Method: projects.serviceAccounts.signJwt

Signs a JWT using a service account's system-managed private key.

HTTP request

POST https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:signJwt

The URL uses Google API HTTP annotation syntax.

Path parameters

Parameters
name

string

The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. Using - as a wildcard for the project will infer the project from the account.

Authorization requires the following Google IAM permission on the specified resource name:

  • iam.serviceAccounts.signJwt

Request body

The request body contains data with the following structure:

JSON representation
{
  "delegates": [
    string
  ],
  "payload": string
}
Fields
delegates[]

string

The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}

payload

string

The JWT payload to sign: a JSON object that contains a JWT Claims Set.

Response body

If successful, the response body contains data with the following structure:

JSON representation
{
  "keyId": string,
  "signedJwt": string
}
Fields
keyId

string

The ID of the key used to sign the JWT.

signedJwt

string

The signed JWT.
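The request and response bodies above, as an added example that is not part of the original reference: it builds the signJwt URL and body (payload serialized as a JSON string, delegates in the documented resource-name format) and checks that the returned signedJwt carries the claims that were requested. The function names and the sample account are constructed for illustration. The claims comparison assumes the service signs the payload unchanged.

```python
import base64
import json
import re

ENDPOINT = "https://iamcredentials.googleapis.com/v1/{name}:signJwt"
# Identifier part of projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}
ACCOUNT_ID = re.compile(r"[^/\s?#]+")


def resource_name(account):
    """Return the wildcard-project resource name, rejecting path-breaking input."""
    if not ACCOUNT_ID.fullmatch(account):
        raise ValueError("invalid service account identifier: %r" % account)
    return "projects/-/serviceAccounts/" + account


def build_sign_jwt_request(account, claims, delegates=()):
    """Return (url, body). 'payload' is a JSON string, not a nested object."""
    if not isinstance(claims, dict):
        raise TypeError("claims must be a dict (the JWT Claims Set)")
    body = {"payload": json.dumps(claims, separators=(",", ":"))}
    if delegates:
        # Order matters: each delegate needs Token Creator on the next one.
        body["delegates"] = [resource_name(d) for d in delegates]
    return ENDPOINT.format(name=resource_name(account)), body


def decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_response(response, claims):
    """Confirm signedJwt carries the requested claims; return (keyId, header).

    This only inspects the token; it does not verify the signature.
    Assumption: the service signs the submitted payload unchanged.
    """
    parts = response["signedJwt"].split(".")
    if len(parts) != 3:
        raise ValueError("signedJwt is not a three-part compact JWS")
    if decode_segment(parts[1]) != claims:
        raise ValueError("signed claims differ from the requested payload")
    return response["keyId"], decode_segment(parts[0])
```

Send the returned body as JSON in the POST with an access token that holds one of the OAuth scopes listed below.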

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.
