Using OAuth 2.0 for Server to Server Applications | Authorization | Google for Developers
<!doctype html> <html lang="en" dir="ltr"> <head> <meta name="google-signin-client-id" content="721724668570-nbkv1cfusk7kk4eni4pjvepaus73b13t.apps.googleusercontent.com"> <meta name="google-signin-scope" content="profile email https://www.googleapis.com/auth/developerprofiles https://www.googleapis.com/auth/developerprofiles.award"> <meta property="og:site_name" content="Google for Developers"> <meta property="og:type" content="website"><meta name="theme-color" content="#009688"><meta charset="utf-8"> <meta content="IE=Edge" http-equiv="X-UA-Compatible"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="manifest" href="/_pwa/developers/manifest.json" crossorigin="use-credentials"> <link rel="preconnect" href="//www.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.googleapis.com" crossorigin> <link rel="preconnect" href="//apis.google.com" crossorigin> <link rel="preconnect" href="//www.google-analytics.com" crossorigin><link rel="stylesheet" href="//fonts.googleapis.com/css?family=Google+Sans:400,500|Roboto:400,400italic,500,500italic,700,700italic|Roboto+Mono:400,500,700&display=swap"> <link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Material+Icons&family=Material+Symbols+Outlined&display=block"><link rel="stylesheet" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/css/app.css"> <link rel="shortcut icon" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/favicon-new.png"> <link rel="apple-touch-icon" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png"><link rel="canonical" href="https://developers.google.com/identity/protocols/oauth2/service-account"><link rel="search" 
type="application/opensearchdescription+xml" title="Google for Developers" href="https://developers.google.com/s/opensearch.xml"> <link rel="alternate" hreflang="en" href="https://developers.google.com/identity/protocols/oauth2/service-account" /><link rel="alternate" hreflang="x-default" href="https://developers.google.com/identity/protocols/oauth2/service-account" /><link rel="alternate" hreflang="ar" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=ar" /><link rel="alternate" hreflang="bn" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=bn" /><link rel="alternate" hreflang="zh-Hans" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=zh-cn" /><link rel="alternate" hreflang="zh-Hant" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=zh-tw" /><link rel="alternate" hreflang="fa" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=fa" /><link rel="alternate" hreflang="fr" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=fr" /><link rel="alternate" hreflang="de" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=de" /><link rel="alternate" hreflang="he" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=he" /><link rel="alternate" hreflang="hi" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=hi" /><link rel="alternate" hreflang="id" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=id" /><link rel="alternate" hreflang="it" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=it" /><link rel="alternate" hreflang="ja" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=ja" /><link rel="alternate" hreflang="ko" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=ko" /><link 
rel="alternate" hreflang="pl" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=pl" /><link rel="alternate" hreflang="pt-BR" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=pt-br" /><link rel="alternate" hreflang="ru" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=ru" /><link rel="alternate" hreflang="es-419" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=es-419" /><link rel="alternate" hreflang="th" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=th" /><link rel="alternate" hreflang="tr" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=tr" /><link rel="alternate" hreflang="vi" href="https://developers.google.com/identity/protocols/oauth2/service-account?hl=vi" /><title>Using OAuth 2.0 for Server to Server Applications | Authorization | Google for Developers</title> <meta property="og:title" content="Using OAuth 2.0 for Server to Server Applications | Authorization | Google for Developers"><meta property="og:url" content="https://developers.google.com/identity/protocols/oauth2/service-account"><meta property="og:image" content="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/opengraph/teal.png"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="675"><meta property="og:locale" content="en"><meta name="twitter:card" content="summary_large_image"><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "Article", "headline": "Using OAuth 2.0 for Server to Server Applications" } </script><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [{ "@type": "ListItem", "position": 1, "name": "Google Identity", "item": "https://developers.google.com/identity" },{ "@type": 
"ListItem", "position": 2, "name": "Authorization", "item": "https://developers.google.com/identity/authorization" },{ "@type": "ListItem", "position": 3, "name": "Using OAuth 2.0 for Server to Server Applications", "item": "https://developers.google.com/identity/protocols/oauth2/service-account" }] } </script> <link rel="stylesheet" href="/extras.css"></head> <body class="" template="page" theme="teal" type="article" layout="docs" concierge='closed' display-toc pending> <devsite-progress type="indeterminate" id="app-progress"></devsite-progress> <section class="devsite-wrapper">
<devsite-book-nav scrollbars > <div class="devsite-book-nav-filter" > <span class="filter-list-icon material-icons" aria-hidden="true"></span> <input type="text" placeholder="Filter" aria-label="Type to filter" role="searchbox"> <span class="filter-clear-button hidden" data-title="Clear filter" aria-label="Clear filter" role="button" tabindex="0"></span> </div> <nav class="devsite-book-nav devsite-nav nocontent" aria-label="Side menu"> <div class="devsite-mobile-header"> <button type="button" id="devsite-close-nav" class="devsite-header-icon-button button-flat material-icons gc-analytics-event" 
data-category="Site-Wide Custom Events" data-label="Close navigation" aria-label="Close navigation"> </button> <div class="devsite-product-name-wrapper"> <span class="devsite-product-name"> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item devsite-has-google-wordmark"> <a href="https://developers.google.com/identity" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Upper Header" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="Google Identity" > <svg class="devsite-google-wordmark" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 148 48"> <title>Google</title> <path class="devsite-google-wordmark-svg-path" d="M19.58,37.65c-9.87,0-18.17-8.04-18.17-17.91c0-9.87,8.3-17.91,18.17-17.91c5.46,0,9.35,2.14,12.27,4.94l-3.45,3.45c-2.1-1.97-4.93-3.49-8.82-3.49c-7.21,0-12.84,5.81-12.84,13.02c0,7.21,5.64,13.02,12.84,13.02c4.67,0,7.34-1.88,9.04-3.58c1.4-1.4,2.32-3.41,2.66-6.16H19.58v-4.89h16.47c0.18,0.87,0.26,1.92,0.26,3.06c0,3.67-1.01,8.21-4.24,11.44C28.93,35.9,24.91,37.65,19.58,37.65z M61.78,26.12c0,6.64-5.1,11.53-11.36,11.53s-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53S61.78,19.43,61.78,26.12z M56.8,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C53.84,33.11,56.8,30.22,56.8,26.12z M87.25,26.12c0,6.64-5.1,11.53-11.36,11.53c-6.26,0-11.36-4.89-11.36-11.53c0-6.68,5.1-11.53,11.36-11.53C82.15,14.59,87.25,19.43,87.25,26.12zM82.28,26.12c0-4.15-2.96-6.99-6.39-6.99c-3.43,0-6.39,2.84-6.39,6.99c0,4.11,2.96,6.99,6.39,6.99C79.32,33.11,82.28,30.22,82.28,26.12z M112.09,15.29v20.7c0,8.52-5.02,12.01-10.96,12.01c-5.59,0-8.95-3.76-10.22-6.81l4.41-1.83c0.79,1.88,2.71,4.1,5.81,4.1c3.8,0,6.16-2.36,6.16-6.77v-1.66h-0.18c-1.14,1.4-3.32,2.62-6.07,2.62c-5.76,0-11.05-5.02-11.05-11.49c0-6.51,5.28-11.57,11.05-11.57c2.75,0,4.93,1.22,6.07,2.58h0.18v-1.88H112.09z 
M107.64,26.16c0-4.06-2.71-7.03-6.16-7.03c-3.49,0-6.42,2.97-6.42,7.03c0,4.02,2.93,6.94,6.42,6.94C104.93,33.11,107.64,30.18,107.64,26.16z M120.97,3.06v33.89h-5.07V3.06H120.97z M140.89,29.92l3.93,2.62c-1.27,1.88-4.32,5.11-9.61,5.11c-6.55,0-11.28-5.07-11.28-11.53c0-6.86,4.77-11.53,10.71-11.53c5.98,0,8.91,4.76,9.87,7.34l0.52,1.31l-15.42,6.38c1.18,2.31,3.01,3.49,5.59,3.49C137.79,33.11,139.58,31.84,140.89,29.92zM128.79,25.77l10.31-4.28c-0.57-1.44-2.27-2.45-4.28-2.45C132.24,19.04,128.66,21.31,128.79,25.77z"/> </svg>Identity </a> </li> </ul> </span> </div> </div> <div class="devsite-book-nav-wrapper"> <div class="devsite-mobile-nav-top"> <ul class="devsite-nav-list"> <li class="devsite-nav-item"> <a href="/identity/authentication" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Tab: Authentication" track-name="authentication" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authentication" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Authentication </span> </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> <span class="devsite-nav-title" tooltip data-category="Site-Wide Custom Events" data-label="Tab: Authentication" track-name="authentication" > <span class="devsite-nav-text" tooltip menu="Authentication"> More </span> <span class="devsite-nav-icon material-icons" data-icon="forward" menu="Authentication"> </span> </span> </li> </ul> </li> <li class="devsite-nav-item"> <a href="/identity/authorization" class="devsite-nav-title gc-analytics-event devsite-nav-active" data-category="Site-Wide Custom Events" data-label="Tab: Authorization" track-name="authorization" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorization" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" 
tooltip > Authorization </span> </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> <span class="devsite-nav-title" tooltip data-category="Site-Wide Custom Events" data-label="Tab: Authorization" track-name="authorization" > <span class="devsite-nav-text" tooltip menu="Authorization"> More </span> <span class="devsite-nav-icon material-icons" data-icon="forward" menu="Authorization"> </span> </span> </li> </ul> <ul class="devsite-nav-responsive-tabs"> <li class="devsite-nav-item"> <a href="/identity/protocols/oauth2" class="devsite-nav-title gc-analytics-event devsite-nav-has-children devsite-nav-active" data-category="Site-Wide Custom Events" data-label="Tab: OAuth 2.0" track-name="oauth 2.0" data-category="Site-Wide Custom Events" data-label="Responsive Tab: OAuth 2.0" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip menu="_book"> OAuth 2.0 </span> <span class="devsite-nav-icon material-icons" data-icon="forward" menu="_book"> </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/authorization/android" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Android" track-name="android" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Android" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Android </span> <span class="devsite-nav-icon material-icons" data-icon="forward" > </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/oauth2/web/guides/overview" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Web" track-name="web" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Web" track-type="globalNav" track-metadata-eventDetail="globalMenu" 
