Setting up OAuth 2.0
To use OAuth 2.0 in your application, you need an OAuth 2.0 client ID, which your application uses when requesting an OAuth 2.0 access token.
To create an OAuth 2.0 client ID in the console:
- Go to the API Console.
- From the projects list, select a project or create a new one.
- If the APIs & services page isn't already open, open the console left side menu and select APIs & services.
- On the left, click Credentials.
- Click New Credentials, then select OAuth client ID.
Note: If you're unsure whether OAuth 2.0 is appropriate for your project, select Help me choose and follow the instructions to pick the right credentials.
- Select the appropriate application type for your project and enter any additional information required. Application types are described in more detail in the following sections.
- If this is your first time creating a client ID, you can also configure your consent screen by clicking Consent Screen. (The following procedure explains how to set up the Consent screen.) You won't be prompted to configure the consent screen after you do it the first time.
- Click Create client ID
To delete a client ID, go to the Credentials page, check the box next to the ID, and then click Delete.User consent
When you use OAuth 2.0 for authentication, your users are authenticated after they agree to terms that are presented to them on a user consent screen. Google verifies public applications that use OAuth 2.0 and:
- Use Google APIs that use sensitive scopes.
- Have an application logo added on the OAuth consent screen.
- Exceed the domain threshold per project.
If your application uses sensitive scopes without verification, the unverified app screen displays before the consent screen for users who are outside of your G Suite organization. To remove the unverified app screen, you can request OAuth developer verification by our team when you complete the Google API Console OAuth consent screen page.
To set up your project's consent screen and request verification:
- Go to the Google API Console OAuth consent screen page.
- Add required information like a product name and support email address.
- Click Add Scope.
- On the dialog that appears, select the scopes your project uses. Sensitive scopes display a lock icon next to the API name.
- When you're finished adding details to the OAuth consent screen, click Submit for verification.
- A Verification required window displays.
- Add scopes justification, a contact email address, and any other information that can help the team with verification, then click Submit.
Note: The consent screen settings within the console are set at the project level, so the information that you specify on the Consent screen page applies across the entire project.
When a project goes through verification, the current status displays under Verification status:
- Being verified: an OAuth developer verification is in progress.
- Published: your OAuth consent screen passed the verification and your project is verified.
- Failed verification: your OAuth consent screen didn't pass the verification. Your last approved consent screen is still in use. You'll receive more information at the contact email you provided, or you can contact the Trust and Security team at firstname.lastname@example.org.
For more information about user authentication, see the OAuth 2.0 documentation.
- A public application allows access to users outside of your organization (@your-organization.com).
- Access can be from consumer accounts, like @gmail.com, or other organizations, like @partner-organization.com.
- Public applications need to go through verification as detailed above.
- An internal application will only allow access to users from your organization (@your-organization.com).
For more information about setting up organizations and organization access, see the GCP Organizations documentation.
To protect you and your users, Google restricts your OAuth 2.0 application to using Authorized Domains. If you have verified the domain with Google, you can use any Top Private Domain as an Authorized Domain.
After you add an Authorized Domain, you can use any of its subdomains or pages, and any other associated country codes. For example, if you have added https://google.com you can use https://flights.google.com, https://google.com/flights, and https://google.co.uk/flights.
Service accounts, web applications, and installed applications
For information about setting up service accounts, web applications, or installed applications, see the following topics.Service accounts
A service account is used in an application that calls APIs on behalf of an application that does not access user information. This type of application needs to prove its own identity, but it does not need a user to authorize requests.
For example, if your project employs server-to-server interactions such as those between a web application and Google Cloud Storage, then you need a private key and other service account credentials. To generate these credentials, or to view the email address and public keys that you've already generated, do the following:
- Open the API Console Credentials page.
- If it's not already selected, select the project that you're creating credentials for.
- To set up a new service account, click New credentials and then select Service account key.
- Choose the service account to use for the key.
- Choose whether to download the service account's public/private key as a standard P12 file, or as a JSON file that can be loaded by a Google API client library.
Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely.
Your project needs the private key when requesting an OAuth 2.0 access token in server-to-server interactions. Google does not keep a copy of this private key, and this screen is the only place to obtain this particular private key. When you click Download private key, the PKCS #12-formatted private key is downloaded to your local machine. As the screen indicates, you must securely store this key yourself.
The name of the downloaded private key is the key's thumbprint. When inspecting the key on your computer, or using the key in your application, you need to provide the password
notasecret. Note that while the password for all Google-issued private keys is the same (
notasecret), each key is cryptographically unique.
You can generate multiple public-private key pairs for a single service account. This makes it easier to update credentials or roll them over without application downtime. However, you cannot delete a key pair if it is the only one created for that service account.
Use the email address when granting the service account access to supported Google APIs.
For more details, see the OAuth 2.0 Service Accounts documentation.
Note: When you use a service account, you are subject to the Terms of Service for each product, both as an end user and as a developer.
The Google Service accounts documentation contains more detailed information about service accounts.
A web application is accessed by web browsers over a network.
- Applications that use languages and frameworks like PHP, Java, Python, Ruby, and .NET must specify authorized redirect URIs. The redirect URIs are the endpoints to which the OAuth 2.0 server can send responses.
If your application is going to be installed on a device or computer (such as a system running Microsoft Windows, Apple OS X, Apple iOS, or Android), you can use either of two OAuth 2.0 flows, as described in Google's OAuth 2.0 Installed Applications and Devices documentation.Chrome
Note: Currently, obtaining OAuth 2.0 access tokens via AccountManager works for Android Ice Cream Sandwich (4.0) and newer versions.
You need to specify your Android app's package name and SHA1 fingerprint.
- In the Package name field, enter your Android app's package name.
- In a terminal, run the Keytool utility to get the SHA1 fingerprint for your digitally signed
.apkfile's public certificate.
keytool -exportcert -alias androiddebugkey -keystore path-to-debug-or-production-keystore -list -v
Note: For the
debug.keystore, the password is android. For Eclipse, the debug keystore is typically located at
The Keytool prints the fingerprint to the shell. For example:
$ keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore -list -v
Enter keystore password: Type "android" if using debug.keystore
Alias name: androiddebugkey
Creation date: Aug 27, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Serial number: 503bd581
Valid from: Mon Aug 27 13:16:01 PDT 2012 until: Wed Aug 20 13:16:01 PDT 2042
Signature algorithm name: SHA1withRSA
Copy the SHA1 fingerprint, which is bold in the example above.
Important: When you prepare to release your app to your users, follow these steps again and create a new OAuth 2.0 client ID for your production app. For production apps, use your own private key to sign the production app's
.apkfile. For more information, see Signing your applications.
- Paste the SHA1 fingerprint into the form where requested.
- Click Create.
If your application accesses APIs directly from iOS, you will need the application's Bundle ID and (optionally) its Apple App Store ID:
- The application's Bundle ID is the bundle identifier as listed in the app's
.plistfile. For example:
- The application's App Store ID is in the app's iTunes URL, if the app was published in the Apple iTunes App Store. For example, in the app URL
http://itunes.apple.com/us/app/google+/id447119634, the App Store ID is
- The application's Team ID is a 10-character string that Apple assigns to your team. For information about your Team ID, see Locating your Team ID in the Apple App Distribution Guide.
After creating your iOS credentials and obtaining a Client ID, you use the Installed Application OAuth 2.0 flow to communicate with Google APIs.
The console does not require any additional information to create OAuth 2.0 credentials for other types of installed applications.