Your OAuth client is the credential which your application uses when making calls to Google OAuth 2.0 endpoint to receive an access token or ID token. After creating your OAuth client, you will receive a client ID and sometimes, a client secret.
Think of your client ID like your app's unique username when it needs to request an access token or ID token from Google's OAuth 2.0 endpoint. This ID helps Google identify your app and ensure that only authorized applications can access user data.
Client ID and Client SecretSimilar to how you would use a username and password to log to online services, many applications use a client ID paired with a client secret. The client secret adds an extra layer of security, acting like your app's password.
Applications are categorized as either public or private clients:
To create an OAuth 2.0 client ID in the console:
Note: Your application's client secret will only be shown after you create the client. Store this information in a secure place such as Google Cloud Secret Manager because it will not be visible or accessible again. Learn more.
Application types Web ApplicationsA web application is accessed by web browsers over a network.
Authorized JavaScript originsApplications that use client-side JavaScript to access Google APIs must specify authorized JavaScript origins. The origins identify the domains from which your application can send API requests.
Specified origins must adhere to the following rules :
If you send a request to a Google OAuth 2.0 endpoint from an unregistered JavaScript origin, you will receive an origin_mismatch error.
Applications that access Google APIs from a server (often using languages and frameworks like Node.js, Java, .NET, and Python) must specify authorized redirect URIs. The redirect URIs are the endpoints of your application server to which the OAuth 2.0 server can send responses. Users are redirected to this path after they have authenticated with Google.
Redirect URIs must adhere to the following rules :
If the redirect_uri passed in the authorization request does not match an authorized redirect URI for the OAuth client ID, you will receive a redirect_uri_mismatch error.
Note: It may take 5 minutes to a few hours for changes made to these settings to take effect
Native Applications (Android, iOS, Desktop, UWP, Chrome Extensions, TV and Limited Input)If your application is going to be installed on a device or computer (such as a system running Android, iOS, Universal Windows Platform, Chrome, or any desktop OS), you can use Google's OAuth 2.0 Mobile and desktop apps flow. If your application runs on devices with limited input capabilities, such as smart TVs, you can use Google’s OAuth 2.0 TV and limited-input device flow.
AndroidNote: Currently, obtaining OAuth 2.0 access tokens via AccountManager works for Android Ice Cream Sandwich (4.0) and newer versions.
You need to specify your Android app's package name and SHA1 fingerprint.
In the Package name field, enter your Android app's package name.
In a terminal, run the keytool utility to get the SHA1 fingerprint for your digitally signed .apk file's public certificate.
keytool -exportcert -alias androiddebugkey -keystore path-to-debug-or-production-keystore -list -vNote: For the debug.keystore, the password is android. For Android Studio, the debug keystore is typically located at ~/.android/debug.keystore.
The Keytool prints the fingerprint to the shell. For example:
$ keytool -list -v -keystore ~/.android/debug.keystore
Enter keystore password: Type "android" if using debug.keystore
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: androiddebugkey
Creation date: Mar 13, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 1
Valid from: Fri Mar 13 09:59:25 PDT 2020 until: Sun Mar 06 08:59:25 PST 2050
Certificate fingerprints:
SHA1: D9:E9:59:FA:7A:46:72:4E:69:1F:96:18:8C:F9:AE:82:3A:5D:2F:03
SHA256: 92:59:1E:F4:C9:BC:72:43:1C:59:57:24:AD:78:CA:A2:DB:C7:C5:AC:B1:A3:E8:52:04:B2:00:37:53:04:0B:8E
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1Copy the SHA1 fingerprint from the results that appear in your terminal.
Important: When you prepare to release your app to your users, follow these steps again in a production project and create a new OAuth 2.0 client ID for your production app. For production apps, use your own private key to sign the production app's .apk file. For more information, see Signing your applications.
You can verify ownership of your Android application to reduce the risk of app impersonation. Learn more about verifying ownership of your Android application.
If your application accesses APIs directly from iOS, you will need the application's Bundle ID and, optionally, its Apple App Store ID and Team ID:
The application's Bundle ID is the bundle identifier as listed in the app's .plist file. For example: com.example.myapp.
The application's App Store ID is in the app's App Store URL, if the app was published in the Apple App Store. For example, in the app URL https://apps.apple.com/us/app/google/id284815942, the App Store ID is 284815942.
The application's Team ID is a 10-character string that Apple assigns to your team. For information about your Team ID, see Locating your Team ID in the Apple App Distribution Guide.
After creating your iOS credentials and obtaining a Client ID, you use the Installed Application OAuth 2.0 flow to communicate with Google APIs.
Enable App CheckWhen you enable App Check, Apple's App Attest service is used to verify that OAuth 2.0 requests originating from your OAuth client are genuine and come from your app. This helps to reduce the risk of app impersonation. Learn more about enabling App Check for your iOS app.
To enable App Check, turn on the Protect your OAuth client from abuse with Firebase App Check toggle button in the create/edit view of your iOS client.
The following requirements must be met to successfully enable App Check for your iOS client:
If your application runs on Universal Windows Platform, you will need your app’s 12-character Store ID. You can find this value in the Partner Center, on the App identity page of the App management section. This value can also be found as the last part of your app's Microsoft Store URL. For example: https://www.microsoft.com/store/apps/YOUR_STORE_ID
Google Chrome apps and extensions are a special case of installed applications. Chrome exposes JavaScript APIs to allow your Chrome apps and extensions to perform various operations. Some of these APIs rely on knowing the identity of the user who is signed in to Chrome. If you're writing a Chrome app or extension that calls APIs that need to know the user's identity, and you want your app or extension to get user authorization for these requests using OAuth 2.0, then choose Chrome as the platform when you create your credentials. You will need to enter your Chrome app or extension's Application ID. The Item ID is the last part of your Chrome Extension's Chrome Web Store URL. For more information about these APIs, see the User Authentication documentation.
