# googleauth - Module Google::Auth::IDTokens (v1.15.0)

Last updated 2025-08-26 UTC.

Reference documentation and code samples for the googleauth module Google::Auth::IDTokens.

### Verifying Google ID tokens

This module verifies ID tokens issued by Google. This can be used to
authenticate signed-in users using OpenID Connect. See
<https://developers.google.com/identity/sign-in/web/backend-auth> for more
information.

#### Basic usage

To verify an ID token issued by Google accounts:

    payload = Google::Auth::IDTokens.verify_oidc the_token,
                                                 aud: "my-app-client-id"

If verification succeeds, you will receive the token's payload as a hash.
If verification fails, an exception (normally a subclass of
[VerificationError](/ruby/docs/reference/googleauth/latest/Google-Auth-IDTokens-VerificationError "Google::Auth::IDTokens::VerificationError (class)")) will be raised.

To verify an ID token issued by the Google identity-aware proxy (IAP):

    payload = Google::Auth::IDTokens.verify_iap the_token,
                                                aud: "my-app-client-id"

These methods will automatically download and cache the Google public
keys necessary to verify these tokens. They will also automatically
verify the issuer (`iss`) field for their respective types of ID tokens.

#### Advanced usage

If you want to provide your own public keys, either by pointing at a
custom URI or by providing the key data directly, use the Verifier class
and pass in a key source.

To point to a custom URI that returns a JWK set:

    source = Google::Auth::IDTokens::JwkHttpKeySource.new "https://example.com/jwk"
    verifier = Google::Auth::IDTokens::Verifier.new key_source: source
    payload = verifier.verify the_token, aud: "my-app-client-id"

To provide key data directly:

    jwk_data = {
      keys: [
        {
          alg: "ES256",
          crv: "P-256",
          kid: "LYyP2g",
          kty: "EC",
          use: "sig",
          x: "SlXFFkJ3JxMsXyXNrqzE3ozl_0913PmNbccLLWfeQFU",
          y: "GLSahrZfBErmMUcHP0MGaeVnJdBwquhrhQ8eP05NfCI"
        }
      ]
    }
    source = Google::Auth::IDTokens::StaticKeySource.from_jwk_set jwk_data
    verifier = Google::Auth::IDTokens::Verifier.new key_source: source
    payload = verifier.verify the_token, aud: "my-app-client-id"

Methods
-------

### .iap_key_source

    def self.iap_key_source() -> Google::Auth::IDTokens::JwkHttpKeySource

The key source providing public keys that can be used to verify
ID tokens issued by Google IAP.

**Returns**

- ([Google::Auth::IDTokens::JwkHttpKeySource](./Google-Auth-IDTokens-JwkHttpKeySource))

### .oidc_key_source

    def self.oidc_key_source() -> Google::Auth::IDTokens::JwkHttpKeySource

The key source providing public keys that can be used to verify
ID tokens issued by Google OIDC.

**Returns**

- ([Google::Auth::IDTokens::JwkHttpKeySource](./Google-Auth-IDTokens-JwkHttpKeySource))

### .verify_iap

    def self.verify_iap(token, aud: nil, azp: nil, iss: IAP_ISSUERS) -> Hash

A convenience method that verifies a token allegedly issued by Google
IAP.

**Parameters**

- **token** (String) --- The ID token to verify
- **aud** (String, Array\<String\>, nil) *(defaults to: nil)* --- The expected audience. At least one `aud` field in the token must match at least one of the provided audiences, or the verification will fail with `Google::Auth::IDTokens::AudienceMismatchError`. If `nil` (the default), no audience checking is performed.
- **azp** (String, Array\<String\>, nil) *(defaults to: nil)* --- The expected authorized party (azp). At least one `azp` field in the token must match at least one of the provided values, or the verification will fail with `Google::Auth::IDTokens::AuthorizedPartyMismatchError`. If `nil` (the default), no azp checking is performed.
- **iss** (String, Array\<String\>, nil) *(defaults to: IAP_ISSUERS)* --- The expected issuer. At least one `iss` field in the token must match at least one of the provided issuers, or the verification will fail with `Google::Auth::IDTokens::IssuerMismatchError`. If `nil`, no issuer checking is performed. Default is to check against `IAP_ISSUERS`.

**Returns**

- (Hash) --- The decoded token payload.

**Raises**

- ([Google::Auth::IDTokens::KeySourceError](./Google-Auth-IDTokens-KeySourceError)) --- if the key source failed to obtain public keys
- ([Google::Auth::IDTokens::VerificationError](./Google-Auth-IDTokens-VerificationError)) --- if the token verification failed. Additional data may be available in the error subclass and message.

### .verify_oidc

    def self.verify_oidc(token, aud: nil, azp: nil, iss: OIDC_ISSUERS) -> Hash

A convenience method that verifies a token allegedly issued by Google
OIDC.

**Parameters**

- **token** (String) --- The ID token to verify
- **aud** (String, Array\<String\>, nil) *(defaults to: nil)* --- The expected audience. At least one `aud` field in the token must match at least one of the provided audiences, or the verification will fail with `Google::Auth::IDTokens::AudienceMismatchError`. If `nil` (the default), no audience checking is performed.
- **azp** (String, Array\<String\>, nil) *(defaults to: nil)* --- The expected authorized party (azp). At least one `azp` field in the token must match at least one of the provided values, or the verification will fail with `Google::Auth::IDTokens::AuthorizedPartyMismatchError`. If `nil` (the default), no azp checking is performed.
- **iss** (String, Array\<String\>, nil) *(defaults to: OIDC_ISSUERS)* --- The expected issuer. At least one `iss` field in the token must match at least one of the provided issuers, or the verification will fail with `Google::Auth::IDTokens::IssuerMismatchError`. If `nil`, no issuer checking is performed. Default is to check against `OIDC_ISSUERS`.

**Returns**

- (Hash) --- The decoded token payload.

**Raises**

- ([Google::Auth::IDTokens::KeySourceError](./Google-Auth-IDTokens-KeySourceError)) --- if the key source failed to obtain public keys
- ([Google::Auth::IDTokens::VerificationError](./Google-Auth-IDTokens-VerificationError)) --- if the token verification failed. Additional data may be available in the error subclass and message.

Constants
---------

### OIDC_ISSUERS

**value:** \["accounts.google.com", "https://accounts.google.com"\].freeze

A list of issuers expected for Google OIDC-issued tokens.

### IAP_ISSUERS

**value:** \["https://cloud.google.com/iap"\].freeze

A list of issuers expected for Google IAP-issued tokens.

### OAUTH2_V3_CERTS_URL

**value:** "https://www.googleapis.com/oauth2/v3/certs"

The URL for Google OAuth2 V3 public certs

### IAP_JWK_URL

**value:** "https://www.gstatic.com/iap/verify/public_key-jwk"

The URL for Google IAP public keys
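
The `aud`, `azp` and `iss` parameter rules documented for `verify_oidc` and `verify_iap` decide which validly signed tokens an application accepts, and the `nil` default for `aud` means a token Google issued to a different client passes. The Ruby below is an added example, not googleauth's code: it models only the documented claim-matching rules (no signature check), and `ClaimMismatch`, `check_claims`, `check_claims_strict`, `accepted?` and the `FOREIGN` payload are hypothetical names and constructed data.

```ruby
# Added example: a model of the documented aud/azp/iss rules, not googleauth's code.
# ClaimMismatch, check_claims, check_claims_strict and accepted? are hypothetical names.
OIDC_ISSUERS = ["accounts.google.com", "https://accounts.google.com"].freeze # value from this page

class ClaimMismatch < StandardError; end # stand-in for the library's *MismatchError classes

# A claim matches when any value in the token equals any expected value.
# Either side may be a String or an Array<String>, as the parameter docs state.
def claim_matches?(actual, expected)
  !(Array(actual) & Array(expected)).empty?
end

# Documented behaviour: an expected value of nil skips that check entirely.
def check_claims(payload, aud: nil, azp: nil, iss: OIDC_ISSUERS)
  { "aud" => aud, "azp" => azp, "iss" => iss }.each do |claim, expected|
    next if expected.nil?
    raise ClaimMismatch, "#{claim} mismatch" unless claim_matches?(payload[claim], expected)
  end
  payload
end

# Hardened variant: the caller must name its own client ID and cannot disable iss.
def check_claims_strict(payload, aud:, azp: nil, iss: OIDC_ISSUERS)
  raise ArgumentError, "expected audience is required" if Array(aud).empty?
  raise ArgumentError, "expected issuer is required" if Array(iss).empty?
  check_claims(payload, aud: aud, azp: azp, iss: iss)
end

# Runs one of the checkers above and reports accept (true) or reject (false).
def accepted?(checker, payload, **expected)
  send(checker, payload, **expected)
  true
rescue ClaimMismatch, ArgumentError
  false
end

# Constructed payload: genuinely issued by Google, but to a different client.
FOREIGN = { "iss" => "https://accounts.google.com", "sub" => "1234567890",
            "aud" => "other-app-client-id", "azp" => "other-app-client-id" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts accepted?(:check_claims, FOREIGN)                          # defaults: aud not checked
  puts accepted?(:check_claims, FOREIGN, aud: "my-app-client-id") # expected audience supplied
  puts accepted?(:check_claims_strict, FOREIGN, aud: nil)         # strict variant refuses nil aud
end
```

With the real library the same discipline means always passing `aud:` with your own client ID to `verify_oidc` or `verify_iap`, and leaving `iss` at its default rather than setting it to `nil`.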