Authenticating to the Cloud Vision API

Using a service account

Using a service account to authenticate is the preferred method. To use a service account to authenticate to the Vision API:

  1. Follow the instructions to create a service account. Select JSON as your key type.

Once complete, your service account key is downloaded to your browser's default location.

Next, decide whether you'll provide your service account authentication as a bearer token or using application default credentials.

Bearer tokens

If you're calling the Vision API directly, such as by making an HTTP request with cURL, you'll pass your authentication as a bearer token in an Authorization header. To obtain a bearer token using your service account:

  1. Install the gcloud CLI.
  2. Authenticate to your service account, replacing KEY_FILE below with the path to your service account key file:

    gcloud auth activate-service-account --key-file KEY_FILE
    
  3. Obtain an authorization token using your service account:

    gcloud auth print-access-token
    

    The command returns an access token value.

  4. When calling the API, obtain an authorization token using your service account in an Authorization header:

    curl -s -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "Content-Type: application/json" \
    "https://vision.googleapis.com/v1/images:annotate" -d @request.json
    

Application default credentials

If you're using a client library to call the Vision API, use Application Default Credentials (ADC). Services using ADC look for credentials within a GOOGLE_APPLICATION_CREDENTIALS environment variable. Unless you specifically wish to have ADC use other credentials (for example, user credentials), we recommend you set this environment variable to point to your service account key file.

export GOOGLE_APPLICATION_CREDENTIALS=PATH_TO_KEY_FILE

Replace PATH_TO_KEY_FILE with the path to your JSON service account file. GOOGLE_APPLICATION_CREDENTIALS should be written out as-is (it's not a placeholder in the example above).

Using an API key

You can use a Google Cloud console API key to authenticate to the Vision API.

To do so:

  1. Follow the instructions to create an API key for your Google Cloud console project.

  2. When making any Vision API request, pass your key as the value of a key parameter. For example:

    POST https://vision.googleapis.com/v1/images:annotate?key=YOUR_API_KEY
    

Make sure to read Best practices for securely using API keys to prevent unauthorized use of your API key.