Index
AccountManagementService(interface)AuthenticationService(interface)AutoRetrievalInfo(message)ClientType(enum)FinalizeMfaEnrollmentRequest(message)FinalizeMfaEnrollmentResponse(message)FinalizeMfaPhoneRequestInfo(message)FinalizeMfaPhoneResponseInfo(message)FinalizeMfaSignInRequest(message)FinalizeMfaSignInResponse(message)FinalizeMfaTotpEnrollmentRequestInfo(message)FinalizeMfaTotpEnrollmentResponseInfo(message)GetPasswordPolicyRequest(message)GetRecaptchaConfigRequest(message)MfaTotpSignInRequestInfo(message)PasswordPolicy(message)PasswordPolicy.CustomStrengthOptions(message)PasswordPolicy.EnforcementState(enum)RecaptchaConfig(message)RecaptchaEnforcementState(message)RecaptchaEnforcementState.EnforcementState(enum)RecaptchaEnforcementState.RecaptchaProvider(enum)RecaptchaVersion(enum)RevokeTokenRequest(message)RevokeTokenRequest.TokenType(enum)RevokeTokenResponse(message)StartMfaEnrollmentRequest(message)StartMfaEnrollmentResponse(message)StartMfaPhoneRequestInfo(message)StartMfaPhoneResponseInfo(message)StartMfaSignInRequest(message)StartMfaSignInResponse(message)StartMfaTotpEnrollmentRequestInfo(message)StartMfaTotpEnrollmentResponseInfo(message)WithdrawMfaRequest(message)WithdrawMfaResponse(message)
AccountManagementService
Account management for Identity Toolkit
| FinalizeMfaEnrollment |
|---|
|
Finishes enrolling a second factor for the user.
|
| StartMfaEnrollment |
|---|
|
Step one of the MFA enrollment process. In SMS case, this sends an SMS verification code to the user.
|
| WithdrawMfa |
|---|
|
Revokes one second factor from the enrolled second factors for an account.
|
AuthenticationService
Authentication for Identity Toolkit
| FinalizeMfaSignIn |
|---|
|
Verifies the MFA challenge and performs sign-in
|
| GetPasswordPolicy |
|---|
|
Gets password policy config set on the project or tenant.
|
| GetRecaptchaConfig |
|---|
|
Gets parameters needed for reCAPTCHA analysis.
|
| RevokeToken |
|---|
|
Revokes a user's token from an Identity Provider (IdP). This is done by manually providing an IdP credential, and the token types for revocation. An API key is required in the request in order to identify the Google Cloud project.
|
| StartMfaSignIn |
|---|
|
Sends the MFA challenge
|
AutoRetrievalInfo
The information required to auto-retrieve an SMS.
| Fields | |
|---|---|
app_signature_hash |
The Android app's signature hash for Google Play Service's SMS Retriever API. |
ClientType
The client's platform type: web, android or ios.
| Enums | |
|---|---|
CLIENT_TYPE_UNSPECIFIED |
Client type is not specified. |
CLIENT_TYPE_WEB |
Client type is web. |
CLIENT_TYPE_ANDROID |
Client type is android. |
CLIENT_TYPE_IOS |
Client type is ios. |
FinalizeMfaEnrollmentRequest
Finishes enrolling a second factor for the user.
| Fields | |
|---|---|
id_token |
Required. ID token. |
display_name |
Display name which is entered by users to distinguish between different second factors with same type or different type. |
tenant_id |
The ID of the Identity Platform tenant that the user enrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project. |
Union field verification_info. MFA enrollment information to be verified. verification_info can be only one of the following: |
|
phone_verification_info |
Verification info to authorize sending an SMS for phone verification. |
totp_verification_info |
Verification information for TOTP. |
FinalizeMfaEnrollmentResponse
FinalizeMfaEnrollment response.
| Fields | |
|---|---|
id_token |
ID token updated to reflect MFA enrollment. |
refresh_token |
Refresh token updated to reflect MFA enrollment. |
Union field auxiliary_auth_info. MFA verified enrollment information. auxiliary_auth_info can be only one of the following: |
|
phone_auth_info |
Auxiliary auth info specific to phone auth. |
totp_auth_info |
Auxiliary auth info specific to TOTP auth. |
FinalizeMfaPhoneRequestInfo
Phone Verification info for a FinalizeMfa request.
| Fields | |
|---|---|
session_info |
An opaque string that represents the enrollment session. |
code |
User-entered verification code. |
android_verification_proof |
Android only. Uses for "instant" phone number verification though GmsCore. |
phone_number |
Required if Android verification proof is presented. |
FinalizeMfaPhoneResponseInfo
Phone Verification info for a FinalizeMfa response.
| Fields | |
|---|---|
android_verification_proof |
Android only. Long-lived replacement for valid code tied to android device. |
android_verification_proof_expire_time |
Android only. Expiration time of verification proof in seconds. |
phone_number |
For Android verification proof. |
FinalizeMfaSignInRequest
Finalizes sign-in by verifying MFA challenge.
