your app, and your app still tried to authorize a request with a revoked access token.</li> </ul> <aside class="note">Note: To run this code locally, you must have followed the directions in the <a href="#prerequisites">prerequisites</a> section, including setting <code translate="no" dir="ltr">http://localhost:8080</code> as a valid redirect URI for your credentials and downloading the client_secret.json file for those credentials to your working directory.</aside> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python"># -*- coding: utf-8 -*- import os import flask import requests import google.oauth2.credentials import google_auth_oauthlib.flow import googleapiclient.discovery # This variable specifies the name of a file that contains the OAuth 2.0 # information for this application, including its client_id and client_secret. CLIENT_SECRETS_FILE = "client_secret.json" # The OAuth 2.0 access scope allows for access to the # authenticated user's account and requires requests to use an SSL connection. SCOPES = ['https://www.googleapis.com/auth/drive.metadata.readonly', 'https://www.googleapis.com/auth/calendar.readonly'] API_SERVICE_NAME = 'drive' API_VERSION = 'v2' app = flask.Flask(__name__) # Note: A secret key is included in the sample so that it works. # If you use this code in your application, replace this with a truly secret # key. See https://flask.palletsprojects.com/quickstart/#sessions. app.secret_key = 'REPLACE ME - this value is here as a placeholder.' @app.route('/') def index(): return print_index_table() @app.route('/drive') def drive_api_request(): if 'credentials' not in flask.session: return flask.redirect('authorize') features = flask.session['features'] if features['drive']: # Load credentials from the session. credentials = google.oauth2.credentials.Credentials( **flask.session['credentials']) drive = googleapiclient.discovery.build( API_SERVICE_NAME, API_VERSION, credentials=credentials) files = drive.files().list().execute() # Save credentials back to session in case access token was refreshed. # ACTION ITEM: In a production app, you likely want to save these # credentials in a persistent database instead. flask.session['credentials'] = credentials_to_dict(credentials) return flask.jsonify(**files) else: # User didn't authorize read-only Drive activity permission. # Update UX and application accordingly return 'Drive feature is not enabled.' @app.route('/calendar') def calendar_api_request(): if 'credentials' not in flask.session: return flask.redirect('authorize') features = flask.session['features'] if features['calendar']: # User authorized Calendar read permission. # Calling the APIs, etc. return ('User granted the Google Calendar read permission. '+ 'This sample code does not include code to call Calendar') else: # User didn't authorize Calendar read permission. # Update UX and application accordingly return 'Calendar feature is not enabled.' @app.route('/authorize') def authorize(): # Create flow instance to manage the OAuth 2.0 Authorization Grant Flow steps. flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file( CLIENT_SECRETS_FILE, scopes=SCOPES) # The URI created here must exactly match one of the authorized redirect URIs # for the OAuth 2.0 client, which you configured in the API Console. If this # value doesn't match an authorized URI, you will get a 'redirect_uri_mismatch' # error. flow.redirect_uri = flask.url_for('oauth2callback', _external=True) authorization_url, state = flow.authorization_url( # Enable offline access so that you can refresh an access token without # re-prompting the user for permission. Recommended for web server apps. access_type='offline', # Enable incremental authorization. Recommended as a best practice. include_granted_scopes='true') # Store the state so the callback can verify the auth server response. flask.session['state'] = state return flask.redirect(authorization_url) @app.route('/oauth2callback') def oauth2callback(): # Specify the state when creating the flow in the callback so that it can # verified in the authorization server response. state = flask.session['state'] flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file( CLIENT_SECRETS_FILE, scopes=SCOPES, state=state) flow.redirect_uri = flask.url_for('oauth2callback', _external=True) # Use the authorization server's response to fetch the OAuth 2.0 tokens. authorization_response = flask.request.url flow.fetch_token(authorization_response=authorization_response) # Store credentials in the session. # ACTION ITEM: In a production app, you likely want to save these # credentials in a persistent database instead. credentials = flow.credentials credentials = credentials_to_dict(credentials) flask.session['credentials'] = credentials # Check which scopes user granted features = check_granted_scopes(credentials) flask.session['features'] = features return flask.redirect('/') @app.route('/revoke') def revoke(): if 'credentials' not in flask.session: return ('You need to <a href="/authorize">authorize</a> before ' + 'testing the code to revoke credentials.') credentials = google.oauth2.credentials.Credentials( **flask.session['credentials']) revoke = requests.post('https://oauth2.googleapis.com/revoke', params={'token': credentials.token}, headers = {'content-type': 'application/x-www-form-urlencoded'}) status_code = getattr(revoke, 'status_code') if status_code == 200: return('Credentials successfully revoked.' + print_index_table()) else: return('An error occurred.' + print_index_table()) @app.route('/clear') def clear_credentials(): if 'credentials' in flask.session: del flask.session['credentials'] return ('Credentials have been cleared. ' + print_index_table()) def credentials_to_dict(credentials): return {'token': credentials.token, 'refresh_token': credentials.refresh_token, 'token_uri': credentials.token_uri, 'client_id': credentials.client_id, 'client_secret': credentials.client_secret, 'granted_scopes': credentials.granted_scopes} def check_granted_scopes(credentials): features = {} if 'https://www.googleapis.com/auth/drive.metadata.readonly' in credentials['granted_scopes']: features['drive'] = True else: features['drive'] = False if 'https://www.googleapis.com/auth/calendar.readonly' in credentials['granted_scopes']: features['calendar'] = True else: features['calendar'] = False return features def print_index_table(): return ('<table>' + '<tr><td><a href="/test">Test an API request</a></td>' + '<td>Submit an API request and see a formatted JSON response. ' + ' Go through the authorization flow if there are no stored ' + ' credentials for the user.</td></tr>' + '<tr><td><a href="/authorize">Test the auth flow directly</a></td>' + '<td>Go directly to the authorization flow. If there are stored ' + ' credentials, you still might not be prompted to reauthorize ' + ' the application.</td></tr>' + '<tr><td><a href="/revoke">Revoke current credentials</a></td>' + '<td>Revoke the access token associated with the current user ' + ' session. After revoking credentials, if you go to the test ' + ' page, you should see an <code>invalid_grant</code> error.' + '</td></tr>' + '<tr><td><a href="/clear">Clear Flask session credentials</a></td>' + '<td>Clear the access token currently stored in the user session. ' + ' After clearing the token, if you <a href="/test">test the ' + ' API request</a> again, you should go back to the auth flow.' + '</td></tr></table>') if __name__ == '__main__': # When running locally, disable OAuthlib's HTTPs verification. # ACTION ITEM for developers: # When running in production *do not* leave this option enabled. os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1' # This disables the requested scopes and granted scopes check. # If users only grant partial request, the warning would not be thrown. os.environ['OAUTHLIB_RELAX_TOKEN_SCOPE'] = '1' # Specify a hostname and port that are set as a valid redirect URI # for your API project in the Google API Console. app.run('localhost', 8080, debug=True)</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="ruby_6" data-text="Ruby" tabindex="-1">Ruby</h3> This