Method: projects.serviceAccounts.generateIdToken

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization scopes
Try it!

Generates an OpenID Connect ID token for a service account.

HTTP request

POST https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:generateIdToken

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`name`	`string` Required. The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid. Authorization requires the following IAM permission on the specified resource `name`: `iam.serviceAccounts.getOpenIdToken`

name

string

Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

Authorization requires the following IAM permission on the specified resource name:

iam.serviceAccounts.getOpenIdToken

Request body

The request body contains data with the following structure:

JSON representation
{ "delegates": [ string ], "audience": string, "includeEmail": boolean, "organizationNumberIncluded": boolean }

Fields
`delegates[]`	`string` The sequence of service accounts in a delegation chain. Each service account must be granted the `roles/iam.serviceAccountTokenCreator` role on its next service account in the chain. The last service account in the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on the service account that is specified in the `name` field of the request. The delegates must have the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.
`audience`	`string` Required. The audience for the token, such as the API or account that this token grants access to.
`includeEmail`	`boolean` Include the service account email in the token. If set to `true`, the token will contain `email` and `email_verified` claims.
`organizationNumberIncluded`	`boolean` Include the organization number of the service account in the token. If set to `true`, the token will contain a `google.organization_number` claim. The value of the claim will be `null` if the service account isn't associated with an organization.

Response body

If successful, the response body contains data with the following structure:

JSON representation
{ "token": string }

Fields

Fields
`token`	`string` The OpenId Connect ID token. The token is a JSON Web Token (JWT) that contains a payload with claims. See the JSON Web Token spec for more information. Here is an example of a decoded JWT payload: `{ "iss": "https://accounts.google.com", "iat": 1496953245, "exp": 1496953245, "aud": "https://www.example.com", "sub": "107517467455664443765", "azp": "107517467455664443765", "email": "my-iam-account@my-project.iam.gserviceaccount.com", "email_verified": true, "google": { "organization_number": 123456 } }`

token

string

The OpenId Connect ID token.

The token is a JSON Web Token (JWT) that contains a payload with claims. See the JSON Web Token spec for more information. Here is an example of a decoded JWT payload:

{
  "iss": "https://accounts.google.com",
  "iat": 1496953245,
  "exp": 1496953245,
  "aud": "https://www.example.com",
  "sub": "107517467455664443765",
  "azp": "107517467455664443765",
  "email": "my-iam-account@my-project.iam.gserviceaccount.com",
  "email_verified": true,
  "google": {
    "organization_number": 123456
  }
}

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/iam
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.