Using Firebase to authenticate users
====================================

This page describes how to support user authentication in API Gateway.

To authenticate a user, a client application must send a [JSON Web Token (JWT)](https://jwt.io/) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication. However, you do need to configure the API config for your gateway to support your chosen authentication methods.

Configuring API Gateway to support client authentication
--------------------------------------------------------

You must have a [security requirement object](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityRequirementObject) and a [security definitions object](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityDefinitionsObject) in your API config for API Gateway to validate the claims in the signed JWT.

To support Firebase authentication:
1. Add the following to the security definition in your API config, which follows the [OpenAPI 2.0 security scheme](https://swagger.io/specification/v2/#securityDefinitionsObject):

   ```yaml
   securityDefinitions:
     firebase:
       authorizationUrl: ""
       flow: "implicit"
       type: "oauth2"
       # Replace YOUR-PROJECT-ID with your project ID
       x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
       x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
       x-google-audiences: "YOUR-PROJECT-ID"
   ```
2. Add a `security` section at either the API level, to apply to the entire API, or at the method level, to apply to a specific method.

   ```yaml
   security:
     - firebase: []
   ```
You can define multiple security definitions in the API config, but each definition must have a different issuer. If you use `security` sections at both the API level and at the method level, the method-level settings override the API-level settings.
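The following complete API config is an added example, not a configuration from this page or from Google. It puts the Firebase definition on the whole API and overrides it on one method with a second definition whose issuer differs (the `google_id_token` definition uses the public Google ID token issuer and certificate endpoint). The API title, the paths, `YOUR-OAUTH-CLIENT-ID` and the `x-google-backend` address are placeholders.

```yaml
swagger: "2.0"
info:
  title: echo-api          # placeholder
  version: "1.0.0"
schemes:
  - https
produces:
  - application/json
# Placeholder backend. Because x-google-backend is set, the gateway overrides
# the client's Authorization header before forwarding, so the backend reads the
# user identity from X-Apigateway-Api-Userinfo instead.
x-google-backend:
  address: https://backend.example.com

securityDefinitions:
  # Firebase ID tokens, exactly as configured on this page.
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/YOUR-PROJECT-ID"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "YOUR-PROJECT-ID"
  # A second definition with a different issuer: Google ID tokens.
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    x-google-audiences: "YOUR-OAUTH-CLIENT-ID"   # placeholder

# API-level requirement: every method accepts Firebase tokens unless it says otherwise.
security:
  - firebase: []

paths:
  /echo:
    post:
      summary: Inherits the API-level requirement (Firebase users)
      operationId: echo
      responses:
        "200":
          description: OK
  /admin/report:
    get:
      summary: Method-level override; only Google ID tokens are accepted here
      operationId: adminReport
      security:
        - google_id_token: []
      responses:
        "200":
          description: OK
```

The method-level `security` on `/admin/report` replaces the API-level requirement rather than adding to it, so a Firebase token presented to that method is rejected by the gateway, and a Google ID token presented to `/echo` is rejected in turn. Keeping the two issuers in separate definitions is what lets the gateway map each token's `iss` claim to the right JWKS.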
API Gateway validates a JWT in a performant way by using the JWT issuer's [JSON Web Key Set (JWKS)](https://tools.ietf.org/html/rfc7517). The location of the JWKS is specified in the `x-google-jwks_uri` field of the gateway's API config. API Gateway caches the JWKS for five minutes and refreshes it every five minutes, so a newly rotated signing key can take up to five minutes to be picked up.

Making an authenticated call to an API Gateway API
--------------------------------------------------

Before your client can call the API, add authentication code to your client application, following the [Firebase authentication](https://firebase.google.com/docs/auth/) documentation. Firebase supports authentication by using passwords, phone numbers, and popular federated identity providers like Google, Facebook and Twitter.

When your client application sends an HTTP request, the JWT in the authorization header must contain the following claims:

- `iss` (issuer)
- `sub` (subject)
- `aud` (audience)
- `iat` (issued at)
- `exp` (expiration time)

When you send a request using an authentication token, we recommend that you put the token in the `Authorization: Bearer` header. For example:

```
curl --request POST \
  --header "Authorization: Bearer ${TOKEN}" \
  "${GATEWAY_URL}/echo"
```

Here, `GATEWAY_URL` and `TOKEN` are environment variables containing your deployed gateway URL and authentication token, respectively. See [Making an authenticated request to an API Gateway API](/api-gateway/docs/authenticate-service-account#making_an_authenticated_request) for sample code that sends a request using the `Authorization: Bearer` header.

If you cannot use the header when sending the request, you can put the authentication token in a query parameter called `access_token`. For example:

```
curl "${GATEWAY_URL}/echo?access_token=${TOKEN}"
```

Prefer the header whenever you can: query strings are routinely written to access logs and browser history, which exposes the token.

Receiving authenticated results in your API
-------------------------------------------

API Gateway usually forwards all headers it receives. However, it overrides the original `Authorization` header when the backend address is specified by `x-google-backend` in the API config.

API Gateway sends the authentication result to the backend API in the `X-Apigateway-Api-Userinfo` header. Use this header instead of the original `Authorization` header. The header value is `base64url` encoded and contains the JWT payload. Because the header carries no signature of its own, the backend should trust it only when requests can reach the backend solely through the gateway; a client that can call the backend directly could set the header itself.

What's next
-----------

- [Authentication between services](/api-gateway/docs/authenticate-service-account)

Last updated 2025-09-03 UTC.
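To show how a backend consumes the `X-Apigateway-Api-Userinfo` header described under "Receiving authenticated results", here is an added example. It is not code from the API Gateway documentation or from Google. It assumes the backend is reachable only through the gateway (otherwise the header is forgeable), and that `PROJECT_ID` mirrors the `x-google-issuer` / `x-google-audiences` values in the API config, so the claim checks are defense in depth on top of the gateway's own validation. The sample payload and the `encode_userinfo` helper that mimics the gateway's encoding are constructed for the example.

```python
"""Consume the authentication result API Gateway forwards to a backend.

Added example for this page; not code from the API Gateway docs or Google.
Assumptions (not stated on the page):
  * The backend is reachable only through the gateway. If a client can reach
    the backend directly it can forge X-Apigateway-Api-Userinfo.
  * PROJECT_ID mirrors the x-google-audiences / x-google-issuer values in the
    API config; the re-checks below are defense in depth, not the primary check.
"""
import base64
import json
import time
from typing import Dict, Optional

PROJECT_ID = "YOUR-PROJECT-ID"  # same placeholder as the API config on this page
EXPECTED_ISSUER = f"https://securetoken.google.com/{PROJECT_ID}"
USERINFO_HEADER = "X-Apigateway-Api-Userinfo"
# The claims the page lists as required in the client's JWT.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "iat", "exp")


def decode_userinfo(header_value: str) -> Dict:
    """Decode the base64url-encoded JWT payload carried in the header.

    The value may arrive without '=' padding, so restore it before decoding.
    """
    padded = header_value + "=" * (-len(header_value) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    if not isinstance(claims, dict):
        raise ValueError("userinfo payload is not a JSON object")
    return claims


def authenticated_user(headers: Dict[str, str], now: Optional[float] = None) -> str:
    """Return the Firebase user id (the `sub` claim) for a forwarded request.

    Raises PermissionError if the request carries no gateway userinfo header
    or if its claims do not match this API's configuration.
    """
    now = time.time() if now is None else now
    raw = headers.get(USERINFO_HEADER)
    if raw is None:
        # No gateway-validated identity. Do not fall back to parsing
        # Authorization: the gateway may have overridden it (x-google-backend).
        raise PermissionError("missing gateway authentication result")
    claims = decode_userinfo(raw)
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise PermissionError(f"userinfo is missing claims: {missing}")
    if claims["iss"] != EXPECTED_ISSUER:
        raise PermissionError("issuer does not match x-google-issuer")
    aud = claims["aud"]
    if aud != PROJECT_ID and not (isinstance(aud, list) and PROJECT_ID in aud):
        raise PermissionError("audience does not match x-google-audiences")
    if claims["exp"] <= now:
        raise PermissionError("token has expired")
    return claims["sub"]


def encode_userinfo(claims: Dict) -> str:
    """Build the header value the way the gateway does: base64url of the JSON
    payload, without padding. Used here only to construct the sample below."""
    raw = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample payload of a Firebase ID token; not a real token.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": PROJECT_ID,
    "sub": "firebase-uid-123",
    "iat": 1700000000,
    "exp": 1700003600,
}


def sample_headers() -> Dict[str, str]:
    """Headers of one request as the gateway would forward them (constructed)."""
    return {
        # Overridden by the gateway when x-google-backend is set; placeholder value.
        "Authorization": "Bearer <replaced-by-gateway>",
        USERINFO_HEADER: encode_userinfo(SAMPLE_CLAIMS),
    }


if __name__ == "__main__":
    print("authenticated user:", authenticated_user(sample_headers(), now=1700000100))
```

`authenticated_user` refuses requests without the header instead of falling back to the bearer token, since with `x-google-backend` the `Authorization` header the backend sees is no longer the end user's. The `aud` check accepts either a string or a list because JWT audiences may be encoded both ways.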