Verify app ownershipYou can verify ownership of your Chrome application to reduce the risk of app impersonation. Learn more about verifying ownership of your Chrome application.
TVs and Limited-input devicesThe console does not require any additional information to create OAuth 2.0 credentials for applications running on limited-input devices, such as TVs.
Desktop appsThe console does not require any additional information to create OAuth 2.0 credentials for desktop applications.
Delete OAuth ClientsTo delete a client ID, go to the Clients page, check the box next to the ID you want to delete, and then click the DELETE button.
Before deleting a Client ID, ensure to check the ID is not in use by monitoring your traffic in the overview page.
You can restore deleted clients within 30 days of the deletion. To restore a recently deleted client, navigate to the Deleted credentials page to find a list of clients you recently deleted and click the RESTORE button for the client you want to restore.
Any client deleted over 30 days ago cannot be restored and is permanently deleted.
Note : Clients can also be automatically deleted if they become inactive. Learn more.
Rotating your clients secretsClient secrets or credentials should be treated with extreme care as described in the OAuth 2.0 policies, because they allow anyone who has them to use your app's identity to gain access to user information. With the client secret rotation feature, you can add a new secret to your OAuth client configuration, migrate to the new secret while the old secret is still usable, and disable the old secret afterwards. This is useful when the client secret has been inadvertently disclosed or leaked. This also ensures good security practices by occasionally rotating your secrets without causing downtime of your app. In addition, Google started to issue more secure client secrets recommended by RFC 6749 in 2021. While apps that were created earlier are able to continue using the old secrets, we recommend that you migrate to the new secret with this rotation feature.
To rotate your client secret, please follow the following steps:
Step 1: Create a new client secretNote 1: Both secrets can be used until you manually disable them. You must update your app to use the new secret and disable the old one as soon as possible after creating it to minimize security risks.
Note 2: You can only have two client secrets at maximum. If the client already has two secrets, to create a new secret, you must first disable and delete an existing secret.
Step 2: Configure your app to use the new secretNext, update your app to use the new secret. Remember to handle your client secrets securely as described in the OAuth 2.0 policies.
You need to monitor your app and make sure the new secret has fully taken effect. In other words, make sure the old secret is not used anywhere in your app. Check the metrics and configurations used by your app to confirm that only the new client secret is used, for example:
Having more than one enabled secrets for a client increases security risks. Once you confirm that your app has fully migrated to the new secret per the instructions in Step 2, you must disable the old secret.
: A disabled client secret will be rejected in OAuth flows. You are expected to continuously monitor your app and see if it’s working properly. In case you notice the app is failing because it is still using the old secret, you may click
Enableto reinstate the secret on your client details page in the
Google Auth Platform Clients page. In this case, you should redo this step after completing the migration.
Step 4: Delete the old secretOnce you've confirmed that your app is working seamlessly with the new client secret, you are safe to delete the disabled old secret. To delete the secret, click the delete button next to it. Note that this cannot be undone.
Unused Client DeletionOAuth 2.0 clients that have been inactive for six months are automatically deleted. This mitigates risks associated with unused client credentials, such as potential app impersonation or unauthorized data access if credentials are compromised.
An OAuth 2.0 client is considered unused if neither of the following actions have occurred within the past six months:
You will receive an email notification 30 days before an inactive client is scheduled for deletion. To prevent the automatic deletion of a client you still require, ensure it is used for an authorization or authorization request before the 30 days elapses.
A notification will also be sent after the client has been successfully deleted.
Note : You should only take action to prevent deletion if you actively require the client. Keeping unused clients active unnecessarily increases security risk for your application. If you determine a client is no longer needed, delete it yourself via the Google Auth Platform Clients page. Do not wait for the automatic deletion process.
Once an OAuth 2.0 client is deleted:
deleted_client error.Deleted clients are typically recoverable at least 30 days following deletion. To restore a deleted client, navigate to the Deleted Credentials page. Only restore a client if you have a confirmed, ongoing need for it.
To ensure that you receive these notifications and others related to your app, review your contact information settings.
Note: This feature is currently available for new clients created after June 2025 and will be extended to existing clients at a later date.
In April 2025, we announced that client secrets for OAuth 2.0 clients are only visible and downloadable from the Google Cloud Console at the time of their creation.
Client secrets add a critical layer of security to your OAuth 2.0 client ID, functioning similarly to a password for your application. Protecting these secrets is important for maintaining application security and privacy. To prevent accidental exposure and increase protection, client secrets are hashed. This means you will only be able to view and download the full client secret once, at the time of its creation.
It is important that you download your OAuth 2.0 client secrets immediately upon creation and store them in a secure manner, for example in a secret manager such as Google Cloud Secret Manager.
After the initial creation, the Google Cloud Console will only display the last four characters of the client secret. This truncated version is provided solely for identification purposes, allowing you to distinguish between your client secrets. If you lose your client secret, you can use the client secret rotation feature to get a new one.
Best Practices for Client Secret Management
How can we improve it?
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4