| Fields | |
|---|---|
mfa_pending_credential |
Required. Pending credential from first factor sign-in. |
tenant_id |
The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project. |
mfa_enrollment_id |
The MFA enrollment ID from the user's list of current MFA enrollments. |
Union field verification_info. Proof of completion of the MFA challenge. verification_info can be only one of the following: |
|
phone_verification_info |
Proof of completion of the SMS based MFA challenge. |
totp_verification_info |
Proof of completion of the TOTP based MFA challenge. |
FinalizeMfaSignInResponse
FinalizeMfaSignIn response.
| Fields | |
|---|---|
id_token |
ID token for the authenticated user. |
refresh_token |
Refresh token for the authenticated user. |
Union field auxiliary_auth_info. MFA verified sign-in information. auxiliary_auth_info can be only one of the following: |
|
phone_auth_info |
Extra phone auth info, including android verification proof. |
FinalizeMfaTotpEnrollmentRequestInfo
Mfa request info specific to TOTP auth for FinalizeMfa.
| Fields | |
|---|---|
session_info |
An opaque string that represents the enrollment session. |
verification_code |
User-entered verification code. |
FinalizeMfaTotpEnrollmentResponseInfo
This type has no fields.
Mfa response info specific to TOTP auth for FinalizeMfa.
GetPasswordPolicyRequest
The request for GetPasswordPolicy.
| Fields | |
|---|---|
tenant_id |
The id of a tenant. |
GetRecaptchaConfigRequest
The request for GetRecaptchaConfig.
| Fields | |
|---|---|
tenant_id |
The id of a tenant. |
client_type |
reCAPTCHA Enterprise uses separate site keys for different client types. Specify the client type to get the corresponding key. |
version |
The reCAPTCHA version. |
MfaTotpSignInRequestInfo
TOTP verification info for FinalizeMfaSignInRequest.
| Fields | |
|---|---|
verification_code |
User-entered verification code. |
PasswordPolicy
Configuration for password policy.
| Fields | |
|---|---|
custom_strength_options |
The custom strength options enforced by the password policy. |
schema_version |
Output only. schema version number for the password policy |
allowed_non_alphanumeric_characters[] |
Output only. Allowed characters which satisfy the non_alphanumeric requirement. |
enforcement_state |
Output only. Which enforcement mode to use for the password policy. |
force_upgrade_on_signin |
Users must have a password compliant with the password policy to sign-in. |
CustomStrengthOptions
Custom strength options to enforce on user passwords.
| Fields | |
|---|---|
min_password_length |
Minimum password length. Range from 6 to 30 |
max_password_length |
Maximum password length. No default max length |
contains_lowercase_character |
The password must contain a lower case character. |
contains_uppercase_character |
The password must contain an upper case character. |
contains_numeric_character |
The password must contain a number. |
contains_non_alphanumeric_character |
The password must contain a non alpha numeric character. |
EnforcementState
Enforcement state for the password policy
| Enums | |
|---|---|
ENFORCEMENT_STATE_UNSPECIFIED |
Enforcement state has not been set. |
OFF |
Password Policy will not be used on the project. |
ENFORCE |
Passwords non-compliant with the password policy will be rejected with an error thrown. |
RecaptchaConfig
Configuration for reCAPTCHA
| Fields | |
|---|---|
recaptcha_enforcement_state[] |
The reCAPTCHA enforcement state for the providers that GCIP supports reCAPTCHA protection. |
recaptcha_key |
The reCAPTCHA Enterprise key resource name, e.g. "projects/{project}/keys/{key}". This will only be returned when the reCAPTCHA enforcement state is AUDIT or ENFORCE on at least one of the reCAPTCHA providers. |
RecaptchaEnforcementState
Enforcement states for reCAPTCHA protection.
| Fields | |
|---|---|
provider |
The provider that has reCAPTCHA protection. |
enforcement_state |
The reCAPTCHA enforcement state for the provider. |
EnforcementState
Enforcement states for reCAPTCHA protection per provider.
| Enums | |
|---|---|
ENFORCEMENT_STATE_UNSPECIFIED |
Enforcement state has not been set. |
OFF |
Unenforced. |
AUDIT |
reCAPTCHA assessment is created, result is not used to enforce. |
ENFORCE |
reCAPTCHA assessment is created, result is used to enforce. |
RecaptchaProvider
The GCIP providers that support reCAPTCHA protection.
| Enums | |
|---|---|
RECAPTCHA_PROVIDER_UNSPECIFIED |
reCAPTCHA provider not specified |
EMAIL_PASSWORD_PROVIDER |
Email password provider |
RecaptchaVersion
The reCAPTCHA version.
| Enums | |
|---|---|
RECAPTCHA_VERSION_UNSPECIFIED |
The reCAPTCHA version is not specified. |
RECAPTCHA_ENTERPRISE |
The reCAPTCHA enterprise. |
RevokeTokenRequest
Request message for RevokeToken.
