Choosing an Authentication Method

Endpoints Frameworks supports multiple authentication methods that are suited to different applications and use cases. Endpoints Frameworks uses the authentication method that you have specified in your annotation to validate incoming requests before passing them to your API backend. This document provides an overview and sample use cases for each supported authentication method.

API keys

An API key is a simple encrypted string that identifies a Google Cloud Platform (GCP) project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the GCP Console and embeds that key in every call to your API as a query parameter.

If you specify an API key requirement in your annotation, Endpoints Frameworks uses the API key to look up the GCP project that the API key is associated with. Endpoints Frameworks rejects requests unless the API key was generated in your GCP project or within other GCP projects in which your API has been enabled. For more information, see Restricting API Access with API Keys

Unlike credentials that use short-lived tokens or signed requests and are sent in the request header, clients send an API key as a query parameter. Even though query parameters get encrypted in HTTPS, API keys are not secure. For example, some servers might store the entire URL of each request in clear text in a server log. For security reasons, do not use API keys by themselves when API calls contain user data. You can use API keys in addition to one of the authentication methods described below.

For best practices on securing and adding restrictions to API keys, see Using API Keys. Although "Using API Keys" is targeted for clients using Google APIs, the best practices are applicable to APIs that you create using Endpoints Frameworks.

Use case

If you want to use Endpoints features such as quotas, each request must pass in an API key so that Endpoints can identify the GCP project that the client application is associated with.

For more information about API keys, see Why and When to Use API Keys.

Firebase Authentication

Firebase Authentication provides backend services, SDKs, and libraries to authenticate users to a mobile or web app. It authenticates users using a variety of credentials such as Google, Facebook, Twitter, or GitHub.

The Firebase client library signs a JSON Web Token (JWT) with a private key after the user has successfully signed in. Endpoints Frameworks validates that the JWT was signed by Firebase and that the "iss" (issuer) claim in the JWT, which identifies your Firebase application, matches the issuer setting in the annotation.

Use case

Because Firebase Authentication integrates tightly with other Firebase services, it is well suited for mobile or web apps that use Firebase. See Authenticating with Firebase Auth.

Auth0

Auth0 authenticates and authorizes apps and APIs regardless of identity provider, platform, stack and device.

Auth0 supports a large number of providers and the Security Assertion Markup Language specification. It provides backend services, SDKs and user interface libraries for authenticating users in web and mobile apps. Auth0 integrates with several third-party identity providers and also provides custom user account management.

The client library provided by Auth0 generates and signs a JWT once the user has signed in. Endpoints Frameworks validates the JWT was signed by Auth0 and that the "iss" claim in the JWT, which identifies your Auth0 application, matches the issuer setting in the annotation.

Use case

Auth0 is well suited for consumer and enterprise web and mobile apps. For more information, see Authenticating with Auth0.

Google ID token authentication

Authentication using a Google ID token allows users to authenticate by signing in with a Google account. Once authenticated, the user has access to all Google services. You can use Google ID tokens to make calls to Google APIs and APIs that you have implemented using Endpoints Frameworks. Endpoints Frameworks validates the Google ID token using the public key and ensures that the "iss" claim in the JWT is https://accounts.google.com or accounts.google.com.

Use case

Authentication using a Google ID token is recommended when all users have Google accounts. You might choose to use Google ID token authentication, for example, if your API accompanies G Suite Applications (for example, a Google Drive companion). Google ID token authentication allows users to authenticate by signing in with a Google account. Once authenticated, the user has access to all Google services.

For more information, see Authenticating with Google ID tokens.

JWTs and service accounts

A JSON Web Token (JWT) is commonly used to share claims or assertions between connected applications. A JWT representing a service account can be signed either by:

  • The service account.

  • Google's authorization service. (A JWT signed by Google's authorization service is referred to as a Google ID token.)

Authenticating a request using a JWT signed by a service account might be easier to implement, but if you have a large number of service accounts, or if you want to accept credentials from service accounts you don't own, using a Google ID token is recommended because you only need to whitelist https://accounts.google.com or accounts.google.com as an issuer for all service accounts.

Use case

JWTs and service accounts are well suited for microservices. For more information, see Authenticating with a Service Account.

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Endpoints Frameworks for App Engine
Need help? Visit our support page.