track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Web </span> <span class="devsite-nav-icon material-icons" data-icon="forward" > </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/account-linking" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Google Account Linking" track-name="google account linking" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Account Linking" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Account Linking </span> <span class="devsite-nav-icon material-icons" data-icon="forward" > </span> </a> </li> </ul> </li> <li class="devsite-nav-item"> <a href="/identity/credential-management" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Credential management" track-name="credential management" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential management" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Credential management </span> <span class="devsite-nav-icon material-icons" data-icon="forward" > </span> </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> <span class="devsite-nav-title" tooltip data-category="Site-Wide Custom Events" data-label="Tab: Credential management" track-name="credential management" > <span class="devsite-nav-text" tooltip menu="Credential management"> More </span> <span class="devsite-nav-icon material-icons" data-icon="forward" menu="Credential management"> </span> </span> </li> </ul> </li> <li class="devsite-nav-item"> <a href="/identity/credential-verification" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" 
data-label="Tab: Credential verification" track-name="credential verification" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential verification" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Credential verification </span> </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> <span class="devsite-nav-title" tooltip data-category="Site-Wide Custom Events" data-label="Tab: Credential verification" track-name="credential verification" > <span class="devsite-nav-text" tooltip menu="Credential verification"> More </span> <span class="devsite-nav-icon material-icons" data-icon="forward" menu="Credential verification"> </span> </span> </li> </ul> </li> </ul> </div> <div class="devsite-mobile-nav-bottom"> <ul class="devsite-nav-list" menu="_book"> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2" ><span class="devsite-nav-text" tooltip>Overview</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/cross-client-identity" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/cross-client-identity" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/cross-client-identity" ><span class="devsite-nav-text" tooltip>Cross-client Identity</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/scopes" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/scopes" track-type="bookNav" 
track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/scopes" ><span class="devsite-nav-text" tooltip>OAuth 2.0 Scopes</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/policies" ><span class="devsite-nav-text" tooltip>OAuth 2.0 Policies</span></a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> <span class="devsite-nav-text" tooltip>Access to Google APIs</span> </div></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/web-server" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/web-server" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/web-server" ><span class="devsite-nav-text" tooltip>for Server-side Web Apps</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/javascript-implicit-flow" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/javascript-implicit-flow" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/javascript-implicit-flow" ><span class="devsite-nav-text" tooltip>for JavaScript Web Apps</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/native-app" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/native-app" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/native-app" 
><span class="devsite-nav-text" tooltip>for Mobile & Desktop Apps</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/limited-input-device" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/limited-input-device" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/limited-input-device" ><span class="devsite-nav-text" tooltip>for TV & Device Apps</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/service-account" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/service-account" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/service-account" ><span class="devsite-nav-text" tooltip>for Service Accounts</span></a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> <span class="devsite-nav-text" tooltip>Prepare your app for production</span> </div></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/policy-compliance" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/policy-compliance" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/policy-compliance" ><span class="devsite-nav-text" tooltip>Comply with OAuth 2.0 policies</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/brand-verification" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/brand-verification" 
track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/brand-verification" ><span class="devsite-nav-text" tooltip>Submit for brand verification</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/sensitive-scope-verification" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/sensitive-scope-verification" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/sensitive-scope-verification" ><span class="devsite-nav-text" tooltip>Sensitive scope verification</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/restricted-scope-verification" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/restricted-scope-verification" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/restricted-scope-verification" ><span class="devsite-nav-text" tooltip>Restricted scope verification</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/production-readiness/google-workspace" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/production-readiness/google-workspace" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/production-readiness/google-workspace" ><span class="devsite-nav-text" tooltip>Additional considerations for Google Workspace</span></a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> <span class="devsite-nav-text" 
tooltip>Resources</span> </div></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/resources/best-practices" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/resources/best-practices" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/resources/best-practices" ><span class="devsite-nav-text" tooltip>Best practices</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/resources/granular-permissions" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/resources/granular-permissions" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/resources/granular-permissions" ><span class="devsite-nav-text" tooltip>How to handle granular permissions</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/resources/oob-migration" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/resources/oob-migration" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/resources/oob-migration" ><span class="devsite-nav-text" tooltip>Out-of-band (OOB) Migration</span></a></li> <li class="devsite-nav-item"><a href="/identity/protocols/oauth2/resources/loopback-migration" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/oauth2/resources/loopback-migration" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/oauth2/resources/loopback-migration" ><span class="devsite-nav-text" tooltip>Loopback IP Address Migration for Mobile and Chrome Apps</span></a></li> <li class="devsite-nav-item 
devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> <span class="devsite-nav-text" tooltip>Related topics</span> </div></li> <li class="devsite-nav-item"><a href="/identity/protocols/risc" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /identity/protocols/risc" track-type="bookNav" track-name="click" track-metadata-eventdetail="/identity/protocols/risc" ><span class="devsite-nav-text" tooltip>Cross-Account Protection (RISC)</span></a></li> <li class="devsite-nav-item devsite-nav-external"><a href="https://webauthn.guide/" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: https://webauthn.guide/" track-type="bookNav" track-name="click" track-metadata-eventdetail="https://webauthn.guide/" ><span class="devsite-nav-text" tooltip>WebAuthn</span><span class="devsite-nav-icon material-icons" data-icon="external" data-title="External" aria-hidden="true"></span></a></li> </ul> <ul class="devsite-nav-list" menu="Authentication" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Sign In with Google SDKs </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/android-credential-manager" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential Manager for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Credential Manager for Android </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/gsi/web/guides/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Sign In with Google for Web (including One Tap)" track-type="navMenu" 
track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Sign In with Google for Web (including One Tap) </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/ios/start" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for iOS and macOS" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Sign-In for iOS and macOS </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Industry standards </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/passkeys" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Passkeys" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Passkeys </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/openid-connect/openid-connect" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: OpenID Connect" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > OpenID Connect </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Legacy Sign In </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/one-tap/android/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: One Tap sign-up/sign-in for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" 
tooltip > One Tap sign-up/sign-in for Android </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/android/legacy-start-integrating" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Sign-In for Android </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/web/sign-in" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Sign-In for Web" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Sign-In for Web </span> </a> </li> </ul> <ul class="devsite-nav-list" menu="Authorization" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Call Google APIs </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/android/authorize-access" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorizing for Android" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Authorizing for Android </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/oauth2/web/guides/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorizing for Web" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Authorizing for Web </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/sign-in/ios/api-access" class="devsite-nav-title 
gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Authorizing for iOS/macOS" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Authorizing for iOS/macOS </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/protocols/oauth2" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Using OAuth 2.0" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Using OAuth 2.0 </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Share data with Google apps and devices </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/account-linking" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Account Linking" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Google Account Linking </span> </a> </li> </ul> <ul class="devsite-nav-list" menu="Credential management" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Android </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/android-credential-manager" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Credential Manager" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Credential Manager </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/blockstore/android" class="devsite-nav-title gc-analytics-event " 
