Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to use access tokens to authenticate when calling
Google Cloud APIs.
Fetching access tokens
When your code runs on Knative serving it can use the
Compute Metadata Server
to fetch access tokens. You cannot query the metadata server directly from your
local computer.
Access tokens
You use access tokens when calling Google APIs.
By default, access tokens have the cloud-platform scope, which allows access
to all Google Cloud APIs, assuming Identity and Access Management also allows access. In order to
access other Google or Google Cloud APIs, you will need to fetch an access
token with the appropriate scope.
Where SCOPES is a comma separated list of OAuth scopes
requested, for example: https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/spreadsheets.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eAccess tokens are used to authenticate when calling Google Cloud APIs.\u003c/p\u003e\n"],["\u003cp\u003eCode running on Knative serving can fetch access tokens using the Compute Metadata Server.\u003c/p\u003e\n"],["\u003cp\u003eBy default, access tokens have the \u003ccode\u003ecloud-platform\u003c/code\u003e scope, providing access to all Google Cloud APIs, subject to Identity and Access Management permissions.\u003c/p\u003e\n"],["\u003cp\u003eYou can request access tokens with specific scopes using a \u003ccode\u003ecurl\u003c/code\u003e command and including a comma-separated list of OAuth scopes.\u003c/p\u003e\n"],["\u003cp\u003eOnly on certain services such as App Engine, Cloud Run functions, Cloud Run and Knative serving, you can use the query parameter \u003ccode\u003e?scopes=\u003c/code\u003e to set the scope.\u003c/p\u003e\n"]]],[],null,["# Service identity\n\nThis page describes how to use access tokens to authenticate when calling\nGoogle Cloud APIs.\n\nFetching access tokens\n----------------------\n\nWhen your code runs on Knative serving it can use the\n[Compute Metadata Server](/compute/docs/storing-retrieving-metadata)\nto fetch access tokens. You cannot query the metadata server directly from your\nlocal computer.\n\n### Access tokens\n\nYou use access tokens when calling Google APIs.\n\nBy default, access tokens have the `cloud-platform` scope, which allows access\nto all Google Cloud APIs, assuming Identity and Access Management also allows access. In order to\naccess other Google or Google Cloud APIs, you will need to fetch an access\ntoken with the appropriate scope.\n\nYou can use the Compute Metadata Server to\n[fetch access tokens](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#applications).\n\nIf you need an access token with a specific scope, you can generate one as\nfollows: \n\n```bash\ncurl \"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scopes=\u003cvar translate=\"no\"\u003e[SCOPES]\u003c/var\u003e\" \\\n -H \"Metadata-Flavor: Google\"\n```\n\nWhere \u003cvar translate=\"no\"\u003eSCOPES\u003c/var\u003e is a comma separated list of OAuth scopes\nrequested, for example: `https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/spreadsheets`.\n\nConsult the full list of [Google OAuth scopes](https://developers.google.com/identity/protocols/googlescopes)\nto find which scopes you need.\n| **Note:** the `?scopes=` query parameter is only available on App Engine, Cloud Run functions, Cloud Run, and Knative serving.\n\nNext steps\n----------\n\nLearn how to [manage access](/anthos/run/archive/docs/securing/managing-access) to your services."]]
