The BigQuery API requires all requests to be authenticated as a user or a service account. This guide describes how to perform authentication in various application scenarios.
Application Default Credentials
Application Default Credentials should be used in most cases. It allows your application to use its own default service account credentials to access BigQuery tables as its own identity. Unless your application accesses BigQuery tables only available to its end user, or requires queries be billed to the end user's Cloud Platform project rather than the application's project, you should use Application Default Credentials
Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, including code samples, see Google Cloud Platform Auth Guide.
The following code sample demonstrates authenticating BigQuery API Clients using Application Default Credentials:
Authenticating as an end user
If your application needs to access BigQuery using the end user's identity (e.g. if the table they'd like to access has an access control list specified that restricts access to your end user), you can use the OAuth 2.0 flow to obtain user credentials in various scenarios.
- For web server applications, see Using OAuth 2.0 for Web Server Applications
- For installed applications, see Using OAuth 2.0 for Installed Applications
credential object you obtain at the end of the flow can then be used as above in place of the application's default credentials object.
See the documentation
for your client library for details on how to obtain such a