data-category="Site-Wide Custom Events" data-label="Responsive Tab: Blockstore" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Blockstore </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/smartlock-passwords/android/associate-apps-and-sites" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Digital Asset Links" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Digital Asset Links </span> </a> </li> <li class="devsite-nav-item"> <a href="https://developer.android.com/guide/topics/text/autofill" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Android autofill framework" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Android autofill framework </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Web </span> </span> </li> <li class="devsite-nav-item"> <a href="https://web.dev/sign-in-form-best-practices/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Autocomplete" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Autocomplete </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Cross-platform </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/credential-sharing" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Seamless credential sharing" 
track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Seamless credential sharing </span> </a> </li> </ul> <ul class="devsite-nav-list" menu="Credential verification" aria-label="Side menu" hidden> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Android </span> </span> </li> <li class="devsite-nav-item"> <a href="/identity/sms-retriever/overview" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Verify users by SMS" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Verify users by SMS </span> </a> </li> <li class="devsite-nav-item"> <a href="/identity/phone-number-hint/android" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Phone Number Hint" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Phone Number Hint </span> </a> </li> <li class="devsite-nav-item devsite-nav-heading"> <span class="devsite-nav-title" tooltip > <span class="devsite-nav-text" tooltip > Web </span> </span> </li> <li class="devsite-nav-item"> <a href="https://web.dev/web-otp/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Verify phone numbers on the web" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> <span class="devsite-nav-text" tooltip > Verify phone numbers on the web </span> </a> </li> </ul> </div> </div> </nav> </devsite-book-nav> <section id="gc-wrapper"> <main role="main" class="devsite-main-content" has-book-nav > <devsite-content> <article class="devsite-article"> <div class="devsite-article-meta nocontent" 
role="navigation"> <ul class="devsite-breadcrumb-list" aria-label="Breadcrumb"> <li class="devsite-breadcrumb-item "> <a href="https://developers.google.com/" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="" > Home </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/products" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="2" track-type="globalNav" track-name="breadcrumb" track-metadata-position="2" track-metadata-eventdetail="" > Products </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/identity" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="3" track-type="globalNav" track-name="breadcrumb" track-metadata-position="3" track-metadata-eventdetail="Google Identity" > Google Identity </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/identity/authorization" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="4" track-type="globalNav" track-name="breadcrumb" track-metadata-position="4" track-metadata-eventdetail="Authorization" > Authorization </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://developers.google.com/identity/protocols/oauth2" class="devsite-breadcrumb-link gc-analytics-event" 
data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="5" track-type="globalNav" track-name="breadcrumb" track-metadata-position="5" track-metadata-eventdetail="" > OAuth 2.0 </a> </li> </ul> <devsite-thumb-rating position="header"> </devsite-thumb-rating> </div> <devsite-feedback position="header" project-name="Authorization" product-id="5186570" bucket="Identity guides" context="External devsite feedback" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="header" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/developers/images/touchicon-180-new.png" > <button> Send feedback </button> </devsite-feedback> <h1 class="devsite-page-title" tabindex="-1"> Using OAuth 2.0 for Server to Server Applications </h1> <devsite-feature-tooltip ack-key="AckCollectionsBookmarkTooltipDismiss" analytics-category="Site-Wide Custom Events" analytics-action-show="Callout Profile displayed" analytics-action-close="Callout Profile dismissed" analytics-label="Create Collection Callout" class="devsite-page-bookmark-tooltip nocontent" dismiss-button="true" id="devsite-collections-dropdown" dismiss-button-text="Dismiss" close-button-text="Got it"> <devsite-bookmark></devsite-bookmark> <span slot="popout-heading"> Stay organized with collections </span> <span slot="popout-contents"> Save and categorize content based on your preferences. 
</span> </devsite-feature-tooltip> <div class="devsite-page-title-meta"><devsite-view-release-notes></devsite-view-release-notes></div> <devsite-toc class="devsite-nav" depth="2" devsite-toc-embedded > </devsite-toc> <div class="devsite-article-body clearfix "> <aside class="note"><b>Important:</b> If you are working with Google Cloud Platform, unless you plan to build your own client library, use service accounts and a Cloud Client Library instead of performing authorization explicitly as described in this document. For more information, see <a href="https://cloud.google.com/docs/authentication/" class="external">Authentication Overview</a> in the Google Cloud Platform documentation.</aside> <section> <p>The Google OAuth 2.0 system supports server-to-server interactions such as those between a web application and a Google service. For this scenario you need a <dfn>service account</dfn>, which is an account that belongs to your application instead of to an individual end user. Your application calls Google APIs on behalf of the service account, so users aren't directly involved. This scenario is sometimes called "two-legged OAuth," or "2LO." (The related term "three-legged OAuth" refers to scenarios in which your application calls Google APIs on behalf of end users, and in which user consent is sometimes required.)</p> <p>Typically, an application uses a service account when the application uses Google APIs to work with its own data rather than a user's data. 
For example, an application that uses Google Cloud Datastore for data persistence would use a service account to authenticate its calls to the Google Cloud Datastore API.</p> <p>Google Workspace domain administrators can also <a href="#delegatingauthority">grant service accounts domain-wide authority</a> to access user data on behalf of users in the domain.</p> <p>This document describes how an application can complete the server-to-server OAuth 2.0 flow by using either a Google APIs client library (recommended) or HTTP.</p> <aside>With some Google APIs, you can make authorized API calls using a signed JWT instead of using OAuth 2.0, which can save you a network request. See <a href="#jwt-auth">Addendum: Service account authorization without OAuth</a>.</aside> </section> <section> <h2 id="overview" data-text="Overview" tabindex="-1">Overview</h2> <p>To support server-to-server interactions, first create a service account for your project in the API Console. If you want to access user data for users in your Google Workspace account, then delegate domain-wide access to the service account.</p> <p>Then, your application prepares to make authorized API calls by using the service account's credentials to request an access token from the OAuth 2.0 auth server.</p> <p>Finally, your application can use the access token to call Google APIs.</p> <aside class="note"><p><b>Recommendation:</b> Your application can complete these tasks either by using the Google APIs client library for your language, or by directly interacting with the OAuth 2.0 system using HTTP. 
However, the mechanics of server-to-server authentication interactions require applications to create and cryptographically sign JSON Web Tokens (JWTs), and it's easy to make serious errors that can have a severe impact on the security of your application.</p> <p>For this reason, we strongly encourage you to use libraries, such as the Google APIs client libraries, that abstract the cryptography away from your application code.</p></aside> </section> <section> <h2 id="creatinganaccount" data-text="Creating a service account" tabindex="-1">Creating a service account</h2> <p>A service account's credentials include a generated email address that is unique and at least one public/private key pair. If domain-wide delegation is enabled, then a client ID is also part of the service account's credentials.</p> <p>If your application runs on Google App Engine, a service account is set up automatically when you create your project.</p> <p>If your application runs on Google Compute Engine, a service account is also set up automatically when you create your project, but you must specify the scopes that your application needs access to when you create a Google Compute Engine instance. For more information, see <a href="https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#using" class="external">Preparing an instance to use service accounts</a>.</p> <p>If your application doesn't run on Google App Engine or Google Compute Engine, you must obtain these credentials in the Google API Console. 
To generate service-account credentials, or to view the public credentials that you've already generated, do the following: </p> <p>First, create a service account:</p> <ol> <li>Open the <a href="https://console.developers.google.com/iam-admin/serviceaccounts"><b>Service accounts</b> page</a>.</li> <li>If prompted, select a project, or create a new one.</li> <li>Click <span class="material-icons" aria-hidden="true" translate="no">add</span> <b>Create service account</b>.</li> <li>Under <b>Service account details</b>, type a name, ID, and description for the service account, then click <b>Create and continue</b>.</li> <li>Optional: Under <b>Grant this service account access to project</b>, select the IAM roles to grant to the service account.</li> <li>Click <b>Continue</b>.</li> <li>Optional: Under <b>Grant users access to this service account</b>, add the users or groups that are allowed to use and manage the service account.</li> <li>Click <b>Done</b>.</li> </ol> <p>Next, create a service account key:</p> <ol> <li>Click the email address for the service account you created.</li> <li>Click the <b>Keys</b> tab.</li> <li>In the <b>Add key</b> drop-down list, select <b>Create new key</b>.</li> <li>Click <b>Create</b>.</li> </ol> <p>Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of the private key. You are responsible for storing it securely. If you lose this key pair, you will need to generate a new one.</p> <p>You can return to the <a href="https://console.developers.google.com/"> API Console</a> at any time to view the email address, public key fingerprints, and other information, or to generate additional public/private key pairs. 
