Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to add support in your API for user authentication from
client applications by using Cloud Endpoints Frameworks. Note that
Android and JavaScript clients are currently supported.
Endpoints Frameworks supports user authentication from client
applications that use any of the following methodologies:
No matter which authentication method you use, in each API method where you want
to check for proper authentication, you must check for a valid User as
described in the following sections:
If you use JWT in your client to send authenticated requests to the API,
the JWT must be in the authorization header of a HTTP request. The JWT should
have the following required claims:
iss
sub
aud
iat
exp
Authenticating with Firebase Auth
To support calls from clients that use Firebase Auth:
Import the App Engine Cloud Endpoints API in your API class:
importendpoints
Add a Firebase issuer object for each client to the
API decorator.
For example:
Replace VERSION_NUMBER with your API version, for
example, v1.
Replace code>YOUR_PROJECT_ID with the Google Cloud
project ID of the client.
In each API method where you want to check for proper authentication,
check for a valid User and raise error 401 if there isn't one, as
shown in this sample method definition:
user=endpoints.get_current_user()# If there's no user defined, the request was unauthenticated, so we# raise 401 Unauthorized.
You can add Firebase authentication to your code as described in the
Firebase
documentation. The client must have a Google Cloud project associated with
it, and the project ID must be listed in the API's Firebase issuer
configuration.
Authenticating with Auth0
To support calls from clients that use Auth0:
Import the App Engine Endpoints API in your API class:
importendpoints
Add an Auth0 issuer object for each client to
the
API decorator.
For example:
Replace VERSION_NUMBER with your API version, for
example, v1.
Replace YOUR_ACCOUNT_NAME with the Auth0 account
name used for the client.
In each API method where you want to check for proper authentication,
check for a valid User and raise error 401 if there isn't one, as
shown in this sample method definition:
user=endpoints.get_current_user()# If there's no user defined, the request was unauthenticated, so we# raise 401 Unauthorized.
Deploy the API. You
need to redeploy the API whenever you add new clients.
Adding Auth0 authentication to a client
You can add Auth0 authentication to your code as described in the
Auth0
documentation. The client must be listed in the API's Auth0 issuer configuration.
Authenticating with Google ID tokens
To support calls from clients that authenticate using Google ID tokens:
Obtain an OAuth 2 client ID for each client application. The client
application owner must generate the client ID from the Google Cloud console. For
instructions, see
Creating client IDs.
Import the App Engine Endpoints API in your API class:
importendpoints
Specify all of the client IDs you want to grant access to your API
in the allowed_client_ids, and also specify client IDs belonging to Android
clients in theaudiences field in the
API decorator.
For example:
@endpoints.api(
name='YOUR_API_NAME',
version='VERSION_NUMBER',
allowed_client_ids=ALLOWED_CLIENT_IDS,
audiences=[ANDROID_AUDIENCE])
class AuthedGreetingApi(remote.Service):
# ...
Replace ALLOWED_CLIENT_IDS with the list of OAuth 2
client IDs generated from each client's project, and replace
ANDROID_AUDIENCE with the list of Android web client
IDs. The web client ID is the client ID with .apps.googleusercontent.com
appended, for example:
YOUR_CLIENT_ID.apps.googleusercontent.com.