example uses the <a href="http://www.sinatrarb.com/">Sinatra</a> framework. <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby">require 'googleauth' require 'googleauth/web_user_authorizer' require 'googleauth/stores/redis_token_store' require 'google/apis/drive_v3' require 'google/apis/calendar_v3' require 'sinatra' configure do enable :sessions # Required, call the from_file method to retrieve the client ID from a # client_secret.json file. set :client_id, Google::Auth::ClientId.from_file('/path/to/client_secret.json') # Required, scope value # Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar. scope = ['Google::Apis::DriveV3::AUTH_DRIVE_METADATA_READONLY', 'Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY'] # Required, Authorizers require a storage instance to manage long term persistence of # access and refresh tokens. set :token_store, Google::Auth::Stores::RedisTokenStore.new(redis: Redis.new) # Required, indicate where the API server will redirect the user after the user completes # the authorization flow. The redirect URI is required. The value must exactly # match one of the authorized redirect URIs for the OAuth 2.0 client, which you # configured in the API Console. If this value doesn't match an authorized URI, # you will get a 'redirect_uri_mismatch' error. set :callback_uri, '/oauth2callback' # To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI # from the client_secret.json file. To get these credentials for your application, visit # https://console.cloud.google.com/apis/credentials. set :authorizer, Google::Auth::WebUserAuthorizer.new(settings.client_id, settings.scope, settings.token_store, callback_uri: settings.callback_uri) end get '/' do # NOTE: Assumes the user is already authenticated to the app user_id = request.session['user_id'] # Fetch stored credentials for the user from the given request session. # nil if none present credentials = settings.authorizer.get_credentials(user_id, request) if credentials.nil? # Generate a url that asks the user to authorize requested scope(s). # Then, redirect user to the url. redirect settings.authorizer.get_authorization_url(request: request) end # User authorized the request. Now, check which scopes were granted. if credentials.scope.include?(Google::Apis::DriveV3::AUTH_DRIVE_METADATA_READONLY) # User authorized read-only Drive activity permission. # Example of using Google Drive API to list filenames in user's Drive. drive = Google::Apis::DriveV3::DriveService.new files = drive.list_files(options: { authorization: credentials }) "<pre>#{JSON.pretty_generate(files.to_h)}</pre>" else # User didn't authorize read-only Drive activity permission. # Update UX and application accordingly end # Check if user authorized Calendar read permission. if credentials.scope.include?(Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY) # User authorized Calendar read permission. # Calling the APIs, etc. else # User didn't authorize Calendar read permission. # Update UX and application accordingly end end # Receive the callback from Google's OAuth 2.0 server. get '/oauth2callback' do # Handle the result of the oauth callback. Defers the exchange of the code by # temporarily stashing the results in the user's session. target_url = Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request) redirect target_url end</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="node.js_6" data-text="Node.js" tabindex="-1">Node.js</h3> To run this example: <ol> <li> In the API Console, add the URL of the local machine to the list of redirect URLs. For example, add <code translate="no" dir="ltr">http://localhost</code>. </li> <li> Make sure you have maintenance LTS, active LTS, or current release of Node.js installed. </li> <li> Create a new directory and change to it. For example: <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> mkdir ~/nodejs-oauth2-example cd ~/nodejs-oauth2-example</pre></devsite-code> </li> <li> Install the <a href="https://github.com/googleapis/google-api-nodejs-client">Google API Client Library</a> for Node.js using <a href="https://www.npmjs.com/">npm</a>: <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded>npm install googleapis</pre></devsite-code> </li> <li> Create the files <code translate="no" dir="ltr">main.js</code> with the following content. </li> <li> Run the example: <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded>node .\main.js</pre></devsite-code> </li> </ol> <h4 id="main.js" data-text="main.js" tabindex="-1">main.js</h4> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">const http = require('http'); const https = require('https'); const url = require('url'); const { google } = require('googleapis'); const crypto = require('crypto'); const express = require('express'); const session = require('express-session'); /** * To use OAuth2 authentication, we need access to a CLIENT_ID, CLIENT_SECRET, AND REDIRECT_URI. * To get these credentials for your application, visit * https://console.cloud.google.com/apis/credentials. */ const oauth2Client = new google.auth.OAuth2( YOUR_CLIENT_ID, YOUR_CLIENT_SECRET, YOUR_REDIRECT_URL ); // Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar. const scopes = [ 'https://www.googleapis.com/auth/drive.metadata.readonly', 'https://www.googleapis.com/auth/calendar.readonly' ]; /* Global variable that stores user credential in this code example. * ACTION ITEM for developers: * Store user's refresh token in your data store if * incorporating this code into your real app. * For more information on handling refresh tokens, * see https://github.com/googleapis/google-api-nodejs-client#handling-refresh-tokens */ let userCredential = null; async function main() { const app = express(); app.use(session({ secret: 'your_secure_secret_key', // Replace with a strong secret resave: false, saveUninitialized: false, })); // Example on redirecting user to Google's OAuth 2.0 server. app.get('/', async (req, res) => { // Generate a secure random state value. const state = crypto.randomBytes(32).toString('hex'); // Store state in the session req.session.state = state; // Generate a url that asks permissions for the Drive activity and Google Calendar scope const authorizationUrl = oauth2Client.generateAuthUrl({ // 'online' (default) or 'offline' (gets refresh_token) access_type: 'offline', /** Pass in the scopes array defined above. * Alternatively, if only one scope is needed, you can pass a scope URL as a string */ scope: scopes, // Enable incremental authorization. Recommended as a best practice. include_granted_scopes: true, // Include the state parameter to reduce the risk of CSRF attacks. state: state }); res.redirect(authorizationUrl); }); // Receive the callback from Google's OAuth 2.0 server. app.get('/oauth2callback', async (req, res) => { // Handle the OAuth 2.0 server response let q = url.parse(req.url, true).query; if (q.error) { // An error response e.g. error=access_denied console.log('Error:' + q.error); } else if (q.state !