For more details about service account credentials in the API Console, see <a href="https://cloud.google.com/iam/docs/understanding-service-accounts" class="external">Service accounts</a> in the API Console help file.</p> <p>Take note of the service account's email address and store the service account's private key file in a location accessible to your application. Your application needs them to make authorized API calls.</p> <aside class="note"><b>Note:</b> You must store and manage private keys securely in both development and production environments. Google does not keep a copy of your private keys, only your public keys. See <a href="/identity/protocols/oauth2/policies#secure-credentials">the Handle client credentials securely section of OAuth 2.0 Policies</a> for more information. </aside> <h3 id="delegatingauthority" data-text="Delegating domain-wide authority to the service account" tabindex="-1">Delegating domain-wide authority to the service account</h3> <p>Using a Google Workspace account, a Workspace administrator of the organization can authorize an application to access Workspace user data on behalf of users in the Google Workspace domain. For example, an application that uses the Google Calendar API to add events to the calendars of all users in a Google Workspace domain would use a service account to access the Google Calendar API on behalf of users. Authorizing a service account to access data on behalf of users in a domain is sometimes referred to as "delegating domain-wide authority" to a service account.</p> <aside class="note"><b>Note:</b> When you use Google Workspace Marketplace to install an application for your domain, the required permissions are automatically granted to the application during installation. 
You do not need to manually authorize the service accounts that the application uses.</aside> <aside class="note"><b>Note:</b> Although you can use service accounts in applications that run from a Google Workspace domain, service accounts are not members of your Google Workspace account and aren't subject to domain policies set by Google Workspace administrators. For example, a policy set in the Google Workspace Admin console to restrict the ability of Google Workspace end users to share documents outside of the domain would not apply to service accounts.</aside> <p>To delegate domain-wide authority to a service account, a super administrator of the Google Workspace domain must complete the following steps:</p> <ol> <li>From your Google Workspace domain's <a href="https://admin.google.com" class="external"> Admin console</a>, go to <b>Main menu <span class="material-icons" aria-hidden="true" translate="no">menu</span> > Security > Access and data control > API Controls</b>. </li> <li>In the <b>Domain wide delegation</b> pane, select <b>Manage Domain Wide Delegation</b>.</li> <li>Click <b>Add new</b>.</li> <li>In the <b>Client ID</b> field, enter the service account's <b>Client ID</b>. You can find your service account's client ID in the <a href="https://console.developers.google.com/iam-admin/serviceaccounts"><b>Service accounts</b> page</a>.</li> <li>In the <b>OAuth scopes (comma-delimited)</b> field, enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide full access to the Google Drive API and the Google Calendar API, enter: <kbd>https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar</kbd>. List only the scopes that the application actually needs, because each scope authorized here can be used on behalf of users in the domain.</li> <li>Click <b>Authorize</b>.</li> </ol> <p>Your application now has the authority to make API calls as users in your Workspace domain (to "impersonate" users). 
When you prepare to make these delegated API calls, you will explicitly specify the user to impersonate.</p> <aside class="note"><b>Note:</b> It usually takes a few minutes for impersonation access to be granted after the client ID was added, but in some cases, it might take up to 24 hours to propagate to all users of your Google Account.</aside> </section> <section> <h2 id="authorizingrequests" data-text="Preparing to make a delegated API call" tabindex="-1">Preparing to make a delegated API call</h2> <div class="ds-selector-tabs"> <section> <h3 id="java" data-text="Java" tabindex="-1">Java</h3> <p>After you obtain the client email address and private key from the API Console, use the <a href="https://github.com/googleapis/google-api-java-client/blob/master/docs/oauth-2.0.md#service-accounts" class="external">Google APIs Client Library for Java</a> to create a <code translate="no" dir="ltr">GoogleCredential</code> object from the service account's credentials and the scopes your application needs access to. 
For example:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Java"><span class="devsite-syntax-kn">import</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-nn">com.google.api.client.googleapis.auth.oauth2.GoogleCredential</span><span class="devsite-syntax-p">;</span> <span class="devsite-syntax-kn">import</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-nn">com.google.api.services.sqladmin.SQLAdminScopes</span><span class="devsite-syntax-p">;</span> <span class="devsite-syntax-c1">// ...</span> <span class="devsite-syntax-n">GoogleCredential</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">credential</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">GoogleCredential</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">fromStream</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-k">new</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">FileInputStream</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"MyProject-1234.json"</span><span class="devsite-syntax-p">))</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">createScoped</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">Collections</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">singleton</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">SQLAdminScopes</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">SQLSERVICE_ADMIN</span><span class="devsite-syntax-p">));</span></pre></devsite-code> <p>If you are developing an app on Google Cloud Platform, you can use the <a 
href="https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application" class="external">application default credentials</a> instead, which can simplify the process.</p> <h4 id="delegate-domain-wide-authority" data-text="Delegate domain-wide authority" tabindex="-1">Delegate domain-wide authority</h4> <p>If you have delegated domain-wide access to the service account and you want to impersonate a user account, specify the email address of the user account with the <code translate="no" dir="ltr">createDelegated</code> method of the <code translate="no" dir="ltr">GoogleCredential</code> object. For example:</p> <div></div><devsite-code><pre class="devsite-click-to-copy devsite-code-highlight" translate="no" dir="ltr" is-upgraded syntax="Java"><span class="devsite-syntax-n">GoogleCredential</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">credential</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">GoogleCredential</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">fromStream</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-k">new</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">FileInputStream</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"MyProject-1234.json"</span><span class="devsite-syntax-p">))</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">createScoped</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">Collections</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">singleton</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">SQLAdminScopes</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">SQLSERVICE_ADMIN</span><span 
class="devsite-syntax-p">))</span> <span class="devsite-syntax-w"> </span><strong><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">createDelegated</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"workspace-user@example.com"</span><span class="devsite-syntax-p">);</span></strong></pre></devsite-code> <p>The code above uses the <code translate="no" dir="ltr">GoogleCredential</code> object to call its <code translate="no" dir="ltr">createDelegated()</code> method. The argument for the <code translate="no" dir="ltr">createDelegated()</code> method must be a user which belongs to your Workspace account. Your code making the request will use this credential to call Google APIs using your service account.</p> </section> <section> <h3 id="python" data-text="Python" tabindex="-1">Python</h3> <p>After you obtain the client email address and private key from the API Console, use the <a href="https://github.com/googleapis/google-api-python-client/blob/master/docs/oauth.md" class="external">Google APIs Client Library for Python</a> to complete the following steps:</p> <ol> <li>Create a <code translate="no" dir="ltr">Credentials</code> object from the service account's credentials and the scopes your application needs access to. 
For example: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python"><span class="devsite-syntax-kn">from</span> <span class="devsite-syntax-nn">google.oauth2</span> <span class="devsite-syntax-kn">import</span> <span class="devsite-syntax-n">service_account</span> <span class="devsite-syntax-n">SCOPES</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-p">[</span><span class="devsite-syntax-s1">'https://www.googleapis.com/auth/sqlservice.admin'</span><span class="devsite-syntax-p">]</span> <span class="devsite-syntax-n">SERVICE_ACCOUNT_FILE</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-s1">'/path/to/service.json'</span> <span class="devsite-syntax-n">credentials</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">service_account</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">Credentials</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">from_service_account_file</span><span class="devsite-syntax-p">(</span> <span class="devsite-syntax-n">SERVICE_ACCOUNT_FILE</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-n">scopes</span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-n">SCOPES</span><span class="devsite-syntax-p">)</span></pre></devsite-code> <p>If you are developing an app on Google Cloud Platform, you can use the <a href="https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application" class="external">application default credentials</a> instead, which can simplify the process.</p></li> <li>Delegate domain-wide authority <p>If you have delegated domain-wide access to the service account and you want to impersonate a user account, use the <code translate="no" dir="ltr">with_subject</code> method of an existing <code translate="no" dir="ltr">ServiceAccountCredentials</code> object. 
For example:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python"><span class="devsite-syntax-n">delegated_credentials</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">credentials</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">with_subject</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s1">'user@example.org'</span><span class="devsite-syntax-p">)</span></pre></devsite-code></li> </ol> <p>Use the Credentials object to call Google APIs in your application.</p> </section> <section> <h3 id="httprest" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> <aside class="note"><p><strong>Recommendation:</strong> Although your application can complete these tasks by directly interacting with the OAuth 2.0 system using HTTP, the mechanics of server-to-server authentication interactions require applications to create and cryptographically sign JSON Web Tokens (JWTs), and it's easy to make serious errors that can have a severe impact on the security of your application.</p> <p>For this reason, we strongly encourage you to use libraries, such as the Google APIs client libraries, that abstract the cryptography away from your application code.</p></aside> <p>After you obtain the client ID and private key from the API Console, your application needs to complete the following steps:</p> <ol> <li>Create a JSON Web Token (JWT, pronounced, "jot") which includes a header, a claim set, and a signature.</li> <li>Request an access token from the Google OAuth 2.0 Authorization Server.</li> <li>Handle the JSON response that the Authorization Server returns.</li> </ol> <p>The sections that follow describe how to complete these steps.</p> <p>If the response includes an access token, you can use the access token to <a href="#callinganapi">call a Google API</a>. 
