Authenticating requests to the Google BigQuery API

The BigQuery API requires all requests to be authenticated as a user or a service account. This guide describes how to perform authentication in various application scenarios.

  1. Application Default Credentials
  2. Authenticating as an end user

Application Default Credentials

Application Default Credentials should be used in most cases. They allow your application to use its own default service account credentials to access BigQuery tables as its own identity. Unless your application accesses BigQuery tables only available to its end user, or requires queries to be billed to the end user's Cloud Platform project rather than the application's project, you should use Application Default Credentials.

Client libraries can use Application Default Credentials to easily authenticate with Google APIs and send requests to those APIs. With Application Default Credentials, you can test your application locally and deploy it without changing the underlying code. For more information, including code samples, see the Google Cloud Platform Auth Guide.

The following code sample demonstrates authenticating BigQuery API Clients using Application Default Credentials:

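Application Default Credentials let the same code run locally and when deployed because the client library, not the application, decides where the credentials come from. The following added example (not from the original page or from Google's samples) reports which source would be selected on a host and flags risky key files. The lookup order, the `type` field value, the POSIX paths and the permission check are assumptions based on the documented behaviour of the google-auth library; `resolve_adc` and `inspect_file` are hypothetical helper names.

```python
import json
import os
import stat
from pathlib import Path


def inspect_file(source, path):
    """Describe a credential file and flag risky properties."""
    result = {"source": source, "path": str(path), "type": None, "findings": []}
    if not path.is_file():
        result["findings"].append("file missing: ADC lookup fails")
        return result
    try:
        result["type"] = json.loads(path.read_text()).get("type")
    except (ValueError, AttributeError):
        result["findings"].append("not a JSON credential file")
        return result
    if result["type"] == "service_account":
        # Holds a private key that stays valid until it is deleted or rotated.
        result["findings"].append("long-lived service account key on disk")
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        result["findings"].append("file accessible to group/others")
    return result


def resolve_adc(env, home):
    """Return the credential source ADC would pick (assumed lookup order)."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:  # 1. explicit file; there is no fallback if it is missing
        return inspect_file("GOOGLE_APPLICATION_CREDENTIALS", Path(explicit))
    config_dir = env.get("CLOUDSDK_CONFIG") or Path(home) / ".config" / "gcloud"
    well_known = Path(config_dir) / "application_default_credentials.json"
    if well_known.is_file():  # 2. written by `gcloud auth application-default login`
        return inspect_file("gcloud well-known file", well_known)
    # 3. no local file: the service account attached to the runtime environment
    return {"source": "attached service account", "path": None,
            "type": None, "findings": []}


if __name__ == "__main__":
    print(json.dumps(resolve_adc(os.environ, Path.home()), indent=2))
```

A result of `attached service account` means no key material is stored on the host, which is the preferred state for deployed workloads.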

Authenticating as an end user

If your application needs to access BigQuery using the end user's identity (for example, if the table they want to access has an access control list that restricts access to that end user), you can use the OAuth 2.0 flow to obtain user credentials in various scenarios.

The credential object you obtain at the end of the flow can then be used as above in place of the application's default credentials object. See the documentation for your client library for details on how to obtain such a credentials object.