In each API method where you want to check for proper authentication,
check for a valid User and raise error 401 if there isn't one, as
shown in this sample method definition:
user=endpoints.get_current_user()# If there's no user defined, the request was unauthenticated, so we# raise 401 Unauthorized.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThis guide outlines how to implement user authentication in your API using Cloud Endpoints Frameworks, currently supporting Android and JavaScript clients.\u003c/p\u003e\n"],["\u003cp\u003eEndpoints Frameworks enables user authentication from client applications via Firebase Auth, Auth0, or Google ID tokens.\u003c/p\u003e\n"],["\u003cp\u003eTo ensure proper authentication, you must check for a valid \u003ccode\u003eUser\u003c/code\u003e within each API method, regardless of the chosen authentication method.\u003c/p\u003e\n"],["\u003cp\u003eImplementing authentication involves importing the App Engine Endpoints API, configuring issuer objects in the API decorator, and deploying the updated API.\u003c/p\u003e\n"],["\u003cp\u003eIf you use JWT in your client to send authenticated requests to the API, the JWT must be in the authorization header of a HTTP request and contain the claims \u003ccode\u003eiss\u003c/code\u003e, \u003ccode\u003esub\u003c/code\u003e, \u003ccode\u003eaud\u003c/code\u003e, \u003ccode\u003eiat\u003c/code\u003e, and \u003ccode\u003eexp\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Authenticating users\n\nThis page describes how to add support in your API for user authentication from\nclient applications by using Cloud Endpoints Frameworks. Note that\nAndroid and JavaScript clients are currently supported.\n\nEndpoints Frameworks supports user authentication from client\napplications that use any of the following methodologies:\n\n- [Firebase Auth](https://firebase.google.com/docs/auth/)\n- [Auth0](http://auth0.com)\n- [Google ID tokens](/endpoints/docs/frameworks/glossary#google_id_token)\n\nNo matter which authentication method you use, in each API method where you want\nto check for proper authentication, you must check for a valid `User` as\ndescribed in the following sections:\n\n- [Authenticating with Firebase Auth](#authenticating_with_firebase_auth)\n- [Authenticating with Auth0](#authenticating_with_auth0)\n- [Authenticating with Google ID tokens](#google-id-tokens)\n\nPrerequisites\n-------------\n\nThis page assumes that you have already:\n\n- Created a\n [Google Cloud project](/resource-manager/docs/creating-managing-projects).\n\n- [Added API management](/endpoints/docs/frameworks/java/adding-api-management).\n\n \u003cbr /\u003e\n\n- If you use JWT in your client to send authenticated requests to the API, the JWT must be in the authorization header of a HTTP request. The JWT should have the following required claims:\u003cbr /\u003e\n\n - `iss`\n - `sub`\n - `aud`\n - `iat`\n - `exp`\n\n \u003cbr /\u003e\n\nAuthenticating with Firebase Auth\n---------------------------------\n\nTo support calls from clients that use Firebase Auth:\n\n1. Import the App Engine Cloud Endpoints API in your API class:\n\n import endpoints\n\n2. Add a Firebase issuer object for each client to the\n [API decorator](/endpoints/docs/frameworks/python/decorators-reference#defining_the_api_endpointsapi).\n For example:\n\n ```\n @endpoints.api(\n name='YOUR_API_NAME',\n version='VERSION_NUMBER',\n issuers={'firebase': endpoints.Issuer(\n 'https://securetoken.google.com/YOUR_PROJECT_ID,\n 'https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com')})\n ```\n - Replace \u003cvar translate=\"no\"\u003eYOUR_API_NAME\u003c/var\u003e with the name of your API.\n - Replace \u003cvar translate=\"no\"\u003eVERSION_NUMBER\u003c/var\u003e with your API version, for example, `v1`.\n - Replace code\\\u003e\u003cvar translate=\"no\"\u003eYOUR_PROJECT_ID\u003c/var\u003e with the Google Cloud project ID of the client.\n3. In each API method where you want to check for proper authentication,\n check for a valid `User` and raise `error 401` if there isn't one, as\n shown in this sample method definition:\n\n user = endpoints.get_current_user()\n # If there's no user defined, the request was unauthenticated, so we\n # raise 401 Unauthorized.\n\n4. [Deploy the Endpoints API](/endpoints/docs/frameworks/python/test-deploy).\n You need to redeploy the Endpoints API whenever you add new\n clients.