(If the response does not include an access token, your JWT and token request might not be properly formed, or the service account might not have permission to access the requested scopes.)</p> <p>When the access token <a href="#expiration">expires</a>, your application generates another JWT, signs it, and requests another access token.</p> <figure id="fig4"> <img src="/static/identity/protocols/oauth2/images/flows/jwt.png" width="325" height="302" alt="Your server application uses a JWT to request a token from the Google Authorization Server, then uses the token to call a Google API endpoint. No end user is involved."> </figure> <p>The rest of this section describes the specifics of creating a JWT, signing the JWT, forming the access token request, and handling the response.</p> <section> <h4 id="creatingjwt" data-text="Creating a JWT" tabindex="-1">Creating a JWT</h4> <p id="jwtcontents">A JWT is composed of three parts: a header, a claim set, and a signature. The header and claim set are JSON objects. These JSON objects are serialized to UTF-8 bytes, then encoded using the Base64url encoding. This encoding provides resilience against encoding changes due to repeated encoding operations. 
The header, claim set, and signature are concatenated together with a period (<code translate="no" dir="ltr">.</code>) character.</p> <p>A JWT is composed as follows:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> {Base64url encoded header}.{Base64url encoded claim set}.{Base64url encoded signature}</pre></devsite-code> <p>The base string for the signature is as follows:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> {Base64url encoded header}.{Base64url encoded claim set}</pre></devsite-code> <h5 id="formingheader" data-text="Forming the JWT header" tabindex="-1">Forming the JWT header</h5> <p>The header consists of three fields that indicate the signing algorithm, the format of the assertion, and the <a href="https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys" class="external">key ID of the service account key</a> that was used to sign the JWT. Algorithm and format are mandatory, and each field has only one value. As additional algorithms and formats are introduced, this header will change accordingly. The key ID is optional. If an incorrect key ID is specified, GCP will try all keys associated with the service account to verify the token, and will reject the token if no valid key is found. Google reserves the right to reject tokens with incorrect key IDs in the future.</p> <p>Service accounts rely on the RSA SHA-256 algorithm and the JWT token format. 
As a result, the JSON representation of the header is as follows:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript"><span class="devsite-syntax-p">{</span><span class="devsite-syntax-s2">"alg"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-s2">"RS256"</span><span class="devsite-syntax-p">,</span><span class="devsite-syntax-s2">"typ"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-s2">"JWT"</span><span class="devsite-syntax-p">,</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"kid"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-s2">"370ab79b4513eb9bad7c9bd16a95cb76b5b2a56a"</span><span class="devsite-syntax-p">}</span></pre></devsite-code> <p>The Base64url representation of this is as follows:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsICJraWQiOiIzNzBhYjc5YjQ1MTNlYjliYWQ3YzliZDE2YTk1Y2I3NmI1YjJhNTZhIn0=</pre></devsite-code> <p>The trailing <code translate="no" dir="ltr">=</code> in this value is Base64 padding. JWS (RFC 7515) uses Base64url without trailing padding, so omit it when this value is used as a segment of the JWT.</p> <h5 id="formingclaimset" data-text="Forming the JWT claim set" tabindex="-1">Forming the JWT claim set</h5> <p>The JWT claim set contains information about the JWT, including the permissions being requested (scopes), the target of the token, the issuer, the time the token was issued, and the lifetime of the token. Most of the fields are mandatory. Like the JWT header, the JWT claim set is a JSON object and is used in the calculation of the signature.</p> <h6 id="required-claims" data-text="Required claims" tabindex="-1">Required claims</h6> <p>The required claims in the JWT claim set are shown below. 
They may appear in any order in the claim set.</p> <table> <thead> <tr> <th>Name</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">iss</code></td> <td>The email address of the service account.</td> </tr> <tr> <td><code translate="no" dir="ltr">scope</code></td> <td>A space-delimited list of the permissions that the application requests.</td> </tr> <tr> <td><code translate="no" dir="ltr">aud</code></td> <td>A descriptor of the intended target of the assertion. When making an access token request this value is always <code translate="no" dir="ltr">https://oauth2.googleapis.com/token</code>.</td> </tr> <tr> <td><code translate="no" dir="ltr">exp</code></td> <td>The expiration time of the assertion, specified as seconds since 00:00:00 UTC, January 1, 1970. This value has a maximum of 1 hour after the issued time.</td> </tr> <tr> <td><code translate="no" dir="ltr">iat</code></td> <td>The time the assertion was issued, specified as seconds since 00:00:00 UTC, January 1, 1970.</td> </tr> </tbody> </table> <p>The JSON representation of the required fields in a JWT claim set is shown below:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript"><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iss"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"scope"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://www.googleapis.com/auth/devstorage.read_only"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span 
class="devsite-syntax-s2">"aud"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://oauth2.googleapis.com/token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"exp"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mf">1328554385</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iat"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mf">1328550785</span> <span class="devsite-syntax-p">}</span></pre></devsite-code> <h6 id="additionalclaims" data-text="Additional claims" tabindex="-1">Additional claims</h6> <p>In some enterprise cases, an application can use domain-wide delegation to act on behalf of a particular user in an organization. Permission to perform this type of impersonation must be granted before an application can impersonate a user, and is usually handled by a super administrator. 
For more information, see <a href="https://support.google.com/a/answer/162106" class="external">Control API access with domain-wide delegation</a>.</p> <p>To obtain an access token that grants an application delegated access to a resource, include the email address of the user in the JWT claim set as the value of the <code translate="no" dir="ltr">sub</code> field.</p> <table> <thead> <tr> <th>Name</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">sub</code></td> <td>The email address of the user for which the application is requesting delegated access.</td> </tr> </tbody> </table> <p>If an application does not have permission to impersonate a user, the response to an access token request that includes the <code translate="no" dir="ltr">sub</code> field will be an <a href="#error-codes">error</a>.</p> <p>An example of a JWT claim set that includes the <code translate="no" dir="ltr">sub</code> field is shown below:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript"><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iss"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"sub"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"some.user@example.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"scope"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://www.googleapis.com/auth/prediction"</span><span class="devsite-syntax-p">,</span> <span 
class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"aud"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://oauth2.googleapis.com/token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"exp"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mf">1328554385</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iat"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mf">1328550785</span> <span class="devsite-syntax-p">}</span></pre></devsite-code> <h6 id="encodingclaimset" data-text="Encoding the JWT claim set" tabindex="-1">Encoding the JWT claim set</h6> <p>Like the JWT header, the JWT claim set should be serialized to UTF-8 and Base64url-safe encoded. 
Below is an example of a JSON representation of a JWT Claim set:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript"><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iss"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"scope"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://www.googleapis.com/auth/prediction"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"aud"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://oauth2.googleapis.com/token"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"exp"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mf">1328554385</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"iat"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mf">1328550785</span> <span class="devsite-syntax-p">}</span></pre></devsite-code> <h5 id="computingsignature" data-text="Computing the signature" tabindex="-1">Computing the signature</h5> <p><a href="https://tools.ietf.org/html/rfc7515" class="external">JSON Web Signature</a> (JWS) is the specification that guides the mechanics of generating the signature for the JWT. 
The input for the signature is the byte array of the following content:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> {Base64url encoded header}.{Base64url encoded claim set}</pre></devsite-code> <p>The signing algorithm in the JWT header must be used when computing the signature. The only signing algorithm supported by the Google OAuth 2.0 Authorization Server is RSA using SHA-256 hashing algorithm. This is expressed as <code translate="no" dir="ltr">RS256</code> in the <code translate="no" dir="ltr">alg</code> field in the JWT header.</p> <p>Sign the UTF-8 representation of the input using SHA256withRSA (also known as RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function) with the private key obtained from the <a href="https://console.developers.google.com/">Google API Console</a>. The output will be a byte array.</p> <p>The signature must then be Base64url encoded. The header, claim set, and signature are concatenated together with a period (<code translate="no" dir="ltr">.</code>) character. The result is the JWT. It should be the following (line breaks added for clarity):</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> {Base64url encoded header}. {Base64url encoded claim set}. {Base64url encoded signature}</pre></devsite-code> <p>Below is an example of a JWT before Base64url encoding:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> {"alg":"RS256","typ":"JWT"}. { "iss":"761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com", "scope":"https://www.googleapis.com/auth/prediction", "aud":"https://oauth2.googleapis.com/token", "exp":1328554385, "iat":1328550785 }. 