== req.session.state) { //check state value console.log('State mismatch. Possible CSRF attack'); res.end('State mismatch. Possible CSRF attack'); } else { // Get access and refresh tokens (if access_type is offline) let { tokens } = await oauth2Client.getToken(q.code); oauth2Client.setCredentials(tokens); /** Save credential to the global variable in case access token was refreshed. * ACTION ITEM: In a production app, you likely want to save the refresh token * in a secure persistent database instead. */ userCredential = tokens; // User authorized the request. Now, check which scopes were granted. if (tokens.scope.includes('https://www.googleapis.com/auth/drive.metadata.readonly')) { // User authorized read-only Drive activity permission. // Example of using Google Drive API to list filenames in user's Drive. const drive = google.drive('v3'); drive.files.list({ auth: oauth2Client, pageSize: 10, fields: 'nextPageToken, files(id, name)', }, (err1, res1) => { if (err1) return console.log('The API returned an error: ' + err1); const files = res1.data.files; if (files.length) { console.log('Files:'); files.map((file) => { console.log(`${file.name} (${file.id})`); }); } else { console.log('No files found.'); } }); } else { // User didn't authorize read-only Drive activity permission. // Update UX and application accordingly } // Check if user authorized Calendar read permission. if (tokens.scope.includes('https://www.googleapis.com/auth/calendar.readonly')) { // User authorized Calendar read permission. // Calling the APIs, etc. } else { // User didn't authorize Calendar read permission. // Update UX and application accordingly } } }); // Example on revoking a token app.get('/revoke', async (req, res) => { // Build the string for the POST request let postData = "token=" + userCredential.access_token; // Options for POST request to Google's OAuth 2.0 server to revoke a token let postOptions = { host: 'oauth2.googleapis.com', port: '443', path: '/revoke', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData) } }; // Set up the request const postReq = https.request(postOptions, function (res) { res.setEncoding('utf8'); res.on('data', d => { console.log('Response: ' + d); }); }); postReq.on('error', error => { console.log(error) }); // Post the request with data postReq.write(postData); postReq.end(); }); const server = http.createServer(app); server.listen(8080); } main().catch(console.error);</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="httprest_6" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> This Python example uses the <a href="https://palletsprojects.com/p/flask/">Flask</a> framework and the <a href="https://requests.readthedocs.io/">Requests</a> library to demonstrate the OAuth 2.0 web flow. We recommend using the Google API Client Library for Python for this flow. (The example in the Python tab does use the client library.) <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python">import json import flask import requests app = flask.Flask(__name__) # To get these credentials (CLIENT_ID CLIENT_SECRET) and for your application, visit # https://console.cloud.google.com/apis/credentials. CLIENT_ID = '123456789.apps.googleusercontent.com' CLIENT_SECRET = 'abc123' # Read from a file or environmental variable in a real app # Access scopes for two non-Sign-In scopes: Read-only Drive activity and Google Calendar. SCOPE = 'https://www.googleapis.com/auth/drive.metadata.readonly https://www.googleapis.com/auth/calendar.readonly' # Indicate where the API server will redirect the user after the user completes # the authorization flow. The redirect URI is required. The value must exactly # match one of the authorized redirect URIs for the OAuth 2.0 client, which you # configured in the API Console. If this value doesn't match an authorized URI, # you will get a 'redirect_uri_mismatch' error. REDIRECT_URI = 'http://example.com/oauth2callback' @app.route('/') def index(): if 'credentials' not in flask.session: return flask.redirect(flask.url_for('oauth2callback')) credentials = json.loads(flask.session['credentials']) if credentials['expires_in'] <= 0: return flask.redirect(flask.url_for('oauth2callback')) else: # User authorized the request. Now, check which scopes were granted. if 'https://www.googleapis.com/auth/drive.metadata.readonly' in credentials['scope']: # User authorized read-only Drive activity permission. # Example of using Google Drive API to list filenames in user's Drive. headers = {'Authorization': 'Bearer {}'.format(credentials['access_token'])} req_uri = 'https://www.googleapis.com/drive/v2/files' r = requests.get(req_uri, headers=headers).text else: # User didn't authorize read-only Drive activity permission. # Update UX and application accordingly r = 'User did not authorize Drive permission.' # Check if user authorized Calendar read permission. if 'https://www.googleapis.com/auth/calendar.readonly' in credentials['scope']: # User authorized Calendar read permission. # Calling the APIs, etc. r += 'User authorized Calendar permission.' else: # User didn't authorize Calendar read permission. # Update UX and application accordingly r += 'User did not authorize Calendar permission.' return r @app.route('/oauth2callback') def oauth2callback(): if 'code' not in flask.request.args: state = str(uuid.uuid4()) flask.session['state'] = state # Generate a url that asks permissions for the Drive activity # and Google Calendar scope. Then, redirect user to the url. auth_uri = ('https://accounts.google.com/o/oauth2/v2/auth?response_type=code' '&client_id={}&redirect_uri={}&scope={}&state={}').format(CLIENT_ID, REDIRECT_URI, SCOPE, state) return flask.redirect(auth_uri) else: if 'state' not in flask.request.args or flask.request.args['state'] != flask.session['state']: return 'State mismatch. Possible CSRF attack.', 400 auth_code = flask.request.args.get('code') data = {'code': auth_code, 'client_id': CLIENT_ID, 'client_secret': CLIENT_SECRET, 'redirect_uri': REDIRECT_URI, 'grant_type': 'authorization_code'} # Exchange authorization code for access and refresh tokens (if access_type is offline) r = requests.post('https://oauth2.googleapis.com/token', data=data) flask.session['credentials'] = r.text return flask.redirect(flask.url_for('index')) if __name__ == '__main__': import uuid app.secret_key = str(uuid.uuid4()) app.debug = False app.run()</pre></devsite-code> </section> </div> <h2 id="uri-validation" data-text="Redirect URI validation rules" tabindex="-1">Redirect URI validation rules</h2> Google applies the following validation rules to redirect URIs in order to help developers keep their applications secure. Your redirect URIs must adhere to these rules. See <a href="https://tools.ietf.org/html/rfc3986#section-3">RFC 3986 section 3</a> for the definition of domain, host, path, query, scheme and userinfo, mentioned below. <table> <thead> <tr> <th colspan="2">Validation rules</th> </tr> </thead> <tbody> <tr id="no-http-scheme"> <td><a href="https://tools.ietf.org/html/rfc3986#section-3.1">Scheme</a></td> <td> Redirect URIs must use the HTTPS scheme, not plain HTTP. Localhost URIs (including localhost IP address URIs) are exempt from this rule. </td> </tr> <tr id="no-raw-ip-host"> <td><a href="https://tools.ietf.org/html/rfc3986#section-3.2.2">Host</a></td> <td> Hosts cannot be raw IP addresses. Localhost IP addresses are exempted from this rule. </td> </tr> <tr id="no-shortened-url"> <td><a href="https://tools.ietf.org/html/rfc1034">Domain</a></td> <td> <li>Host TLDs (<a href="https://tools.ietf.org/id/draft-liman-tld-names-00.html">Top Level Domains</a>) must belong to the <a href="https://publicsuffix.org/list/">public suffix list</a>.</li> <li>Host domains cannot be <code translate="no" dir="ltr">“googleusercontent.com”</code>.</li> <li>Redirect URIs cannot contain URL shortener domains (e.g. <code translate="no" dir="ltr">goo.gl</code>) unless the app owns the domain. Furthermore, if an app that owns a shortener domain chooses to redirect to that domain, that redirect URI must either contain <code translate="no" dir="ltr">“/google-callback/”</code> in its path or end with <code translate="no" dir="ltr">“/google-callback”</code>.</li> </td> </tr> <tr id="no-userinfo"> <td><a href="https://tools.ietf.org/html/rfc3986#section-3.2.1">Userinfo</a></td> <td> Redirect URIs cannot contain the userinfo subcomponent. </td> </tr> <tr id="path-restrictions"> <td><a href="https://tools.ietf.org/html/rfc3986#section-3.3">Path</a></td> <td> Redirect URIs cannot contain a path traversal (also called directory backtracking), which is represented by an <code translate="no" dir="ltr">“/..”</code> or <code translate="no" dir="ltr">“\..”