| Fields | |
|---|---|
provider_id |
Required. The idp provider for the token. Currently only supports Apple Idp. The format should be "apple.com". |
token_type |
Required. The type of the token to be revoked. |
token |
Required. The token to be revoked. If an authorization_code is passed in, the API will first exchange the code for access token and then revoke the token exchanged. |
id_token |
Required. A valid Identity Platform ID token to link the account. If there was a successful token revocation request on the account and no tokens are generated after the revocation, the duplicate requests will be ignored and returned immediately. |
tenant_id |
The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project. |
redirect_uri |
The redirect URI provided in the initial authorization request made by the client to the IDP. The URI must use the HTTPS protocol, include a domain name, and can't contain an IP address or localhost. Required if token_type is CODE. |
TokenType
The type of the token to be revoked.
| Enums | |
|---|---|
TOKEN_TYPE_UNSPECIFIED |
Default value, do not use. |
REFRESH_TOKEN |
Token type is refresh_token. |
ACCESS_TOKEN |
Token type is access_token. |
CODE |
Token type is authorization_code. |
RevokeTokenResponse
This type has no fields.
Response message for RevokeToken. Empty for now.
StartMfaEnrollmentRequest
Sends MFA enrollment verification SMS for a user.
| Fields | |
|---|---|
id_token |
Required. User's ID token. |
tenant_id |
The ID of the Identity Platform tenant that the user enrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project. |
Union field enrollment_info. MFA information by type of 2nd factor. enrollment_info can be only one of the following: |
|
phone_enrollment_info |
Verification info to authorize sending an SMS for phone verification. |
totp_enrollment_info |
Sign-in info specific to TOTP auth. |
StartMfaEnrollmentResponse
StartMfaEnrollment response.
| Fields | |
|---|---|
Union field enrollment_response. MFA start enrollment response by 2nd factor type. enrollment_response can be only one of the following: |
|
phone_session_info |
Verification info to authorize sending an SMS for phone verification. |
totp_session_info |
Enrollment response info specific to TOTP auth. |
StartMfaPhoneRequestInfo
App Verification info for a StartMfa request.
| Fields | |
|---|---|
phone_number |
Required for enrollment. Phone number to be enrolled as MFA. |
ios_receipt |
iOS only. Receipt of successful app token validation with APNS. |
ios_secret |
iOS only. Secret delivered to iOS app via APNS. |
recaptcha_token |
Web only. Recaptcha solution. |
auto_retrieval_info |
Android only. Used by Google Play Services to identify the app for auto-retrieval. |
safety_net_token |
Android only. Used to assert application identity in place of a recaptcha token. A SafetyNet Token can be generated via the SafetyNet Android Attestation API, with the Base64 encoding of the |
play_integrity_token |
Android only. Used to assert application identity in place of a recaptcha token (or safety net token). A Play Integrity Token can be generated via the PlayIntegrity API with applying SHA256 to the |
StartMfaPhoneResponseInfo
Phone Verification info for a StartMfa response.
| Fields | |
|---|---|
session_info |
An opaque string that represents the enrollment session. |
StartMfaSignInRequest
Starts multi-factor sign-in by sending the multi-factor auth challenge.
| Fields | |
|---|---|
mfa_pending_credential |
Required. Pending credential from first factor sign-in. |
mfa_enrollment_id |
Required. MFA enrollment id from the user's list of current MFA enrollments. |
tenant_id |
The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project. |
Union field sign_in_info. MFA information by type of 2nd factor. sign_in_info can be only one of the following: |
|
phone_sign_in_info |
Verification info to authorize sending an SMS for phone verification. |
StartMfaSignInResponse
StartMfaSignIn response.
| Fields | |
|---|---|
Union field response_info. MultiFactor start sign-in response by 2nd factor type. response_info can be only one of the following: |
|
phone_response_info |
MultiFactor sign-in session information specific to SMS-type second factors. Along with the one-time code retrieved from the sent SMS, the contents of this session information should be passed to FinalizeMfaSignIn to complete the sign in. |
StartMfaTotpEnrollmentRequestInfo
This type has no fields.
Mfa request info specific to TOTP auth for StartMfa.
StartMfaTotpEnrollmentResponseInfo
Mfa response info specific to TOTP auth for StartMfa.
| Fields | |
|---|---|
shared_secret_key |
A base 32 encoded string that represents the shared TOTP secret. The base 32 encoding is the one specified by RFC4648#section-6. (This is the same as the base 32 encoding from RFC3548#section-5.) |
verification_code_length |
The length of the verification code that needs to be generated. |
hashing_algorithm |
The hashing algorithm used to generate the verification code. |
period_sec |
Duration in seconds at which the verification code will change. |
session_info |
An encoded string that represents the enrollment session. |
finalize_enrollment_time |
The time by which the enrollment must finish. |
WithdrawMfaRequest
Withdraws MFA.
| Fields | |
|---|---|
id_token |
Required. User's ID token. |
mfa_enrollment_id |
Required. MFA enrollment id from a current MFA enrollment. |
tenant_id |
The ID of the Identity Platform tenant that the user unenrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project. |
WithdrawMfaResponse
Withdraws MultiFactorAuth response.
| Fields | |
|---|---|
id_token |
ID token updated to reflect removal of the second factor. |
refresh_token |
Refresh token updated to reflect removal of the second factor. |