[signature bytes]</pre></devsite-code> <p>Below is an example of a JWT that has been signed and is ready for transmission:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL29hdXRoMi92NC90b2tlbiIsImV4cCI6MTMyODU1NDM4NSwiaWF0IjoxMzI4NTUwNzg1fQ.UFUt59SUM2_AW4cRU8Y0BYVQsNTo4n7AFsNrqOpYiICDu37vVt-tw38UKzjmUKtcRsLLjrR3gFW3dNDMx_pL9DVjgVHDdYirtrCekUHOYoa1CMR66nxep5q5cBQ4y4u2kIgSvChCTc9pmLLNoIem-ruCecAJYgI9Ks7pTnW1gkOKs0x3YpiLpzplVHAkkHztaXiJdtpBcY1OXyo6jTQCa3Lk2Q3va1dPkh_d--GU2M5flgd8xNBPYw4vxyt0mP59XZlHMpztZt0soSgObf7G3GXArreF_6tpbFsS3z2t5zkEiHuWJXpzcYr5zWTRPDEHsejeBSG8EgpLDce2380ROQ</pre></devsite-code> </section> <section> <h4 id="makingrequest" data-text="Making the access token request" tabindex="-1">Making the access token request</h4> <p>After generating the signed JWT, an application can use it to request an access token. This access token request is an HTTPS <code translate="no" dir="ltr">POST</code> request, and the body is URL encoded. 
The URL is shown below:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> https://oauth2.googleapis.com/token</pre></devsite-code> <p>The following parameters are required in the HTTPS <code translate="no" dir="ltr">POST</code> request:</p> <table> <thead> <tr> <th>Name</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">grant_type</code></td> <td>Use the following string, URL-encoded as necessary: <code translate="no" dir="ltr">urn:ietf:params:oauth:grant-type:jwt-bearer</code></td> </tr> <tr> <td><code translate="no" dir="ltr">assertion</code></td> <td>The JWT, including signature.</td> </tr> </tbody> </table> <p>Below is a raw dump of the HTTPS <code translate="no" dir="ltr">POST</code> request used in an access token request:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> POST /token HTTP/1.1 Host: oauth2.googleapis.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTMyODU3MzM4MSwiaWF0IjoxMzI4NTY5NzgxfQ.ixOUGehweEVX_UKXv5BbbwVEdcz6AYS-6uQV6fGorGKrHf3LIJnyREw9evE-gs2bmMaQI5_UbabvI4k-mQE4kBqtmSpTzxYBL1TCd7Kv5nTZoUC1CmwmWCFqT9RE6D7XSgPUh_jF1qskLa2w0rxMSjwruNKbysgRNctZPln7cqQ</pre></devsite-code> <p>Below is the same request, using <code translate="no" dir="ltr">curl</code>:</p> <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> curl -d 
'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTMyODU3MzM4MSwiaWF0IjoxMzI4NTY5NzgxfQ.RZVpzWygMLuL-n3GwjW1_yhQhrqDacyvaXkuf8HcJl8EtXYjGjMaW5oiM5cgAaIorrqgYlp4DPF_GuncFqg9uDZrx7pMmCZ_yHfxhSCXru3gbXrZvAIicNQZMFxrEEn4REVuq7DjkTMyCMGCY1dpMa8aWfTQFt3Eh7smLchaZsU ' https://oauth2.googleapis.com/token</pre></devsite-code> </section> <section> <h4 id="handlingresponse" data-text="Handling the response" tabindex="-1">Handling the response</h4> <p>If the JWT and access token request are properly formed and the service account has permission to perform the operation, then the JSON response from the Authorization Server includes an access token. The following is an example response:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JavaScript"><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"access_token"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"scope"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"https://www.googleapis.com/auth/prediction"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"token_type"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-s2">"Bearer"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> 
</span><span class="devsite-syntax-s2">"expires_in"</span><span class="devsite-syntax-o">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mf">3600</span> <span class="devsite-syntax-p">}</span></pre></devsite-code> <p>Access tokens can be reused during the duration window specified by the <code translate="no" dir="ltr">expires_in</code> value.</p> </section> </section> </div> </section> <section> <h2 id="callinganapi" data-text="Calling Google APIs" tabindex="-1">Calling Google APIs</h2> <div class="ds-selector-tabs"> <section> <h3 id="java_1" data-text="Java" tabindex="-1">Java</h3> <p>Use the <code translate="no" dir="ltr">GoogleCredential</code> object to call Google APIs by completing the following steps:</p> <ol> <li>Create a service object for the API that you want to call using the <code translate="no" dir="ltr">GoogleCredential</code> object. For example: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Java"><span class="devsite-syntax-n">SQLAdmin</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">sqladmin</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-k">new</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">SQLAdmin</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">Builder</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">httpTransport</span><span class="devsite-syntax-p">,</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">JSON_FACTORY</span><span class="devsite-syntax-p">,</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">credential</span><span class="devsite-syntax-p">).</span><span class="devsite-syntax-na">build</span><span class="devsite-syntax-p">();</span></pre></devsite-code> </li> <li>Make requests to the API 
service using the <a href="https://github.com/googleapis/google-api-java-client" class="external">interface provided by the service object</a>. For example, to list the instances of Cloud SQL databases in the exciting-example-123 project: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Java"><span class="devsite-syntax-n">SQLAdmin</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">Instances</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">List</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">instances</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">sqladmin</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">instances</span><span class="devsite-syntax-p">().</span><span class="devsite-syntax-na">list</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"exciting-example-123"</span><span class="devsite-syntax-p">).</span><span class="devsite-syntax-na">execute</span><span class="devsite-syntax-p">();</span></pre></devsite-code> </li> </ol> </section> <section> <h3 id="python_1" data-text="Python" tabindex="-1">Python</h3> <p>Use the authorized <code translate="no" dir="ltr">Credentials</code> object to call Google APIs by completing the following steps:</p> <ol> <li>Build a service object for the API that you want to call. You build a service object by calling the <code translate="no" dir="ltr">build</code> function with the name and version of the API and the authorized <code translate="no" dir="ltr">Credentials</code> object. 
For example, to call version 1beta3 of the Cloud SQL Administration API: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python"><span class="devsite-syntax-kn">import</span> <span class="devsite-syntax-nn">googleapiclient.discovery</span> <span class="devsite-syntax-n">sqladmin</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">googleapiclient</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">discovery</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">build</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s1">'sqladmin'</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-s1">'v1beta3'</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-n">credentials</span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-n">credentials</span><span class="devsite-syntax-p">)</span></pre></devsite-code> </li> <li>Make requests to the API service using the <a href="https://github.com/googleapis/google-api-python-client/blob/master/docs/oauth.md#service-account-credentials" class="external">interface provided by the service object</a>. 
For example, to list the instances of Cloud SQL databases in the exciting-example-123 project: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python"><span class="devsite-syntax-n">response</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">sqladmin</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">instances</span><span class="devsite-syntax-p">()</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">list</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">project</span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'exciting-example-123'</span><span class="devsite-syntax-p">)</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">execute</span><span class="devsite-syntax-p">()</span></pre></devsite-code> </li> </ol> </section> <section> <h3 id="httprest_1" data-text="HTTP/REST" tabindex="-1">HTTP/REST</h3> <p>After your application obtains an access token, you can use the token to make calls to a Google API on behalf of a given service account or user account if the scope(s) of access required by the API have been granted. To do this, include the access token in a request to the API by including either an <code translate="no" dir="ltr">access_token</code> query parameter or an <code translate="no" dir="ltr">Authorization</code> HTTP header <code translate="no" dir="ltr">Bearer</code> value. When possible, the HTTP header is preferable, because query strings tend to be visible in server logs. 
In most cases you can use a client library to set up your calls to Google APIs (for example, when <a href="/drive/api/v2/reference#Files">calling the Drive Files API</a>).</p> <p>You can try out all the Google APIs and view their scopes at the <a href="https://developers.google.com/oauthplayground/">OAuth 2.0 Playground</a>.</p> <h4 id="http-get-examples" data-text="HTTP GET examples" tabindex="-1">HTTP GET examples</h4> <p>A call to the <a href="/drive/v2/reference/files/list"> <code translate="no" dir="ltr">drive.files</code></a> endpoint (the Drive Files API) using the <code translate="no" dir="ltr">Authorization: Bearer</code> HTTP header might look like the following. Note that you need to specify your own access token:</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> GET /drive/v2/files HTTP/1.1 Host: www.googleapis.com <strong>Authorization: Bearer <var translate="no">access_token</var></strong></pre></devsite-code> <p>Here is a call to the same API for the authenticated user using the <code translate="no" dir="ltr">access_token</code> query string parameter (the token then travels in the URL, which tends to be visible in server logs):</p> <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded> GET https://www.googleapis.com/drive/v2/files?access_token=<var translate="no">access_token</var></pre></devsite-code> <h4 id="curl-examples" data-text="curl examples" tabindex="-1"><code translate="no" dir="ltr">curl</code> examples</h4> <p>You can test these commands with the <code translate="no" dir="ltr">curl</code> command-line application. 