\n\n### Adding Firebase authentication to a client\n\nYou can add Firebase authentication to your code as described in the\n[Firebase](https://firebase.google.com/docs/auth/)\ndocumentation. The client must have a Google Cloud project associated with\nit, and the project ID must be listed in the API's Firebase issuer\nconfiguration.\n\nAuthenticating with Auth0\n-------------------------\n\nTo support calls from clients that use Auth0:\n\n1. Import the App Engine Endpoints API in your API class:\n\n import endpoints\n\n2. Add an Auth0 issuer object for each client to\n the\n [API decorator](/endpoints/docs/frameworks/python/decorators-reference#defining_the_api_endpointsapi).\n For example:\n\n ```\n @endpoints.api(\n name='YOUR_API_NAME',\n version='VERSION_NUMBER',\n issuers={'auth0': endpoints.Issuer(\n 'https://YOUR_ACCOUNT_NAME.auth0.com',\n 'https://YOUR_ACCOUNT_NAME.auth0.com/.well-known/jwks.json')})\n ```\n - Replace \u003cvar translate=\"no\"\u003eYOUR_API_NAME\u003c/var\u003e with the name of your API.\n - Replace \u003cvar translate=\"no\"\u003eVERSION_NUMBER\u003c/var\u003e with your API version, for example, `v1`.\n - Replace \u003cvar translate=\"no\"\u003eYOUR_ACCOUNT_NAME\u003c/var\u003e with the Auth0 account name used for the client.\n3. In each API method where you want to check for proper authentication,\n check for a valid `User` and raise `error 401` if there isn't one, as\n shown in this sample method definition:\n\n user = endpoints.get_current_user()\n # If there's no user defined, the request was unauthenticated, so we\n # raise 401 Unauthorized.\n\n4. [Deploy the API](/endpoints/docs/frameworks/python/test-deploy). You\n need to redeploy the API whenever you add new clients.\n\n### Adding Auth0 authentication to a client\n\nYou can add Auth0 authentication to your code as described in the\n[Auth0](http://auth0.com)\ndocumentation. The client must be listed in the API's Auth0 issuer configuration.\n\nAuthenticating with Google ID tokens\n------------------------------------\n\nTo support calls from clients that authenticate using Google ID tokens:\n\n1. Obtain an OAuth 2 client ID for each client application. The client\n application owner must generate the client ID from the Google Cloud console. For\n instructions, see\n [Creating client IDs](/endpoints/docs/frameworks/python/creating-client-ids).\n\n2. Import the App Engine Endpoints API in your API class:\n\n import endpoints\n\n3. Specify all of the client IDs you want to grant access to your API\n in the `allowed_client_ids`, and also specify client IDs belonging to Android\n clients in the`audiences` field in the\n [API decorator](/endpoints/docs/frameworks/python/decorators-reference#defining_the_api_endpointsapi).\n For example:\n\n ```\n @endpoints.api(\n name='YOUR_API_NAME',\n version='VERSION_NUMBER',\n allowed_client_ids=ALLOWED_CLIENT_IDS,\n audiences=[ANDROID_AUDIENCE])\n class AuthedGreetingApi(remote.Service):\n # ...\n ```\n\n Replace \u003cvar translate=\"no\"\u003eALLOWED_CLIENT_IDS\u003c/var\u003e with the list of OAuth 2\n client IDs generated from each client's project, and replace\n \u003cvar translate=\"no\"\u003eANDROID_AUDIENCE\u003c/var\u003e with the list of Android web client\n IDs. The web client ID is the client ID with `.apps.googleusercontent.com`\n appended, for example:\n \u003cvar translate=\"no\"\u003eYOUR_CLIENT_ID\u003c/var\u003e`.apps.googleusercontent.com`.\n4. In each API method where you want to check for proper authentication,\n check for a valid `User` and raise `error 401` if there isn't one, as\n shown in this sample method definition:\n\n user = endpoints.get_current_user()\n # If there's no user defined, the request was unauthenticated, so we\n # raise 401 Unauthorized.\n\n5. [Deploy the Endpoints API](/endpoints/docs/frameworks/python/test-deploy).\n You need to redeploy the Endpoints API whenever you add new\n clients.\n\n### Adding Google ID token authentication to a client\n\nFor information on adding authentication code to clients, see the following:\n\n- [Android app](/endpoints/docs/frameworks/python/consume_android)\n- [Python client](/endpoints/docs/frameworks/python/access_from_python)\n\nWhat's next\n-----------\n\nFor background information about user authentication and how it differs from\nAPI key authorization, see\n[When and why to use API keys](/endpoints/docs/frameworks/python/when-why-api-key)."]]
