Accessing non-Google resources programmatically

This article shows you how to programmatically access a resource protected by Identity-Aware Proxy (IAP) using external identities.

There are several situations where you might want to do this:

  • Your frontend application leverages Identity Platform directly. Your backend API server is built using App Engine, and protected by IAP using external identities.

  • Your application is designed for use in a non-traditional browser environment, such as on Android, iOS, or the command-line, where using a browser redirect to authenticate users is infeasible.

Accessing resources

To access a resource programmatically, follow these steps:

  1. Retrieve the user's ID token.


    Ensure the user is signed in. The code below shows a simple example of signing in a user with an email and password:

    // If signing in using project-level email/password IdP.
    // auth.tenantId = null; // This is null by default.
    // For signing in to a specific tenant using email/password.
    auth.tenantId = 'myTenantId';
    auth.signInWithEmailAndPassword(email, password)
      .then((user) => {
        // User signed in. ID token can now be retrieved.
      })
      .catch((error) => {
        // Handle error.
      });

    You can then retrieve an ID token on the user object:

    auth.currentUser.getIdToken()
      .then((idToken) => {
        // idToken is now available and can be sent to API server.
      })
      .catch((error) => {
        // Handle error.
      });


    Calling signInWithPassword returns an ID token in the response:

    # "tenantId" is only used in multi-tenancy.
    curl '' \
    -H 'Content-Type: application/json' \
    --data-binary '{
      "tenantId":"TENANT-ID"
    }'

  2. Include the ID token in the authorization header when calling an endpoint protected by IAP.

    curl -H "Authorization: Bearer GCIP-ID-TOKEN" ""
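
The two steps above combined into one client-side call, as an added example that is not part of the original article. The helper names bearerRequest and callIapResource are hypothetical; auth is assumed to be an initialized Identity Platform auth instance with a signed-in user, and retrying once on HTTP 401 with a forced token refresh is an assumption about how the caller wants to handle a rejected token.

```javascript
// Added example: bearerRequest and callIapResource are hypothetical helpers.

// Build the request options, refusing to attach the token to a non-HTTPS URL.
function bearerRequest(url, idToken) {
  if (new URL(url).protocol !== 'https:') {
    throw new Error('refusing to send an ID token over a non-HTTPS URL');
  }
  if (!idToken) throw new Error('missing ID token');
  return { method: 'GET', headers: { Authorization: `Bearer ${idToken}` } };
}

// Call an IAP-protected endpoint as the currently signed-in user.
// expectedTenantId is null for project-level sign-in.
async function callIapResource(auth, url, expectedTenantId = null,
                               fetchImpl = globalThis.fetch) {
  const user = auth.currentUser;
  if (!user) throw new Error('no signed-in user');
  // Do not present a token issued for one tenant to a resource set up for another.
  if ((user.tenantId || null) !== expectedTenantId) {
    throw new Error('signed-in user belongs to a different tenant');
  }
  let res = await fetchImpl(url, bearerRequest(url, await user.getIdToken()));
  if (res.status === 401) {
    // Assumption: 401 means the token was rejected (for example, expired).
    // Force one refresh and retry once; never loop on authentication failures.
    res = await fetchImpl(url, bearerRequest(url, await user.getIdToken(true)));
  }
  if (!res.ok) throw new Error(`IAP request failed with HTTP ${res.status}`);
  return res;
}
```

The fetchImpl parameter exists so the function can be exercised with a stub; in an application it defaults to the platform's fetch.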