Here's an example that uses the HTTP header option (preferred):</p> <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> curl -H "Authorization: Bearer <var translate="no">access_token</var>" https://www.googleapis.com/drive/v2/files</pre></devsite-code> <p>Or, alternatively, the query string parameter option:</p> <div></div><devsite-code><pre class="devsite-terminal" translate="no" dir="ltr" is-upgraded> curl https://www.googleapis.com/drive/v2/files?access_token=<var translate="no">access_token</var></pre></devsite-code> <section> <h4 id="expiration" data-text="When access tokens expire" tabindex="-1">When access tokens expire</h4> <p>Access tokens issued by the Google OAuth 2.0 Authorization Server expire after the duration provided by the <code translate="no" dir="ltr">expires_in</code> value. When an access token expires, then the application should generate another JWT, sign it, and request another access token.</p> </section> </section> </div> </section> <section> <h2 id="error-codes" data-text="JWT error codes" tabindex="-1">JWT error codes</h2> <table> <thead> <tr> <th><code translate="no" dir="ltr">error</code> field</th> <th><code translate="no" dir="ltr">error_description</code> field</th> <th>Meaning</th> <th>How to resolve</th> </tr> </thead> <tbody> <tr> <td><code translate="no" dir="ltr">unauthorized_client</code></td> <td><code translate="no" dir="ltr">Unauthorized client or scope in request.</code></td> <td>If you're trying to use domain-wide delegation, the service account is not authorized in the Admin console of the user's domain.</td> <td> <p>Ensure that the service account is authorized in the <a href="https://support.google.com/a/answer/162106" class="external"> Domain-wide delegation</a> page of the Admin console for the user in the <code translate="no" dir="ltr">sub</code> claim (field).</p> <p>While it usually takes a few minutes, it might take up to 24 hours for authorization to propagate to all 
users in your Google Account.</p> </td> </tr> <tr> <td><code translate="no" dir="ltr">unauthorized_client</code></td> <td><code translate="no" dir="ltr">Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.</code></td> <td> A service account was authorized using the client email address rather than the client ID (numeric) in the Admin console. </td> <td> In the <a href="https://support.google.com/a/answer/162106" class="external"> Domain-wide delegation</a> page in the Admin console, remove the client, and re-add it with the numeric ID. </td> </tr> <tr> <td><code translate="no" dir="ltr">access_denied</code></td> <td>(any value)</td> <td>If you're using Domain-wide delegation, one or more requested scopes aren't authorized in the Admin console.</td> <td> <p>Ensure that the service account is authorized in the <a href="https://support.google.com/a/answer/162106" class="external"> Domain-wide delegation</a> page of the Admin console for the user in the <code translate="no" dir="ltr">sub</code> claim (field), and that it includes all of the scopes you're requesting in the <code translate="no" dir="ltr">scope</code> claim of your JWT.</p> <p>While it usually takes a few minutes, it might take up to 24 hours for authorization to propagate to all users in your Google Account.</p> </td> </tr> <tr> <td><code translate="no" dir="ltr">admin_policy_enforced</code></td> <td>(any value)</td> <td>The Google Account is unable to authorize one or more scopes requested due to the policies of their Google Workspace administrator.</td> <td> <p>See the Google Workspace Admin help article <a href="https://support.google.com/a/answer/7281227">Control which third-party & internal apps access Google Workspace data</a> for more information about how an administrator may restrict access to all scopes or sensitive and restricted scopes until access is explicitly granted to your OAuth client ID.</p> </td> </tr> <tr> 
<td><code translate="no" dir="ltr">invalid_client</code></td> <td>(any value)</td> <td> <p>The OAuth client or JWT token is invalid or incorrectly configured.</p> <p>Refer to the error description for details.</p> </td> <td> <p>Make sure the JWT token is valid and contains correct claims.</p> <p>Check that the <a href="#creatinganaccount">OAuth client and service account</a> are configured correctly and that you are using the correct email address.</p> <p>Check that the JWT token is correct and was issued for the client ID in the request.</p> </td> </tr> <tr> <td><code translate="no" dir="ltr">invalid_grant</code></td> <td><code translate="no" dir="ltr">Not a valid email.</code></td> <td>The user doesn't exist.</td> <td>Check that the email address in the <code translate="no" dir="ltr">sub</code> claim (field) is correct.</td> </tr> <tr> <td><code translate="no" dir="ltr">invalid_grant</code></td> <td> <p><code translate="no" dir="ltr">Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your 'iat' and 'exp' values and use a clock with skew to account for clock differences between systems.</code></p> </td> <td>Usually, it means that the local system time is not correct. It could also happen if the <code translate="no" dir="ltr">exp</code> value is more than 65 mins in the future from the <code translate="no" dir="ltr">iat</code> value, or the <code translate="no" dir="ltr">exp</code> value is lower than <code translate="no" dir="ltr">iat</code> value.</td> <td> <p>Make sure that the clock on the system where the JWT is generated is correct. 
If necessary, sync your time with <a href="/time">Google NTP</a>.</p> </td> </tr> <tr> <td><code translate="no" dir="ltr">invalid_grant</code></td> <td><code translate="no" dir="ltr">Invalid JWT Signature.</code></td> <td> <p>The JWT assertion is signed with a private key not associated with the service account identified by the client email, or the key that was used has been deleted, disabled, or has expired.</p> <p>Alternatively, the JWT assertion might be encoded incorrectly: it must be Base64url-encoded, without newlines or padding equal signs.</p> </td> <td> <p>Decode the JWT claim set and verify that the key that signed the assertion is associated with the service account.</p> <p>Try to use a Google-provided OAuth library to make sure the JWT is generated correctly. </p> </td> </tr> <tr> <td><code translate="no" dir="ltr">invalid_scope</code></td> <td><code translate="no" dir="ltr">Invalid OAuth scope or ID token audience provided.</code></td> <td>No scopes were requested (empty list of scopes), or one of the requested scopes doesn't exist (i.e. 
is invalid).</td> <td> <p>Ensure that the <code translate="no" dir="ltr">scope</code> claim (field) of the JWT is populated, and compare the scopes that it contains with the documented scopes for the APIs you want to use, to ensure there are no errors or typos.</p> <p>Note that the list of scopes in the <code translate="no" dir="ltr">scope</code> claim needs to be separated by spaces, not commas.</p> </td> </tr> <tr> <td><code translate="no" dir="ltr">disabled_client</code></td> <td><code translate="no" dir="ltr">The OAuth client was disabled.</code></td> <td>The key used to sign the JWT assertion is disabled.</td> <td> <p>Go to the <a href="https://console.developers.google.com/">Google API Console</a>, and under <b>IAM & Admin > Service Accounts</b>, enable the service account which contains the "Key ID" used to sign the assertion.</p> </td> </tr> <tr> <td><code translate="no" dir="ltr">org_internal</code></td> <td><code translate="no" dir="ltr">This client is restricted to users within its organization.</code></td> <td>The OAuth client ID in the request is part of a project limiting access to Google Accounts in a specific <a href="https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#organizations"> Google Cloud Organization</a>.</td> <td> <p>Use a service account from the organization to authenticate. Confirm the <a href="https://support.google.com/cloud/answer/10311615#user-type">user type configuration</a> for your OAuth application.</p> </td> </tr> </tbody> </table> </section> <section> <h2 id="jwt-auth" data-text="Addendum: Service account authorization without OAuth" tabindex="-1">Addendum: Service account authorization without OAuth</h2> <p>With some Google APIs, you can make authorized API calls using a signed JWT directly as a bearer token, rather than an OAuth 2.0 access token. 
When this is possible, you can avoid having to make a network request to Google's authorization server before making an API call.</p> <p>If the API you want to call has a service definition published in the <a href="https://github.com/googleapis/googleapis" class="external">Google APIs GitHub repository</a>, you can make authorized API calls using a JWT instead of an access token. To do so:</p> <ol> <li><a href="#creatinganaccount">Create a service account</a> as described above. Be sure to keep the JSON file you get when you create the account, and store it securely: it contains the private key used to sign the JWT.</li> <li>Using any standard JWT library, such as one found at <a href="https://jwt.io/#libraries-io" class="external">jwt.io</a>, create a JWT with a header and payload like the following example: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Transact-SQL"><span class="devsite-syntax-err">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"alg"</span><span class="devsite-syntax-err">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"RS256"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"typ"</span><span class="devsite-syntax-err">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"JWT"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"kid"</span><span class="devsite-syntax-err">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"abcdef1234567890"</span> <span class="devsite-syntax-err">}</span> <span class="devsite-syntax-p">.</span> <span class="devsite-syntax-err">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"iss"</span><span class="devsite-syntax-err">:</span><span class="devsite-syntax-w"> </span><span 
class="devsite-syntax-ss">"123456-compute@developer.gserviceaccount.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"sub"</span><span class="devsite-syntax-err">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"123456-compute@developer.gserviceaccount.com"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"aud"</span><span class="devsite-syntax-err">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"https://firestore.googleapis.com/"</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"iat"</span><span class="devsite-syntax-err">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mi">1511900000</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-ss">"exp"</span><span class="devsite-syntax-err">:</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mi">1511903600</span> <span class="devsite-syntax-err">}</span></pre></devsite-code> </li> <ul> <li>For the <code translate="no" dir="ltr">kid</code> field in the header, specify your service account's private key ID. You can find this value in the <code translate="no" dir="ltr">private_key_id</code> field of your service account JSON file.</li> <li>For the <code translate="no" dir="ltr">iss</code> and <code translate="no" dir="ltr">sub</code> fields, specify your service account's email address. You can find this value in the <code translate="no" dir="ltr">client_email</code> field of your service account JSON file.</li> <li>For the <code translate="no" dir="ltr">aud</code> field, specify the API endpoint. 