</code> or their URL encoding. </td> </tr> <tr id="query-restrictions"> <td><a href="https://tools.ietf.org/html/rfc3986#section-3.4">Query</a></td> <td> Redirect URIs cannot contain <a href="https://tools.ietf.org/html/rfc6749#section-10.15">open redirects</a>. </td> </tr> <tr id="no-fragments"> <td><a href="https://tools.ietf.org/html/rfc3986#section-3.5">Fragment</a></td> <td> Redirect URIs cannot contain the fragment component. </td> </tr> <tr id="disallowed-chars"> <td>Characters</td> <td> Redirect URIs cannot contain certain characters including: <ul> <li>Wildcard characters (<code translate="no" dir="ltr">'*'</code>)</li> <li>Non-printable ASCII characters</li> <li>Invalid percent encodings (any percent encoding that does not follow URL-encoding form of a percent sign followed by two hexadecimal digits)</li> <li>Null characters (an encoded NULL character, e.g., <code translate="no" dir="ltr">%00</code>, <code translate="no" dir="ltr">%C0%80</code>)</li> </ul> </td> </tr> </tbody> </table> <h2 id="incrementalAuth" data-text="Incremental authorization" tabindex="-1">Incremental authorization</h2> In the OAuth 2.0 protocol, your app requests authorization to access resources, which are identified by scopes. It is considered a best user-experience practice to request authorization for resources at the time you need them. To enable that practice, Google's authorization server supports incremental authorization. This feature lets you request scopes as they are needed and, if the user grants permission for the new scope, returns an authorization code that may be exchanged for a token containing all scopes the user has granted the project. For example, an app that lets people sample music tracks and create mixes might need very few resources at sign-in time, perhaps nothing more than the name of the person signing in. However, saving a completed mix would require access to their Google Drive. Most people would find it natural if they only were asked for access to their Google Drive at the time the app actually needed it. In this case, at sign-in time the app might request the <code translate="no" dir="ltr">openid</code> and <code translate="no" dir="ltr">profile</code> scopes to perform basic sign-in, and then later request the <code translate="no" dir="ltr">https://www.googleapis.com/auth/drive.file</code> scope at the time of the first request to save a mix. To implement incremental authorization, you complete the normal flow for requesting an access token but make sure that the authorization request includes previously granted scopes. This approach allows your app to avoid having to manage multiple access tokens. The following rules apply to an access token obtained from an incremental authorization: <ul> <li>The token can be used to access resources corresponding to any of the scopes rolled into the new, combined authorization.</li> <li>When you use the refresh token for the combined authorization to obtain an access token, the access token represents the combined authorization and can be used for any of the <code translate="no" dir="ltr">scope</code> values included in the response.</li> <li>The combined authorization includes all scopes that the user granted to the API project even if the grants were requested from different clients. For example, if a user granted access to one scope using an application's desktop client and then granted another scope to the same application via a mobile client, the combined authorization would include both scopes.</li> <li>If you revoke a token that represents a combined authorization, access to all of that authorization's scopes on behalf of the associated user are revoked simultaneously.</li> </ul> <aside class="caution">Caution: choosing to include granted scopes will automatically add scopes previously granted by the user to your authorization request. A warning or error page may be displayed if your app is not currently approved to request all scopes that may be returned in the response. See <a href="https://support.google.com/cloud/answer/7454865" class="external">Unverified apps</a> for more information.</aside> The language-specific code samples in <a href="#creatingclient">Step 1: Set authorization parameters</a> and the sample HTTP/REST redirect URL in <a href="#redirecting">Step 2: Redirect to Google's OAuth 2.0 server</a> all use incremental authorization. The code samples below also show the code that you need to add to use incremental authorization. <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php_7" data-text="PHP" tabindex="-1">PHP</h3> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">$client->setIncludeGrantedScopes(true);</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="python_7" data-text="Python" tabindex="-1">Python</h3> In Python, set the <code translate="no" dir="ltr">include_granted_scopes</code> keyword argument to <code translate="no" dir="ltr">true</code> to ensure that an authorization request includes previously granted scopes. It is very possible that <code translate="no" dir="ltr">include_granted_scopes</code> will not be the only keyword argument that you set, as shown in the example below. <div></div><devsite-code><pre class="devsite-click-to-copy devsite-code-highlight" translate="no" dir="ltr" is-upgraded syntax="Python">authorization_url, state = flow.authorization_url( # Enable offline access so that you can refresh an access token without # re-prompting the user for permission. Recommended for web server apps. access_type='offline', # Enable incremental authorization. Recommended as a best practice. include_granted_scopes='true')</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="ruby_7" data-text="Ruby" tabindex="-1">Ruby</h3> <div></div><devsite-code><pre class="devsite-click-to-copy devsite-code-highlight" translate="no" dir="ltr" is-upgraded syntax="Ruby">auth_client.update!( :additional_parameters => {"include_granted_scopes" => "true"} )</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="node.js_7" data-text="Node.js" tabindex="-1">Node.js</h3> <div></div><devsite-code><pre class="devsite-click-to-copy devsite-code-highlight" translate="no" dir="ltr" is-upgraded syntax="JavaScript">const authorizationUrl = oauth2Client.generateAuthUrl({ // 'online' (default) or 'offline' (gets refresh_token) access_type: 'offline', /** Pass in the scopes array defined above. * Alternatively, if only one scope is needed, you can pass a scope URL as a string */ scope: scopes, // Enable incremental authorization. Recommended as a best practice. include_granted_scopes: true });</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="httprest_7" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded>GET https://accounts.google.com/o/oauth2/v2/auth? client_id=your_client_id& response_type=code& state=state_parameter_passthrough_value& scope=https%3A//www.googleapis.com/auth/drive.metadata.readonly%20https%3A//www.googleapis.com/auth/calendar.readonly& redirect_uri=https%3A//oauth2.example.com/code& prompt=consent& include_granted_scopes=true</pre></devsite-code> </section> </div> <h2 id="offline" data-text="Refreshing an access token (offline access)" tabindex="-1">Refreshing an access token (offline access)</h2> Access tokens periodically expire and become invalid credentials for a related API request. You can refresh an access token without prompting the user for permission (including when the user is not present) if you requested offline access to the scopes associated with the token. <ul> <li> If you use a Google API Client Library, the <a href="#creatingclient">client object</a> refreshes the access token as needed as long as you configure that object for offline access. </li> <li>If you are not using a client library, you need to set the <code translate="no" dir="ltr">access_type</code> HTTP query parameter to <code translate="no" dir="ltr">offline</code> when <a href="#redirecting">redirecting the user to Google's OAuth 2.0 server</a>. In that case, Google's authorization server returns a refresh token when you <a href="#exchange-authorization-code">exchange an authorization code</a> for an access token. Then, if the access token expires (or at any other time), you can use a refresh token to obtain a new access token.