An OAuth2 client already exists for this package name and SHA-1 in another project

Why am I seeing this?

This error occurs if we detect that another Firebase or Google Cloud project contains an OAuth 2.0 client ID with the same package name and SHA-1 fingerprint that you specified.

When you add Firebase to an Android application in the Firebase console, we try to generate a Google OAuth 2.0 Client ID for your app, which is used to authenticate your app with some Google APIs, such as Firebase Dynamic Links and Firebase Auth sign-in methods, including Google, Phone, and Play Games.

For security reasons, every pairing of a package name and SHA-1 certificate fingerprint used to create an OAuth 2.0 client ID must be unique across all Firebase and Google Cloud projects.

What impact can this have on my application?

The following features require that you configure a unique package and SHA-1 fingerprint:

Firebase Dynamic Links
Firebase Authentication (Google, Phone, and Play Games sign-in providers)

If you are not planning to use these features, there is no impact.

What can I do?

If you're not using Firebase Dynamic Links or Firebase authentication, you don't need to do anything. If you're adding an app and plan to add these features in the future, you can safely skip this step and complete it later.

If you are using one of these features, the simplest solution is to use a different package name or sign your app with a different key (see Authenticating your client for more information). This may not be appropriate for all cases, however.

Review the following possible scenarios and solutions:

I know which Google Cloud or Firebase project has the same package name and SHA-1, and it is no longer in use

Make sure that the OAuth 2.0 Client ID is no longer being used by any other APIs before deleting. Once deleted, it can no longer be used to make API requests.

You can remove the client from the Firebase project or the Google Cloud console. Removing from the Firebase project is preferred as it will remove the fingerprint from the Firebase project and delete the OAuth 2.0 client.

To remove the SHA-1 certificate fingerprint and OAuth 2.0 client from the Firebase console:

Open the Firebase console and navigate to Project Settings > General.
Locate your Android app and delete the SHA-1 fingerprint from SHA certificate fingerprints.
This should delete the fingerprint from your project and the OAuth 2.0 client ID from the Google Cloud console.

You can verify that the client was removed from Google Cloud console by opening the APIs & Services Credentials page, selecting your project, and ensuring that you no longer see an Android client that corresponds with the SHA-1 you just deleted listed under OAuth 2.0 Client IDs.

If the app is no longer in use and it is not associated with a Firebase project, you can delete the OAuth 2.0 client ID directly from Google Cloud console:

Open the APIs & Services Credentials page in the Google Cloud console.
Locate the client ID that corresponds to the app in the OAuth 2.0 Client IDs section and click it to open its details page.
After verifying that the SHA-1 certificate fingerprint matches the fingerprint you want to delete, click Delete.
When prompted, confirm the deletion.

I deleted the app, but I still receive an "OAuth2 client already exists" message

Deleting an app does not delete its associated OAuth 2.0 client ID. However, you can delete it from the Google Cloud console:

Open the APIs & Services Credentials page in the Google Cloud console.
Locate the client ID that corresponds to the app in the OAuth 2.0 Client IDs section and click it to open its details page.
Verify that the SHA-1 certificate fingerprint matches the fingerprint you want to delete, then, click Delete.
When prompted, confirm the deletion.

I deleted the project, but I still receive an "OAuth2 client already exists" message

Deleting a project does not delete its OAuth 2.0 client IDs. However, if it has been less than 30 days, you can restore the project, delete the OAuth 2.0 client IDs from the project, and then re-delete the project.

To restore the project:

Open the Pending Deletion page in the Google Cloud console, locate your project, select it, and click Restore. For more information about restoring projects, see Restoring a Project.
Open APIs & Services Credentials page in the Google Cloud console.
Locate the client ID that corresponds to the app in the OAuth 2.0 Client IDs section and click it to open its details page.
Verify that the SHA-1 certificate fingerprint matches the fingerprint you want to delete, then, click Delete.
When prompted, confirm the deletion.

I know which Google Cloud project contains the conflicting OAuth 2.0 client ID and I want to use it as the basis for my Firebase project

This approach is not recommended if your Firebase app is already in production or if you have Analytics or Crash data you wish to preserve.

If you just created this project or aren't very far into adding Firebase to your app, you can delete your project and instead use your existing Google project as the underlying resource for your Firebase project. To do this:

Delete your Firebase project. This action is permanent and will delete all data associated with your project.
Go to the Firebase console.
Click Add Project.
Select the existing project containing the OAuth 2.0 client ID and click Continue.

I need to retain the OAuth 2.0 client in a different project, but want to share Google sign-in

If you're planning on using Google sign-in, but not Dynamic Links or other authentication methods that require SHA-1, you can manually safelist your existing OAuth 2.0 client ID to use Google as a sign-in provider.

First, find your existing project's OAuth 2.0 client ID. To do this:

Open the Credentials page of the Google Cloud console. If the project containing the OAuth 2.0 client ID doesn't open automatically, select it from the project selector at the top of the page.
Under the OAuth 2.0 client IDs section, locate the client name containing the SHA-1 and package name you used for your Firebase project. If you're unsure which one is correct, click the name of the client to see its details.
When you have located the correct client name, copy the full value in the Client ID column.

Next, safelist this client ID for Google as a sign in provider. To do this:

Go to the Firebase console and select your project.
Select Authentication from the menu on the left.
Select the Sign-in method tab.
On the Sign-in method page, click on Google in the Sign-in providers card.
Expand the Safelist client IDs from external projects option.
Paste your client ID from the Cloud console into the text field and click Add.

I don't know which project contains the conflicting OAuth 2.0 client ID

If you don't know which project contains the conflicting OAuth 2.0 client ID, try these steps to see if you can locate it:

Go to the Credentials page of the Google Cloud console.
Under the OAuth 2.0 client IDs section, click the name of the client to see the SHA-1 and package name used to create the client ID. Repeat this until you find the correct client name or have tried all clients.

If you do not find a client name containing the matching SHA-1 and package name, select another project from the drop down menu in the upper right corner of the page and try the above procedure again.

It's also possible that another user in your organization is using the same SHA-1 certificate and package name. You may want to inquire within your organization or contact your Google Workspace admin to help find the source of the collision.

In some cases, the OAuth 2.0 client may be in a project that you or your organization do not own. If you are not able to locate the conflicting project, contact Firebase support and provide them with the conflicting package name and SHA-1 fingerprint.

Was this helpful?

How can we improve it?