Authenticating requests to the Google BigQuery API

The BigQuery API requires all requests to be authenticated as a user or a service account. This guide describes how to perform authentication in various application scenarios.

  1. Application Default Credentials
  2. Authenticating as an end user

Application Default Credentials

Application Default Credentials should be used in most cases. It allows your application to use its own default service account credentials to access BigQuery tables as its own identity. Unless your application accesses BigQuery tables only available to its end user, or requires queries be billed to the end user's Cloud Platform project rather than the application's project, you should use Application Default Credentials

Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, including code samples, see Google Cloud Platform Auth Guide.

The following code sample demonstrates authenticating BigQuery API Clients using Application Default Credentials:


private static Bigquery createAuthorizedClient() throws IOException {
  // Create the credential
  HttpTransport transport = new NetHttpTransport();
  JsonFactory jsonFactory = new JacksonFactory();
  GoogleCredential credential = GoogleCredential.getApplicationDefault(transport, jsonFactory);

  // Depending on the environment that provides the default credentials (e.g. Compute Engine, App
  // Engine), the credentials may require us to specify the scopes we need explicitly.
  // Check for this case, and inject the BigQuery scope if required.
  if (credential.createScopedRequired()) {
    Collection<String> bigqueryScopes = BigqueryScopes.all();
    credential = credential.createScoped(bigqueryScopes);

  return new Bigquery.Builder(transport, jsonFactory, credential)
      .setApplicationName("BigQuery Samples")


This sample uses the Google Cloud Client Library for Python.

Import the client library:

from gcloud import bigquery

Instantiate a client:

bigquery_client = bigquery.Client()


public BigqueryService CreateAuthorizedClient()
    GoogleCredential credential =
    // Inject the Bigquery scope if required.
    if (credential.IsCreateScopedRequired)
        credential = credential.CreateScoped(new[]
    return new BigqueryService(new BaseClientService.Initializer()
        HttpClientInitializer = credential,
        ApplicationName = "DotNet Bigquery Samples",


This sample uses the Google Cloud Library for PHP.

use Google\Cloud\ServiceBuilder;

$builder = new ServiceBuilder([
    'projectId' => $projectId,
$bigQuery = $builder->bigQuery();


This sample uses the Google Cloud Client Library for Node.js.

Import the client library:

// By default, gcloud will authenticate using the service account file specified
// by the GOOGLE_APPLICATION_CREDENTIALS environment variable and use the
// project specified by the GCLOUD_PROJECT environment variable. See
var BigQuery = require('@google-cloud/bigquery');

Instantiate a client:

var bigquery = BigQuery();


This sample uses the Google Cloud Client Library for Go.

Import the client library:

import (



Instantiate a client:

client, err := bigquery.NewClient(ctx, proj)


This sample uses the Google Cloud Client Library for Ruby.

Import the client library and instantiate a client:

require "gcloud"

gcloud = project_id
bigquery = gcloud.bigquery

Authenticating as an end user

If your application needs to access BigQuery using the end user's identity (e.g. if the table they'd like to access has an access control list specified that restricts access to your end user), you can use the OAuth 2.0 flow to obtain user credentials in various scenarios.

The credential object you obtain at the end of the flow can then be used as above in place of the application's default credentials object. See the documentation for your client library for details on how to obtain such a credentials object.

Send feedback about...

BigQuery Documentation