Authenticating with a service account

Prerequisites

This page assumes that you have already:

Configuring authentication

To authenticate with a service account:

  1. Import the App Engine Endpoints API in your API class:

    import endpoints
    
  2. Add an issuer object for the service account to the API decorator. For example:

    @endpoints.api(
        name='echo',
        version='v1',
        issuers={'serviceAccount': endpoints.Issuer(
            'YOUR_SERVICE_ACCOUNT_EMAIL',
            'https://www.googleapis.com/robot/v1/metadata/x509/YOUR_SERVICE_ACCOUNT_EMAIL')},
        audiences={'serviceAccount': ['YOUR_AUDIENCE']})
    
    • Replace echo with the name of your API.
    • Replace v1 with your API version.
    • Replace YOUR_SERVICE_ACCOUNT_EMAIL with your service account email.
    • Replace YOUR_AUDIENCE with the value in the aud field sent by the calling service.
  3. In each API method where you want to check for proper authentication, check for a valid User and raise error 401if there isn't one, as shown in this sample method definition:

    user = endpoints.get_current_user()
    # If there's no user defined, the request was unauthenticated, so we
    # raise 401 Unauthorized.
    
  4. Deploy the API. You need to redeploy the API whenever you add new clients.