</li> </ul> Requesting offline access is a requirement for any application that needs to access a Google API when the user is not present. For example, an app that performs backup services or executes actions at predetermined times needs to be able to refresh its access token when the user is not present. The default style of access is called <code translate="no" dir="ltr">online</code>. Server-side web applications, installed applications, and devices all obtain refresh tokens during the authorization process. Refresh tokens are not typically used in client-side (JavaScript) web applications. <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php_8" data-text="PHP" tabindex="-1">PHP</h3> If your application needs offline access to a Google API, set the API client's access type to <code translate="no" dir="ltr">offline</code>: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">$client->setAccessType("offline");</pre></devsite-code> After a user grants offline access to the requested scopes, you can continue to use the API client to access Google APIs on the user's behalf when the user is offline. The client object will refresh the access token as needed. </section> <section> <h3 class="hide-from-toc" id="python_8" data-text="Python" tabindex="-1">Python</h3> In Python, set the <code translate="no" dir="ltr">access_type</code> keyword argument to <code translate="no" dir="ltr">offline</code> to ensure that you will be able to refresh the access token without having to re-prompt the user for permission. It is very possible that <code translate="no" dir="ltr">access_type</code> will not be the only keyword argument that you set, as shown in the example below. <div></div><devsite-code><pre class="devsite-click-to-copy devsite-code-highlight" translate="no" dir="ltr" is-upgraded syntax="Python">authorization_url, state = flow.authorization_url( # Enable offline access so that you can refresh an access token without # re-prompting the user for permission. Recommended for web server apps. access_type='offline', # Enable incremental authorization. Recommended as a best practice. include_granted_scopes='true')</pre></devsite-code> After a user grants offline access to the requested scopes, you can continue to use the API client to access Google APIs on the user's behalf when the user is offline. The client object will refresh the access token as needed. </section> <section> <h3 class="hide-from-toc" id="ruby_8" data-text="Ruby" tabindex="-1">Ruby</h3> If your application needs offline access to a Google API, set the API client's access type to <code translate="no" dir="ltr">offline</code>: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby">auth_client.update!( :additional_parameters => {"access_type" => "offline"} )</pre></devsite-code> After a user grants offline access to the requested scopes, you can continue to use the API client to access Google APIs on the user's behalf when the user is offline. The client object will refresh the access token as needed. </section> <section> <h3 class="hide-from-toc" id="node.js_8" data-text="Node.js" tabindex="-1">Node.js</h3> If your application needs offline access to a Google API, set the API client's access type to <code translate="no" dir="ltr">offline</code>: <div></div><devsite-code><pre class="devsite-click-to-copy devsite-code-highlight" translate="no" dir="ltr" is-upgraded syntax="JavaScript">const authorizationUrl = oauth2Client.generateAuthUrl({ // 'online' (default) or 'offline' (gets refresh_token) access_type: 'offline', /** Pass in the scopes array defined above. * Alternatively, if only one scope is needed, you can pass a scope URL as a string */ scope: scopes, // Enable incremental authorization. Recommended as a best practice. include_granted_scopes: true });</pre></devsite-code> After a user grants offline access to the requested scopes, you can continue to use the API client to access Google APIs on the user's behalf when the user is offline. The client object will refresh the access token as needed. Access tokens expire. This library will automatically use a refresh token to obtain a new access token if it is about to expire. An easy way to make sure you always store the most recent tokens is to use the tokens event: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">oauth2Client.on('tokens', (tokens) => { if (tokens.refresh_token) { // store the refresh_token in your secure persistent database console.log(tokens.refresh_token); } console.log(tokens.access_token); });</pre></devsite-code> This tokens event only occurs in the first authorization, and you need to have set your <code translate="no" dir="ltr">access_type</code> to <code translate="no" dir="ltr">offline</code> when calling the <code translate="no" dir="ltr">generateAuthUrl</code> method to receive the refresh token. If you have already given your app the requisiste permissions without setting the appropriate constraints for receiving a refresh token, you will need to re-authorize the application to receive a fresh refresh token. To set the <code translate="no" dir="ltr">refresh_token</code> at a later time, you can use the <code translate="no" dir="ltr">setCredentials</code> method: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">oauth2Client.setCredentials({ refresh_token: `STORED_REFRESH_TOKEN` });</pre></devsite-code> Once the client has a refresh token, access tokens will be acquired and refreshed automatically in the next call to the API. </section> <section> <h3 class="hide-from-toc" id="httprest_8" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> To refresh an access token, your application sends an HTTPS <code class="notranslate" dir="ltr">POST</code> request to Google's authorization server (<code translate="no" dir="ltr">https://oauth2.googleapis.com/token</code>) that includes the following parameters: <table class="responsive"> <thead> <tr> <th colspan="2">Fields</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">client_id</code></td> <td>The client ID obtained from the <a href="https://console.developers.google.com/">API Console</a>.</td> </tr> <tr> <td><code translate="no" dir="ltr">client_secret</code></td> <td>The client secret obtained from the <a href="https://console.developers.google.com/">API Console</a>. </td> </tr> <tr> <td><code translate="no" dir="ltr">grant_type</code></td> <td>As <a href="https://tools.ietf.org/html/rfc6749#section-6" class="external">defined in the OAuth 2.0 specification</a>, this field's value must be set to <code translate="no" dir="ltr">refresh_token</code>.</td> </tr> <tr> <td><code translate="no" dir="ltr">refresh_token</code></td> <td>The refresh token returned from the authorization code exchange.</td> </tr> </tbody> </table> The following snippet shows a sample request: <div></div><devsite-code><pre class="notranslate" dir="ltr" is-upgraded> POST /token HTTP/1.1 Host: oauth2.googleapis.com Content-Type: application/x-www-form-urlencoded client_id=<var translate="no">your_client_id</var>& client_secret=<var translate="no">your_client_secret</var>& refresh_token=<var translate="no">refresh_token</var>& grant_type=refresh_token</pre></devsite-code> As long as the user has not revoked the access granted to the application, the token server returns a JSON object that contains a new access token. The following snippet shows a sample response: <div></div><devsite-code><pre class="devsite-click-to-copy notranslate" dir="ltr" is-upgraded syntax="JavaScript">{ "access_token": "1/fFAGRNJru1FTz70BzhT3Zg", "expires_in": 3920, "scope": "https://www.googleapis.com/auth/drive.metadata.readonly https://www.googleapis.com/auth/calendar.readonly", "token_type": "Bearer" }</pre></devsite-code> Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working. </section> </div> <h2 id="tokenrevoke" data-text="Revoking a token" tabindex="-1">Revoking a token</h2> In some cases a user may wish to revoke access given to an application. A user can revoke access by visiting <a href="https://myaccount.google.com/permissions" class="external"> Account Settings</a>. See the <a href="https://support.google.com/accounts/answer/3466521#remove-access" class="external">Remove site or app access section of the Third-party sites & apps with access to