Showing content from http://cloud.google.com/iap/docs/query-parameters-and-headers-howto below:

Using query parameters and headers | Identity-Aware Proxy


This page describes how to use Identity-Aware Proxy (IAP) query parameters and headers to enhance your application UI or provide troubleshooting options.

Query Parameters

Different actions can be performed by setting the parameter gcp-iap-mode in the URL query string. These query parameters can be included with any path, not just the root URL.

Passing user identity

Passing the following parameter value returns a JSON dictionary with the user's identity:

YOUR_APP_URL?gcp-iap-mode=IDENTITY

This is available from any signed-in Google account, even if the account doesn't have access to the app. You can navigate to the URL directly or request it from your application. The following is an example of the value the URL returns:

{"email":"accounts.google.com:USER_EMAIL","sub":"accounts.google.com:118133858486581853996"}

You might find this value useful to personalize your app, such as by displaying the user's name, to pass identity to another page, or to capture usage data in logs.

Clearing user login

The following parameter value clears the IAP login cookie:

YOUR_APP_URL?gcp-iap-mode=CLEAR_LOGIN_COOKIE

Passing this parameter clears all the IAP-issued cookies for your app and navigates the browser to YOUR_APP_URL. If your browser has a valid session with the identity provider (IdP) of your app, a silent sign-in might happen when there is only one account in use with the IdP. If there are multiple accounts in use, an account selection page opens to allow profile switching.

Testing JWT verification

IAP helps you test your JWT verification logic by passing invalid JWTs to testing webpages.

For example, IAP passes a JWT with an invalid signature for any request that contains the query parameters gcp-iap-mode=SECURE_TOKEN_TEST and iap-secure-token-test-type=SIGNATURE. Your verification logic should catch the invalid signature.
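The following is an added example, not code from this page or from Google: a Node.js verifier run against locally constructed tokens that mimic each iap-secure-token-test-type value listed in this section, showing which check should reject each one. The issuer string and the ES256 algorithm come from IAP's signed-header documentation rather than this page; the audience, the clock-skew allowance, and the throwaway keys are assumptions made for the example.

```javascript
const crypto = require('crypto');
const ISSUER = 'https://cloud.google.com/iap'; // from IAP's signed-header docs, not this page
const AUDIENCE = '/projects/123456/apps/example-project'; // constructed placeholder
const SKEW = 30; // tolerated clock skew in seconds (assumption)
const b64u = (s) => Buffer.from(s).toString('base64url');

// Returns 'OK' or the name of the first check that failed.
function verifyIapJwt(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'MALFORMED';
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url')) || {};
    claims = JSON.parse(Buffer.from(parts[1], 'base64url')) || {};
  } catch { return 'MALFORMED'; }
  if (header.alg !== 'ES256') return 'ALGORITHM'; // pin the algorithm, never trust the header
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!valid) return 'SIGNATURE';
  if (claims.iss !== ISSUER) return 'ISSUER';
  if (claims.aud !== AUDIENCE) return 'AUDIENCE';
  if (typeof claims.iat !== 'number' || claims.iat > now + SKEW) return 'FUTURE_ISSUE';
  if (typeof claims.exp !== 'number' || claims.exp < now - SKEW) return 'PAST_EXPIRATION';
  return 'OK';
}

// Constructed tokens, signed with throwaway keys, one per iap-secure-token-test-type.
function buildTestTokens(now) {
  const [good, rogue] = [0, 1].map(() => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }));
  const sign = (claims, key = good.privateKey) => {
    const input = `${b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
    const sig = crypto.sign('sha256', Buffer.from(input), { key, dsaEncoding: 'ieee-p1363' });
    return `${input}.${sig.toString('base64url')}`;
  };
  const base = { iss: ISSUER, aud: AUDIENCE, iat: now - 10, exp: now + 600 };
  return { publicKey: good.publicKey, tokens: {
    NOT_SET: sign(base),
    FUTURE_ISSUE: sign({ ...base, iat: now + 3600, exp: now + 4200 }),
    PAST_EXPIRATION: sign({ ...base, iat: now - 4200, exp: now - 3600 }),
    ISSUER: sign({ ...base, iss: 'https://issuer.invalid' }),
    AUDIENCE: sign({ ...base, aud: '/projects/0/apps/other-app' }),
    SIGNATURE: sign(base, rogue.privateKey),
  } };
}

function runAll(now = 1700000000) { // maps each test type to the verifier's verdict
  const { publicKey, tokens } = buildTestTokens(now);
  return Object.fromEntries(Object.entries(tokens).map(([k, t]) => [k, verifyIapJwt(t, publicKey, now)]));
}
console.log(runAll());
```

Against a real deployment, the same verdicts should come back when the token IAP forwards for each SECURE_TOKEN_TEST request is checked against IAP's published public keys and your application's actual audience.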

You can test your verification logic against any of the following scenarios by appending the appropriate parameters to a request.

| Parameters | Test case |
| --- | --- |
| ?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=NOT_SET | A valid JWT. |
| ?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=FUTURE_ISSUE | Issue date is set in the future. |
| ?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=PAST_EXPIRATION | Expiration date is set in the past. |
| ?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=ISSUER | Incorrect issuer. |
| ?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=AUDIENCE | Incorrect audience. |
| ?gcp-iap-mode=SECURE_TOKEN_TEST&iap-secure-token-test-type=SIGNATURE | Signed using an incorrect signer. |

Detecting responses from IAP

When IAP generates an HTTP response, such as when it denies access (403) or requests authentication (302 or 401), it adds the X-Goog-IAP-Generated-Response HTTP response header. By detecting the presence of this header, you can perform actions like:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.
