Signs in a user with email and password. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user.
An API key is required in the request in order to identify the Google Cloud project.
HTTP request
POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword
The URL uses gRPC Transcoding syntax.
Request body
The request body contains data with the following structure:
| JSON representation |
|---|
{ "email": string, "password": string, "pendingIdToken": string, "captchaChallenge": string, "captchaResponse": string, "instanceId": string, "delegatedProjectNumber": string, "idToken": string, "returnSecureToken": boolean, "tenantId": string } |
| Fields | |
|---|---|
email |
Required. The email the user is signing in with. The length of email should be less than 256 characters and in the format of |
password |
Required. The password the user provides to sign in to the account. |
pendingIdToken |
|
captchaChallenge |
|
captchaResponse |
The reCAPTCHA token provided by the reCAPTCHA client-side integration. reCAPTCHA Enterprise uses it for risk assessment. Required when reCAPTCHA Enterprise is enabled. |
instanceId |
|
delegatedProjectNumber |
|
idToken |
|
returnSecureToken |
Should always be true. |
tenantId |
The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform instance in the project. |
Response body
If successful, the response body contains data with the following structure:
Response message for accounts.signInWithPassword.
| JSON representation |
|---|
{
"kind": string,
"localId": string,
"email": string,
"displayName": string,
"idToken": string,
"registered": boolean,
"profilePicture": string,
"oauthAccessToken": string,
"oauthExpireIn": integer,
"oauthAuthorizationCode": string,
"refreshToken": string,
"expiresIn": string,
"mfaPendingCredential": string,
"mfaInfo": [
{
object ( |
| Fields | |
|---|---|
kind |
|
localId |
The ID of the authenticated user. Always present in the response. |
email |
The email of the authenticated user. Always present in the response. |
displayName |
The user's display name stored in the account's attributes. |
idToken |
An Identity Platform ID token for the authenticated user. |
registered |
Whether the email is for an existing account. Always true. |
profilePicture |
The user's profile picture stored in the account's attributes. |
oauthAccessToken |
The OAuth2 access token. |
oauthExpireIn |
The access token expiration time in seconds. |
oauthAuthorizationCode |
|
refreshToken |
An Identity Platform refresh token for the authenticated user. |
expiresIn |
The number of seconds until the Identity Platform ID token expires. |
mfaPendingCredential |
An opaque string that functions as proof that the user has successfully passed the first factor authentication. |
mfaInfo[] |
Info on which multi-factor authentication providers are enabled for the account. Present if the user needs to complete the sign-in using multi-factor authentication. |
Authorization Scopes
Requires one of the following OAuth scopes:
https://www.googleapis.com/auth/identitytoolkithttps://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.