your account</a> support document for more information. It is also possible for an application to programmatically revoke the access given to it. Programmatic revocation is important in instances where a user unsubscribes, removes an application, or the API resources required by an app have significantly changed. In other words, part of the removal process can include an API request to ensure the permissions previously granted to the application are removed. <div class="ds-selector-tabs" data-ds-scope="lang"> <section> <h3 class="hide-from-toc" id="php_9" data-text="PHP" tabindex="-1">PHP</h3> To programmatically revoke a token, call <code translate="no" dir="ltr">revokeToken()</code>: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="PHP">$client->revokeToken();</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="python_9" data-text="Python" tabindex="-1">Python</h3> To programmatically revoke a token, make a request to <code translate="no" dir="ltr">https://oauth2.googleapis.com/revoke</code> that includes the token as a parameter and sets the <code translate="no" dir="ltr">Content-Type</code> header: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python">requests.post('https://oauth2.googleapis.com/revoke', params={'token': credentials.token}, headers = {'content-type': 'application/x-www-form-urlencoded'})</pre></devsite-code> </section> <section> <h3 class="hide-from-toc" id="ruby_9" data-text="Ruby" tabindex="-1">Ruby</h3> To programmatically revoke a token, make an HTTP request to the <code translate="no" dir="ltr">oauth2.revoke</code> endpoint: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Ruby">uri = URI('https://oauth2.googleapis.com/revoke') response = Net::HTTP.post_form(uri, 'token' => auth_client.access_token)</pre></devsite-code> The token can be an access token or a refresh token. If the token is an access token and it has a corresponding refresh token, the refresh token will also be revoked. If the revocation is successfully processed, then the status code of the response is <code translate="no" dir="ltr">200</code>. For error conditions, a status code <code translate="no" dir="ltr">400</code> is returned along with an error code. </section> <section> <h3 class="hide-from-toc" id="node.js_9" data-text="Node.js" tabindex="-1">Node.js</h3> To programmatically revoke a token, make an HTTPS POST request to <code translate="no" dir="ltr">/revoke</code> endpoint: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript">const https = require('https'); // Build the string for the POST request let postData = "token=" + userCredential.access_token; // Options for POST request to Google's OAuth 2.0 server to revoke a token let postOptions = { host: 'oauth2.googleapis.com', port: '443', path: '/revoke', method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': Buffer.byteLength(postData) } }; // Set up the request const postReq = https.request(postOptions, function (res) { res.setEncoding('utf8'); res.on('data', d => { console.log('Response: ' + d); }); }); postReq.on('error', error => { console.log(error) }); // Post the request with data postReq.write(postData); postReq.end();</pre></devsite-code> The token parameter can be an access token or a refresh token. If the token is an access token and it has a corresponding refresh token, the refresh token will also be revoked. If the revocation is successfully processed, then the status code of the response is <code translate="no" dir="ltr">200</code>. For error conditions, a status code <code translate="no" dir="ltr">400</code> is returned along with an error code. </section> <section> <h3 class="hide-from-toc" id="httprest_9" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> To programmatically revoke a token, your application makes a request to <code translate="no" dir="ltr">https://oauth2.googleapis.com/revoke</code> and includes the token as a parameter: <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> curl -d -X -POST --header "Content-type:application/x-www-form-urlencoded" \ https://oauth2.googleapis.com/revoke?token=<var translate="no">{token}</var></pre></devsite-code> The token can be an access token or a refresh token. If the token is an access token and it has a corresponding refresh token, the refresh token will also be revoked. If the revocation is successfully processed, then the HTTP status code of the response is <code translate="no" dir="ltr">200</code>. For error conditions, an HTTP status code <code translate="no" dir="ltr">400</code> is returned along with an error code. </section> </div> <aside class="note">Note: Following a successful revocation response, it might take some time before the revocation has full effect.</aside> <section> <h2 id="cross-account-protection" data-text="Implementing Cross-Account Protection" tabindex="-1">Implementing Cross-Account Protection</h2> An additional step you should take to protect your users' accounts is implementing Cross-Account Protection by utilizing Google's Cross-Account Protection Service. This service lets you subscribe to security event notifications which provide information to your application about major changes to the user account. You can then use the information to take action depending on how you decide to respond to events. Some examples of the event types sent to your app by Google's Cross-Account Protection Service are: <ul> <li> <code translate="no" dir="ltr">https://schemas.openid.net/secevent/risc/event-type/sessions-revoked</code> </li> <li> <code translate="no" dir="ltr">https://schemas.openid.net/secevent/oauth/event-type/token-revoked</code> </li> <li> <code translate="no" dir="ltr">https://schemas.openid.net/secevent/risc/event-type/account-disabled</code> </li> </ul> See the <a href="https://developers.google.com/identity/protocols/risc"> Protect user accounts with Cross-Account Protection page </a> for more information on how to implement Cross Account Protection and for the full list of available events. </section> </div> <devsite-recommendations display="in-page" hidden yield> </devsite-recommendations> <devsite-thumb-rating position="footer"> </devsite-thumb-rating> <devsite-feedback position="footer" project-name="Authorization" product-id="5186570" bucket="Identity guides" context="External devsite feedback" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="footer" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png" > <button> Send feedback </button> </devsite-feedback> <devsite-recommendations id="recommendations-link" yield></devsite-recommendations> <div class="devsite-floating-action-buttons"> </div> </article> <devsite-content-footer class="nocontent"> Except as otherwise noted, the content of this page is licensed under the <a href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 License</a>, and code samples are licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache 2.0 License</a>. For details, see the <a href="https://developers.google.com/site-policies">Google Developers Site Policies</a>. Java is a registered trademark of Oracle and/or its affiliates. Last updated 2024-11-14 UTC. </devsite-content-footer> <devsite-notification > </devsite-notification> <div class="devsite-content-data"> <template class="devsite-thumb-rating-feedback"> <devsite-feedback position="thumb-rating" project-name="Authorization" product-id="5186570" bucket="Identity guides" context="External devsite feedback" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="thumb-rating" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png" > <button> Need to tell us more? </button> </devsite-feedback> </template> <template class="devsite-content-data-template"> [[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-11-14 UTC."],[],[]] </template> </div> </devsite-content> </main> <devsite-footer-promos class="devsite-footer"> <nav class="devsite-footer-promos nocontent" aria-label="Promotions"> <ul class="devsite-footer-promos-list"> <li class="devsite-footer-promo"> <a href="//github.com/googlesamples" class="devsite-footer-promo-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Promo