For example: <code translate="no" dir="ltr">https://<var translate="no">SERVICE</var>.googleapis.com/</code>.</li> <li>For the <code translate="no" dir="ltr">iat</code> field, specify the current Unix time, and for the <code translate="no" dir="ltr">exp</code> field, specify the time exactly 3600 seconds later, when the JWT will expire.</li> </ul> </ol> <p>Sign the JWT with RS256 (RSA with SHA-256) using the private key found in your service account JSON file.</p> <p>For example:</p> <div class="ds-selector-tabs"> <section> <h3 id="java_2" data-text="Java" tabindex="-1">Java</h3> <p>Using <a href="https://github.com/googleapis/google-api-java-client" class="external">google-api-java-client</a> and <a href="https://github.com/auth0/java-jwt" class="external">java-jwt</a>:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Java"><span class="devsite-syntax-n">GoogleCredential</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">credential</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">GoogleCredential</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">fromStream</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-k">new</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">FileInputStream</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"MyProject-1234.json"</span><span class="devsite-syntax-p">));</span> <span class="devsite-syntax-n">PrivateKey</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">privateKey</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">credential</span><span class="devsite-syntax-p">.</span><span 
class="devsite-syntax-na">getServiceAccountPrivateKey</span><span class="devsite-syntax-p">();</span> <span class="devsite-syntax-n">String</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">privateKeyId</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">credential</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">getServiceAccountPrivateKeyId</span><span class="devsite-syntax-p">();</span> <span class="devsite-syntax-kt">long</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">now</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">System</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">currentTimeMillis</span><span class="devsite-syntax-p">();</span> <span class="devsite-syntax-k">try</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">{</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">Algorithm</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">algorithm</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">Algorithm</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">RSA256</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-kc">null</span><span class="devsite-syntax-p">,</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">privateKey</span><span class="devsite-syntax-p">);</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">String</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">signedJwt</span><span class="devsite-syntax-w"> </span><span 
class="devsite-syntax-o">=</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">JWT</span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">create</span><span class="devsite-syntax-p">()</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">withKeyId</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">privateKeyId</span><span class="devsite-syntax-p">)</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">withIssuer</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"123456-compute@developer.gserviceaccount.com"</span><span class="devsite-syntax-p">)</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">withSubject</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"123456-compute@developer.gserviceaccount.com"</span><span class="devsite-syntax-p">)</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">withAudience</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-s">"https://firestore.googleapis.com/"</span><span class="devsite-syntax-p">)</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">withIssuedAt</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-k">new</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-n">Date</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">now</span><span class="devsite-syntax-p">))</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">withExpiresAt</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-k">new</span><span 
class="devsite-syntax-w"> </span><span class="devsite-syntax-n">Date</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">now</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">+</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mi">3600</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-o">*</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-mi">1000L</span><span class="devsite-syntax-p">))</span> <span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">.</span><span class="devsite-syntax-na">sign</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">algorithm</span><span class="devsite-syntax-p">);</span> <span class="devsite-syntax-p">}</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-k">catch</span><span class="devsite-syntax-w"> </span><span class="devsite-syntax-p">...</span></pre></devsite-code> </section> <section> <h3 id="python_2" data-text="Python" tabindex="-1">Python</h3> <p>Using <a href="https://github.com/jpadilla/pyjwt/" class="external">PyJWT</a>:</p> <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Python"><span class="devsite-syntax-n">iat</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">time</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">time</span><span class="devsite-syntax-p">()</span> <span class="devsite-syntax-n">exp</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">iat</span> <span class="devsite-syntax-o">+</span> <span class="devsite-syntax-mi">3600</span> <span class="devsite-syntax-n">payload</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-p">{</span><span class="devsite-syntax-s1">'iss'</span><span class="devsite-syntax-p">:</span> <span 
class="devsite-syntax-s1">'123456-compute@developer.gserviceaccount.com'</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-s1">'sub'</span><span class="devsite-syntax-p">:</span> <span class="devsite-syntax-s1">'123456-compute@developer.gserviceaccount.com'</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-s1">'aud'</span><span class="devsite-syntax-p">:</span> <span class="devsite-syntax-s1">'https://firestore.googleapis.com/'</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-s1">'iat'</span><span class="devsite-syntax-p">:</span> <span class="devsite-syntax-n">iat</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-s1">'exp'</span><span class="devsite-syntax-p">:</span> <span class="devsite-syntax-n">exp</span><span class="devsite-syntax-p">}</span> <span class="devsite-syntax-n">additional_headers</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-p">{</span><span class="devsite-syntax-s1">'kid'</span><span class="devsite-syntax-p">:</span> <span class="devsite-syntax-n">PRIVATE_KEY_ID_FROM_JSON</span><span class="devsite-syntax-p">}</span> <span class="devsite-syntax-n">signed_jwt</span> <span class="devsite-syntax-o">=</span> <span class="devsite-syntax-n">jwt</span><span class="devsite-syntax-o">.</span><span class="devsite-syntax-n">encode</span><span class="devsite-syntax-p">(</span><span class="devsite-syntax-n">payload</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-n">PRIVATE_KEY_FROM_JSON</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-n">headers</span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-n">additional_headers</span><span class="devsite-syntax-p">,</span> <span class="devsite-syntax-n">algorithm</span><span class="devsite-syntax-o">=</span><span class="devsite-syntax-s1">'RS256'</span><span class="devsite-syntax-p">)</span></pre></devsite-code> </section> 
</div> <ol> <li>Call the API, using the signed JWT as the bearer token: <div></div><devsite-code><pre translate="no" dir="ltr" is-upgraded>GET /v1/projects/abc/databases/123/indexes HTTP/1.1
Authorization: Bearer <var translate="no">SIGNED_JWT</var>
Host: firestore.googleapis.com</pre></devsite-code> <p>The signed JWT is a bearer credential: until its <code translate="no" dir="ltr">exp</code> time passes (one hour after <code translate="no" dir="ltr">iat</code> in the examples above), anyone who holds it can present it to the API named in <code translate="no" dir="ltr">aud</code>. Send it only over HTTPS, and keep it out of logs and error messages.</p> </li> </ol> </section> <section> <h2 id="cross-account-protection" data-text="Implementing Cross-Account Protection" tabindex="-1">Implementing Cross-Account Protection</h2> <p> You should also protect your users' accounts by implementing Cross-Account Protection, using Google's Cross-Account Protection Service. This service lets you subscribe to security event notifications that tell your application about major changes to a user's account. You can then act on each event according to the response you have chosen for it. </p> <p> Some examples of the event types sent to your app by Google's Cross-Account Protection Service are: </p> <ul> <li> <code translate="no" dir="ltr">https://schemas.openid.net/secevent/risc/event-type/sessions-revoked</code> </li> <li> <code translate="no" dir="ltr">https://schemas.openid.net/secevent/oauth/event-type/token-revoked</code> </li> <li> <code translate="no" dir="ltr">https://schemas.openid.net/secevent/risc/event-type/account-disabled</code> </li> </ul> <p> See the <a href="https://developers.google.com/identity/protocols/risc"> Protect user accounts with Cross-Account Protection page </a> for more information on how to implement Cross-Account Protection and for the full list of available events.
</p> </section> </div> </article> <devsite-content-footer class="nocontent"> <p>Except as otherwise noted, the content of this page is licensed under the <a href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 License</a>, and code samples are licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache 2.0 License</a>. For details, see the <a href="https://developers.google.com/site-policies">Google Developers Site Policies</a>.
Java is a registered trademark of Oracle and/or its affiliates.</p> <p>Last updated 2024-11-13 UTC.</p> </devsite-content-footer> </devsite-content> </main> </section></section> </body> </html>