HTTP Bearer token

Shows how to make Google Cloud-authenticated HTTP requests.

Documentation pages that include this code sample

To view the code sample used in context, see the following documentation:

Code sample


#include <google/cloud/functions/http_request.h>
#include <google/cloud/functions/http_response.h>
#include <google/cloud/storage/oauth2/google_credentials.h>
#include <curl/curl.h>
#include <cstdlib>
#include <optional>
#include <sstream>
#include <stdexcept>
#include <string>

namespace gcf = ::google::cloud::functions;

namespace {
/// A helper function to perform a HTTP GET request.
gcf::HttpResponse HttpGet(std::string const& url,
                          std::string const& authorization_header);
}  // namespace

gcf::HttpResponse bearer_token(gcf::HttpRequest request) {  // NOLINT
  static auto const kTargetUrl = [] {
    auto const* target_url = std::getenv("TARGET_URL");
    if (target_url != nullptr) return std::string(target_url);
    throw std::runtime_error("TARGET_URL environment variable is not defined");

  static auto const kCredentials = [] {
    auto credentials =
    if (credentials) return std::move(credentials).value();
    std::ostringstream os;
    os << "Error fetching credentials: " << std::move(credentials).status();
    throw std::runtime_error(std::move(os).str());

  static auto const kCurlInit = [] {
    return curl_global_init(CURL_GLOBAL_ALL);

  if ( == "/no-auth-header") return HttpGet(kTargetUrl, "");

  auto header = kCredentials->AuthorizationHeader();
  if (header) return HttpGet(kTargetUrl, *header);

  std::ostringstream os;
  os << "Error creating authorization header: " << std::move(header).status();
  throw std::runtime_error(std::move(os).str());


import (


// makeGetRequest makes a request to the provided targetURL with an authenticated client.
func makeGetRequest(w io.Writer, targetURL string) error {
	// functionURL := "https://TARGET_URL"
	ctx := context.Background()

	// client is a http.Client that automatically adds an "Authorization" header
	// to any requests made.
	client, err := idtoken.NewClient(ctx, targetURL)
	if err != nil {
		return fmt.Errorf("idtoken.NewClient: %v", err)

	resp, err := client.Get(targetURL)
	if err != nil {
		return fmt.Errorf("client.Get: %v", err)
	defer resp.Body.Close()
	if _, err := io.Copy(w, resp.Body); err != nil {
		return fmt.Errorf("io.Copy: %v", err)

	return nil



public class Authentication {

  // makeGetRequest makes a GET request to the specified Cloud Run or
  // Cloud Functions endpoint, serviceUrl (must be a complete URL), by
  // authenticating with an Id token retrieved from Application Default Credentials.
  public static HttpResponse makeGetRequest(String serviceUrl) throws IOException {
    GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
    if (!(credentials instanceof IdTokenProvider)) {
      throw new IllegalArgumentException("Credentials are not an instance of IdTokenProvider.");
    IdTokenCredentials tokenCredential =
            .setIdTokenProvider((IdTokenProvider) credentials)

    GenericUrl genericUrl = new GenericUrl(serviceUrl);
    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(tokenCredential);
    HttpTransport transport = new NetHttpTransport();
    HttpRequest request = transport.createRequestFactory(adapter).buildGetRequest(genericUrl);
    return request.execute();


const fetch = require('node-fetch');

// TODO(developer): set these values
const REGION = 'us-central1';
const PROJECT_ID = 'my-project-id';
const RECEIVING_FUNCTION = 'myFunction';

// Constants for setting up metadata server request
// See
const functionURL = `https://${REGION}-${PROJECT_ID}${RECEIVING_FUNCTION}`;
const metadataServerURL =
const tokenUrl = metadataServerURL + functionURL;

exports.callingFunction = async (req, res) => {
  // Fetch the token
  const tokenResponse = await fetch(tokenUrl, {
    headers: {
      'Metadata-Flavor': 'Google',
  const token = await tokenResponse.text();

  // Provide the token in the request to the receiving function
  try {
    const functionResponse = await fetch(functionURL, {
      headers: {Authorization: `bearer ${token}`},
    res.status(200).send(await functionResponse.text());
  } catch (err) {
    res.status(500).send('An error occurred! See logs for more details.');


import urllib

import google.auth.transport.requests
import google.oauth2.id_token

def make_authorized_get_request(service_url):
    make_authorized_get_request makes a GET request to the specified HTTP endpoint
    in service_url (must be a complete URL) by authenticating with the
    ID token obtained from the google-auth client library.

    req = urllib.request.Request(service_url)

    auth_req = google.auth.transport.requests.Request()
    id_token = google.oauth2.id_token.fetch_id_token(auth_req, service_url)

    req.add_header("Authorization", f"Bearer {id_token}")
    response = urllib.request.urlopen(req)


What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser