GoogleCredential object from the service account's credentials and the scopes your application needs access to. For example:
setServiceAccountUser method of the GoogleCredential factory. For example:
GoogleCredential object to call Google APIs in your application.
Credentials object from the service account's credentials and the scopes your application needs access to. For example:
with_subject method of an existing ServiceAccountCredentials object. For example:
(.) character.

Name | Description |
---|---|
iss | The email address of the service account. |
scope | A space-delimited list of the permissions that the application requests. |
aud | A descriptor of the intended target of the assertion. When making an access token request this value is always https://oauth2.googleapis.com/token . |
exp | The expiration time of the assertion, specified as seconds since 00:00:00 UTC, January 1, 1970. This value has a maximum of 1 hour after the issued time. |
iat | The time the assertion was issued, specified as seconds since 00:00:00 UTC, January 1, 1970. |
sub field.

Name | Description |
---|---|
sub | The email address of the user for which the application is requesting delegated access. |
sub field will be an error.
sub field is shown below:
RS256 in the alg field in the JWT header.
(.) character. The result is the JWT. It should be the following (line breaks added for clarity):
POST request, and the body is URL encoded. The URL is shown below:
POST request:

Name | Description |
---|---|
grant_type | Use the following string, URL-encoded as necessary: urn:ietf:params:oauth:grant-type:jwt-bearer |
assertion | The JWT, including signature. |
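
The claim set and token request described in the tables above, as an added example (not code from the original page): it builds the claims, checks the constraints the tables state before anything is signed, and produces the base64url signing input and the URL-encoded POST body. The function names and the sample service account and scope are constructed for illustration; the RS256 signature itself needs the service account's private key and is left to a crypto library.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"  # required aud value
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # exp may be at most 1 hour after iat

def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_claims(sa_email, scopes, now=None, subject=None):
    """Claim set for an access token request; subject adds the sub field."""
    iat = int(time.time()) if now is None else int(now)
    claims = {"iss": sa_email, "scope": " ".join(scopes), "aud": TOKEN_URL,
              "exp": iat + MAX_LIFETIME, "iat": iat}
    if subject:
        claims["sub"] = subject  # delegated access on behalf of this user
    return claims

def check_claims(claims):
    """Return a list of problems; empty means the tables' rules are met."""
    problems = [f"missing {n}" for n in ("iss", "scope", "aud", "exp", "iat")
                if n not in claims]
    if problems:
        return problems
    if claims["aud"] != TOKEN_URL:
        problems.append("aud is not the token endpoint")
    if not 0 < claims["exp"] - claims["iat"] <= MAX_LIFETIME:
        problems.append("exp must be 1 to 3600 seconds after iat")
    if not claims["scope"].strip():
        problems.append("scope is empty")
    return problems

def signing_input(claims):
    """base64url(header) + '.' + base64url(claims): the bytes RS256 signs."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims))

def token_request_body(signed_jwt):
    """URL-encoded POST body carrying grant_type and assertion."""
    return urlencode({"grant_type": GRANT_TYPE, "assertion": signed_jwt})

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    c = build_claims("sa@example-project.iam.gserviceaccount.com",
                     ["https://www.googleapis.com/auth/devstorage.read_only"])
    print(check_claims(c), signing_input(c))
```
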
POST request used in an access token request:
curl:
expires_in value.
GoogleCredential object to call Google APIs by completing the following steps:
GoogleCredential object. For example:
Credentials object to call Google APIs by completing the following steps:
build function with the name and version of the API and the authorized Credentials object. For example, to call version 1beta3 of the Cloud SQL Administration API:
access_token query parameter or an Authorization HTTP header Bearer value. When possible, the HTTP header is preferable, because query strings tend to be visible in server logs. In most cases you can use a client library to set up your calls to Google APIs (for example, when calling the Drive Files API).
drive.files endpoint (the Drive Files API) using the Authorization: Bearer HTTP header might look like the following. Note that you need to specify your own access token:
access_token query string parameter:
curl examples
curl command-line application. Here's an example that uses the HTTP header option (preferred):
expires_in value. When an access token expires, then the application should generate another JWT, sign it, and request another access token.
firestore.yaml, has the following contents:
kid field in the header, specify your service account's private key ID. You can find this value in the private_key_id field of your service account JSON file.
iss and sub fields, specify your service account's email address. You can find this value in the client_email field of your service account JSON file.
aud field, specify https://SERVICE_NAME/, using the values from the service definition file.
iat field, specify the current Unix time, and for the exp field, specify the time exactly 3600 seconds later, when the JWT will expire.