Link (index 1)" > <picture> <img class="devsite-footer-promo-icon" src="/static/site-assets/logo-github.svg" loading="lazy" alt="GitHub"> </picture> GitHub </a> <div class="devsite-footer-promo-description">Fork our samples and try them yourself</div> </li> <li class="devsite-footer-promo"> <a href="//stackoverflow.com/questions/tagged/google-oauth" class="devsite-footer-promo-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Promo Link (index 2)" > <picture> <img class="devsite-footer-promo-icon" src="/static/site-assets/logo-stack-overflow.svg" loading="lazy" alt="Stack Overflow"> </picture> Stack Overflow </a> <div class="devsite-footer-promo-description">Ask a question under the google-oauth tag</div> </li> <li class="devsite-footer-promo"> <a href="//googledevelopers.blogspot.com/search/label/oauth" class="devsite-footer-promo-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Promo Link (index 3)" > <picture> <img class="devsite-footer-promo-icon" src="/static/site-assets/developers_64dp.png" loading="lazy" alt="Blog"> </picture> Blog </a> <div class="devsite-footer-promo-description">The latest news on the Google Developers blog</div> </li> </ul> </nav> </devsite-footer-promos> <devsite-footer-linkboxes class="devsite-footer"> <nav class="devsite-footer-linkboxes nocontent" aria-label="Footer links"> <ul class="devsite-footer-linkboxes-list"> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Product Info</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/terms" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" > Terms of Service </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/terms/api-services-user-data-policy" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" > APIs User Data Policy </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/identity/branding-guidelines" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" > Branding Guidelines </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Stack Overflow</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="https://stackoverflow.com/questions/tagged/google-identity" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" > Google Identity </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//stackoverflow.com/questions/tagged/google-signin" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" > Sign In With Google </a> </li> <li class="devsite-footer-linkbox-item"> <a href="https://stackoverflow.com/questions/tagged/google-oauth" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" > Google OAuth 2.0 and OpenID Connect </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//stackoverflow.com/questions/tagged/account-linking" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" > Google Account Linking </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Developer consoles</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="//console.developers.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" > Google API Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//console.cloud.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" > Google Cloud Platform Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//play.google.com/apps/publish" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" > Google Play Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//console.firebase.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" > Firebase Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//console.actions.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 5)" > Actions on Google Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//cast.google.com/publish" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 6)" > Cast SDK Developer Console </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//chrome.google.com/webstore/developer/dashboard" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 7)" > Chrome Web Store Dashboard </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//console.home.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 8)" > Google Home Developer Console </a> </li> </ul> </li> </ul> </nav> </devsite-footer-linkboxes> <devsite-footer-utility class="devsite-footer"> <div class="devsite-footer-utility nocontent"> <nav class="devsite-footer-sites" aria-label="Other Google Developers websites"> <a href="https://developers.google.com/" class="devsite-footer-sites-logo-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Google Developers Link"> <picture> <img class="devsite-footer-sites-logo" src="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/lockup-google-for-developers.svg" loading="lazy" alt="Google Developers"> </picture> </a> <ul class="devsite-footer-sites-list"> <li class="devsite-footer-sites-item"> <a href="//developer.android.com" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Android Link" > Android </a> </li> <li class="devsite-footer-sites-item"> <a href="//developer.chrome.com/home" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Chrome Link" > Chrome </a> </li> <li class="devsite-footer-sites-item"> <a href="//firebase.google.com" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Firebase Link" > Firebase </a> </li> <li class="devsite-footer-sites-item"> <a href="//cloud.google.com" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Google Cloud Platform Link" > Google Cloud Platform </a> </li> <li class="devsite-footer-sites-item"> <a href="//ai.google.dev/" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Google AI Link" > Google AI </a> </li> <li class="devsite-footer-sites-item"> <a href="/products" class="devsite-footer-sites-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer All products Link" > All products </a> </li> </ul> </nav> <nav class="devsite-footer-utility-links" aria-label="Utility links"> <ul class="devsite-footer-utility-list"> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="/terms/site-terms" data-category="Site-Wide Custom Events" data-label="Footer Terms link" > Terms </a> </li> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="//policies.google.com/privacy" data-category="Site-Wide Custom Events" data-label="Footer Privacy link" > Privacy </a> </li> <li class="devsite-footer-utility-item glue-cookie-notification-bar-control"> <a class="devsite-footer-utility-link gc-analytics-event" href="#" data-category="Site-Wide Custom Events" data-label="Footer Manage cookies link" aria-hidden="true" > Manage cookies </a> </li> <li class="devsite-footer-utility-item devsite-footer-utility-button"> Sign up for the Google for Developers newsletter <a class="devsite-footer-utility-link gc-analytics-event" href="/newsletter/subscribe" data-category="Site-Wide Custom Events" data-label="Footer Subscribe link" > Subscribe </a> </li> </ul> <devsite-language-selector> <ul role="presentation"> <li role="presentation"> <a role="menuitem" lang="en" >English</a> </li> <li role="presentation"> <a role="menuitem" lang="de" >Deutsch</a> </li> <li role="presentation"> <a role="menuitem" lang="es" >Español</a> </li> <li role="presentation"> <a role="menuitem" lang="es_419" >Español – América Latina</a> </li> <li role="presentation"> <a role="menuitem" lang="fr" >Français</a> </li> <li role="presentation"> <a role="menuitem" lang="id" >Indonesia</a> </li> <li role="presentation"> <a role="menuitem" lang="it" >Italiano</a> </li> <li role="presentation"> <a role="menuitem" lang="pl" >Polski</a> </li> <li role="presentation"> <a role="menuitem" lang="pt_br" >Português – Brasil</a> </li> <li role="presentation"> <a role="menuitem" lang="vi" >Tiếng Việt</a> </li> <li role="presentation"> <a role="menuitem" lang="tr" >Türkçe</a> </li> <li role="presentation"> <a role="menuitem" lang="ru" >Русский</a> </li> <li role="presentation"> <a role="menuitem" lang="he" >עברית</a> </li> <li role="presentation"> <a role="menuitem" lang="ar" >العربيّة</a> </li> <li role="presentation"> <a role="menuitem" lang="fa" >فارسی</a> </li> <li role="presentation"> <a role="menuitem" lang="hi" >हिंदी</a> </li> <li