Method: accounts.signInWithPassword

Signs in a user with email and password. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user.

An API key is required in the request in order to identify the Google Cloud project.

HTTP request

POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation
{
  "email": string,
  "password": string,
  "pendingIdToken": string,
  "captchaChallenge": string,
  "captchaResponse": string,
  "instanceId": string,
  "delegatedProjectNumber": string,
  "idToken": string,
  "returnSecureToken": boolean,
  "tenantId": string,
  "clientType": enum (ClientType),
  "recaptchaVersion": enum (RecaptchaVersion)
}
Fields
email

string

Required. The email the user is signing in with. The email should be less than 256 characters long and in the format name@domain.tld. It should also match the RFC 822 addr-spec production.

password

string

Required. The password the user provides to sign in to the account.

pendingIdToken
(deprecated)

string

captchaChallenge
(deprecated)

string

captchaResponse

string

The reCAPTCHA token provided by the reCAPTCHA client-side integration. reCAPTCHA Enterprise uses it for risk assessment. Required when reCAPTCHA Enterprise is enabled.

instanceId
(deprecated)

string

delegatedProjectNumber
(deprecated)

string (int64 format)

idToken
(deprecated)

string

returnSecureToken

boolean

Should always be true.

tenantId

string

The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform instance in the project.

clientType

enum (ClientType)

The client type: web, android or ios. Required when reCAPTCHA Enterprise is enabled.

recaptchaVersion

enum (RecaptchaVersion)

The reCAPTCHA version of the reCAPTCHA token in the captchaResponse.

Response body

Response message for accounts.signInWithPassword.

If successful, the response body contains data with the following structure:

JSON representation
{
  "kind": string,
  "localId": string,
  "email": string,
  "displayName": string,
  "idToken": string,
  "registered": boolean,
  "profilePicture": string,
  "oauthAccessToken": string,
  "oauthExpireIn": integer,
  "oauthAuthorizationCode": string,
  "refreshToken": string,
  "expiresIn": string,
  "mfaPendingCredential": string,
  "mfaInfo": [
    {
      object (MfaEnrollment)
    }
  ],
  "userNotifications": [
    {
      object (UserNotification)
    }
  ]
}
Fields
kind
(deprecated)

string

localId

string

The ID of the authenticated user. Always present in the response.

email

string

The email of the authenticated user. Always present in the response.

displayName

string

The user's display name stored in the account's attributes.

idToken

string

An Identity Platform ID token for the authenticated user.

registered
(deprecated)

boolean

Whether the email is for an existing account. Always true.

profilePicture

string

The user's profile picture stored in the account's attributes.

oauthAccessToken
(deprecated)

string

The OAuth2 access token.

oauthExpireIn
(deprecated)

integer

The access token expiration time in seconds.

oauthAuthorizationCode
(deprecated)

string

refreshToken

string

An Identity Platform refresh token for the authenticated user.

expiresIn

string (int64 format)

The number of seconds until the Identity Platform ID token expires.

mfaPendingCredential

string

An opaque string that functions as proof that the user has successfully passed first-factor authentication.

mfaInfo[]

object (MfaEnrollment)

Info on which multi-factor authentication providers are enabled for the account. Present if the user needs to complete the sign-in using multi-factor authentication.

userNotifications[]

object (UserNotification)

Warning notifications for the user.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UserNotification

Warning notifications for the user.

JSON representation
{
  "notificationCode": enum (NotificationCode),
  "notificationMessage": string
}
Fields
notificationCode

enum (NotificationCode)

Warning notification enum. Can be used for localization.

notificationMessage

string

Warning notification string. Can be used as fallback.

NotificationCode

Warning notification enum. Can be used for localization.

Enums
NOTIFICATION_CODE_UNSPECIFIED No notification specified.
MISSING_LOWERCASE_CHARACTER Password missing lowercase character.
MISSING_UPPERCASE_CHARACTER Password missing uppercase character.
MISSING_NUMERIC_CHARACTER Password missing numeric character.
MISSING_NON_ALPHANUMERIC_CHARACTER Password missing non-alphanumeric character.
MINIMUM_PASSWORD_LENGTH Password less than minimum required length.
MAXIMUM_PASSWORD_LENGTH Password greater than maximum required length.
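
Example (added here for illustration; not part of the original reference or of any Google SDK): building the request body and classifying the response so that a first-factor-only result is never mistaken for a finished sign-in. It assumes the API key is sent as the `key` query parameter and treats any response carrying `mfaPendingCredential` or `mfaInfo` as incomplete; the function names and sample values are constructed.

```python
import json
from urllib.parse import urlencode

ENDPOINT = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword"

def build_request(api_key, email, password, tenant_id=None):
    """Return (url, JSON body); reject emails outside the documented limits."""
    if len(email) >= 256 or email.count("@") != 1 or not all(email.split("@")):
        raise ValueError("email must be name@domain.tld and under 256 characters")
    body = {"email": email, "password": password, "returnSecureToken": True}
    if tenant_id:  # omitted -> default Identity Platform instance of the project
        body["tenantId"] = tenant_id
    # Assumption: the API key is passed as the `key` query parameter.
    return f"{ENDPOINT}?{urlencode({'key': api_key})}", json.dumps(body)

def interpret_response(resp):
    """Classify a parsed response body; never build a session from a partial login."""
    notes = [(n.get("notificationCode", "NOTIFICATION_CODE_UNSPECIFIED"),
              n.get("notificationMessage", ""))
             for n in resp.get("userNotifications", [])]
    if resp.get("mfaPendingCredential") or resp.get("mfaInfo"):
        # Only the first factor has passed: hand off to the MFA step and
        # deliberately drop any token fields that might be present.
        return {"state": "mfa_required", "localId": resp.get("localId"),
                "pending": resp.get("mfaPendingCredential"),
                "factors": resp.get("mfaInfo", []), "notifications": notes}
    required = ("localId", "email", "idToken", "refreshToken", "expiresIn")
    missing = [f for f in required if not resp.get(f)]
    if missing:
        raise ValueError(f"incomplete sign-in response, missing {missing}")
    return {"state": "signed_in", "localId": resp["localId"],
            "idToken": resp["idToken"], "refreshToken": resp["refreshToken"],
            "expiresIn": int(resp["expiresIn"]),  # int64 arrives as a JSON string
            "notifications": notes}

# Constructed sample response bodies (not captured from a real project).
SAMPLE_OK = {"localId": "uid-123", "email": "user@example.com",
             "idToken": "ID-TOKEN-PLACEHOLDER", "refreshToken": "REFRESH-PLACEHOLDER",
             "expiresIn": "3600",
             "userNotifications": [{"notificationCode": "MINIMUM_PASSWORD_LENGTH",
                                    "notificationMessage": "Password less than minimum required length."}]}
SAMPLE_MFA = {"localId": "uid-123", "email": "user@example.com",
              "mfaPendingCredential": "OPAQUE-PLACEHOLDER",
              "mfaInfo": [{}]}  # MfaEnrollment contents are defined outside this page
```

The `userNotifications` entries are surfaced as (code, message) pairs so the caller can localize on the code and fall back to the message, as the UserNotification fields describe.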