Accessing the Admin API

Before users or applications can use the App Engine Admin API, you as a Google Cloud project owner must first enable the API in your project and then create credentials that users or applications can use to authorize HTTP requests.

For example, an owner must first create an initial Google Cloud project and then create credentials in that project before anyone can send HTTP requests to the Admin API. After the owner sets up and configures the initial project, that project can then be used for administrative purposes to programmatically create and manage other resources, for example:

  • Creating other Google Cloud projects.
  • Creating App Engine applications for all newly created projects.
  • Deploying app versions to newly created App Engine applications.
  • Managing resources in all of the versions that you deployed.

Before you begin

To complete the following task, you must be an owner of the Google Cloud project where you want to enable the Admin API for users and applications to access.

Configuring your project and creating credentials

To configure your Google Cloud project and create credentials:

  1. Enable both the App Engine Admin API and Cloud Storage API in your Google Cloud project:

    Enable both APIs

  2. Create credentials that users and applications use to access the Admin API in your project.

    To create credentials, review the Google Cloud Platform Auth Guide and then choose the OAuth 2.0 authorization flow that meets your app's requirements.


To demonstrate an authentication flow, the examples below use the client-side OAuth 2.0 flow to obtain a token. The token is used to authorize requests to the Admin API using the cURL command-line tool to deploy the example app to the App Engine application of the project [MY_PROJECT_ID].

Authentication example

In this example, the client-side authorization flow known as the implicit grant flow, requires the user to authorize the client application for access to the Admin API on behalf of the user. The access token that is returned is valid for approximately 60 minutes or generally while the user is active on your application.

HTTP request

The following URL uses a client ID that was created in the Google Cloud console to request an access token and then redirect the user to an authorized URI where your app receives the token:


  • [MY_CLIENT_ID] is a Client ID from one of your credentials in the Google Cloud console.
  • [MY_REDIRECT_URI] is the corresponding Authorized redirect URIs from the same credential in the Google Cloud console. If no redirect URI is specified, you must specify a trusted URI, for example The redirect URI defines where the HTTP response is sent. For production, you must specify your application's auth endpoint, which handles responses from the OAuth 2.0 server. For more information, see Using OAuth 2.0 for Web Server Applications.

HTTP response

When the application uses the URL to request authorization, the access token is returned in a response, for example:[MY_ACCESS_TOKEN]&

Where [MY_ACCESS_TOKEN] is the returned access token that you requested.

After you obtain an access token, you can use it to access the Admin API. For example, your application's auth endpoint can programmatically extract the access token from the response. See the following example for how to manually use your token in a cURL command.

HTTP request example using cURL

The following cURL command demonstrates how you can use your [MY_ACCESS_TOKEN] access token to make an HTTP POST request. This cURL command deploys the resources defined in the app.json configuration file to the v1 version of the default service in the application of project MY_PROJECT_ID.

curl -X POST -T "app.json" -H "Content-Type: application/json" -H "Authorization: Bearer [MY_ACCESS_TOKEN]"[MY_PROJECT_ID]/services/default/versions

What's next