role="presentation"> <a role="menuitem" lang="bn" >বাংলা</a> </li> <li role="presentation"> <a role="menuitem" lang="th" >ภาษาไทย</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_cn" >中文 – 简体</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_tw" >中文 – 繁體</a> </li> <li role="presentation"> <a role="menuitem" lang="ja" >日本語</a> </li> <li role="presentation"> <a role="menuitem" lang="ko" >한국어</a> </li> </ul> </devsite-language-selector> </nav> </div> </devsite-footer-utility> <devsite-panel></devsite-panel> <devsite-concierge data-info-panel data-ai-panel data-api-explorer-panel > </devsite-concierge> </section></section> <devsite-sitemask></devsite-sitemask> <devsite-snackbar></devsite-snackbar> <devsite-tooltip ></devsite-tooltip> <devsite-heading-link></devsite-heading-link> <devsite-analytics> <script type="application/json" analytics>[{"dimensions": {"dimension4": "Authorization", "dimension3": false, "dimension1": "Signed out", "dimension5": "en", "dimension11": false, "dimension6": "en"}, "gaid": "UA-24532603-1", "metrics": {"ratings_count": "metric2", "ratings_value": "metric1"}, "purpose": 1}]</script> <script type="application/json" tag-management>{"at": "True", "ga4": [{"id": "G-272J68FCRF", "purpose": 1}], "ga4p": [{"id": "G-272J68FCRF", "purpose": 1}], "gtm": [], "parameters": {"internalUser": "False", "language": {"machineTranslated": "False", "requested": "en", "served": "en"}, "pageType": "article", "projectName": "Authorization", "signedIn": "False", "tenant": "developers", "recommendations": {"sourcePage": "", "sourceType": 0, "sourceRank": 0, "sourceIdenticalDescriptions": 0, "sourceTitleWords": 0, "sourceDescriptionWords": 0, "experiment": ""}, "experiment": {"ids": ""}}}</script> </devsite-analytics> <devsite-badger></devsite-badger> <script nonce="wNt/mTEtVucPUUf1ZUckz1fcPRmfEZ"> (function(d,e,v,s,i,t,E){d['GoogleDevelopersObject']=i; t=e.createElement(v);t.async=1;t.src=s;E=e.getElementsByTagName(v)[0]; E.parentNode.insertBefore(t,E);})(window, document, 'script', 'https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/js/app_loader.js', '[1,"en",null,"/js/devsite_app_module.js","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers","https://developers-dot-devsite-v2-prod.appspot.com",null,null,["/_pwa/developers/manifest.json","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/images/video-placeholder.svg","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/favicon-new.png","https://fonts.googleapis.com/css?family=Google+Sans:400,500|Roboto:400,400italic,500,500italic,700,700italic|Roboto+Mono:400,500,700&display=swap"],1,null,[1,6,8,12,14,17,21,25,50,52,63,70,75,76,80,87,91,92,93,97,98,100,101,102,103,104,105,107,108,109,110,112,113,116,117,118,120,122,124,125,126,127,129,130,131,132,133,134,135,136,138,140,141,147,148,149,151,152,156,157,158,159,161,163,164,168,169,170,179,180,182,183,186,191,193,196],"AIzaSyAP-jjEJBzmIyKR4F-3XITp8yM9T1gEEI8","AIzaSyB6xiKGDR5O3Ak2okS4rLkauxGUG7XP0hg","developers.google.com","AIzaSyAQk0fBONSGUqCNznf6Krs82Ap1-NV6J4o","AIzaSyCCxcqdrZ_7QMeLCRY20bh_SXdAYqy70KY",null,null,null,["Experiments__reqs_query_experiments","Cloud__enable_free_trial_server_call","Concierge__enable_pushui","Profiles__enable_page_saving","Search__enable_dynamic_content_confidential_banner","Search__enable_suggestions_from_borg","Profiles__enable_developer_profiles_callout","MiscFeatureFlags__developers_footer_image","Profiles__enable_public_developer_profiles","BookNav__enable_tenant_cache_key","MiscFeatureFlags__enable_view_transitions","MiscFeatureFlags__enable_project_variables","DevPro__enable_developer_subscriptions","MiscFeatureFlags__developers_footer_dark_image","Cloud__enable_cloudx_ping","MiscFeatureFlags__enable_variable_operator","CloudShell__cloud_code_overflow_menu","MiscFeatureFlags__enable_firebase_utm","Profiles__enable_release_notes_notifications","TpcFeatures__enable_required_headers","Cloud__enable_cloud_shell","Search__enable_ai_search_summaries","Significatio__enable_by_tenant","Profiles__enable_dashboard_curated_recommendations","Profiles__enable_awarding_url","Concierge__enable_concierge_restricted","CloudShell__cloud_shell_button","Search__enable_page_map","MiscFeatureFlags__enable_explain_this_code","MiscFeatureFlags__emergency_css","Profiles__enable_profile_collections","Cloud__enable_cloud_dlp_service","Search__enable_ai_eligibility_checks","Cloud__enable_cloud_facet_chat","Profiles__require_profile_eligibility_for_signin","Search__enable_ai_search_summaries_restricted","TpcFeatures__enable_mirror_tenant_redirects","Profiles__enable_completecodelab_endpoint","Cloud__enable_llm_concierge_chat","Analytics__enable_clearcut_logging","Concierge__enable_concierge","Profiles__enable_complete_playlist_endpoint","EngEduTelemetry__enable_engedu_telemetry","Profiles__enable_recognition_badges","Cloud__enable_cloudx_experiment_ids","DevPro__enable_cloud_innovators_plus","Cloud__enable_cloud_shell_fte_user_flow","Cloud__enable_legacy_calculator_redirect"],null,null,"AIzaSyBLEMok-5suZ67qRPzx0qUtbnLmyT_kCVE","https://developerscontentserving-pa.clients6.google.com","AIzaSyCM4QpTRSqP5qI4Dvjt4OAScIN8sOUlO-k","https://developerscontentsearch-pa.clients6.google.com",1,4,null,"https://developerprofiles-pa.clients6.google.com",[1,"developers","Google for Developers","developers.google.com",null,"developers-dot-devsite-v2-prod.appspot.com",null,null,[1,1,[1],null,null,null,null,null,null,null,null,[1],null,null,null,null,null,null,[1],[1,null,null,[1,20],"/recommendations/information"],null,null,null,[1,1,1],[1,1,null,1,1]],null,[null,null,null,null,null,null,"/images/lockup-new.svg","/images/touchicon-180-new.png",null,null,null,null,1,null,null,null,null,null,null,null,null,1,null,null,null,"/images/lockup-dark-theme-new.svg",[]],[],null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,[6,1,14,15,20,22,23,29,32,36],null,[[null,null,null,[3,7,10,2,39,17,4,32,24,11,12,13,34,15,25],null,null,[1,[["docType","Choose a content type",[["Tutorial",null,null,null,null,null,null,null,null,"Tutorial"],["Guide",null,null,null,null,null,null,null,null,"Guide"],["Sample",null,null,null,null,null,null,null,null,"Sample"]]],["product","Choose a product",[["Android",null,null,null,null,null,null,null,null,"Android"],["ARCore",null,null,null,null,null,null,null,null,"ARCore"],["ChromeOS",null,null,null,null,null,null,null,null,"ChromeOS"],["Firebase",null,null,null,null,null,null,null,null,"Firebase"],["Flutter",null,null,null,null,null,null,null,null,"Flutter"],["Assistant",null,null,null,null,null,null,null,null,"Google Assistant"],["GoogleCloud",null,null,null,null,null,null,null,null,"Google Cloud"],["GoogleMapsPlatform",null,null,null,null,null,null,null,null,"Google Maps Platform"],["GooglePay",null,null,null,null,null,null,null,null,"Google Pay & Google Wallet"],["GooglePlay",null,null,null,null,null,null,null,null,"Google Play"],["Tensorflow",null,null,null,null,null,null,null,null,"TensorFlow"]]],["category","Choose a topic",[["AiAndMachineLearning",null,null,null,null,null,null,null,null,"AI and Machine Learning"],["Data",null,null,null,null,null,null,null,null,"Data"],["Enterprise",null,null,null,null,null,null,null,null,"Enterprise"],["Gaming",null,null,null,null,null,null,null,null,"Gaming"],["Mobile",null,null,null,null,null,null,null,null,"Mobile"],["Web",null,null,null,null,null,null,null,null,"Web"]]]]]],[1,1],null,1],[[["UA-24532603-1"],["UA-22084204-5"],null,null,["UA-24532603-5"],null,null,[["G-272J68FCRF"],null,null,[["G-272J68FCRF",2]]],[["UA-24532603-1",2]],null,[["UA-24532603-5",2]],null,1],[[13,10],[12,9],[11,8],[3,2],[4,3],[16,13],[6,5],[15,12],[5,4],[14,11],[1,1]],[[2,2],[1,1]]],null,4,null,null,null,null,null,null,null,null,null,null,null,null,null,"developers.devsite.google"],null,"pk_live_5170syrHvgGVmSx9sBrnWtA5luvk9BwnVcvIi7HizpwauFG96WedXsuXh790rtij9AmGllqPtMLfhe2RSwD6Pn38V00uBCydV4m"]') </script> <devsite-a11y-announce></devsite-a11y-announce> </body> </html>

CINXE.COM

Using OAuth 2.0 for Web Server Applications | Authorization | Google for Developers