Method: projects.serviceAccounts.signJwt

Signs a JWT using a service account's system-managed private key.

If no expiry time (exp) is provided in the SignJwtRequest, IAM sets an an expiry time of one hour by default. If you request an expiry time of more than one hour, the request will fail.

HTTP request

POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:signJwt

The URL uses Google API HTTP annotation syntax.

Path parameters

Parameters
name

string

The resource name of the service account in the following format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. Using - as a wildcard for the PROJECT_ID will infer the project from the account. The ACCOUNT value can be the email address or the uniqueId of the service account.

Authorization requires the following Google IAM permission on the specified resource name:

  • iam.serviceAccounts.signJwt

Request body

The request body contains data with the following structure:

JSON representation
{
  "payload": string,
}
Fields
payload

string

The JWT payload to sign, a JSON JWT Claim set.

Response body

If successful, the response body contains data with the following structure:

The service account sign JWT response.

JSON representation
{
  "keyId": string,
  "signedJwt": string,
}
Fields
keyId

string

The id of the key used to sign the JWT.

signedJwt

string

The signed JWT.

Authorization Scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/iam
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Auth Guide.

Try it!

このページは役立ちましたか?評価をお願いいたします。

フィードバックを送信...

Cloud Identity and Access Management