Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to add support in your API for user authentication from
client applications using Cloud Endpoints Frameworks. Note that
Android and JavaScript clients are currently supported.
Endpoints Frameworks supports user authentication from client
applications that use any of the following methodologies:
No matter which authentication method you use, in each API method where you want
to check for proper authentication, you must check for a valid User as
described in the following sections:
To support calls from clients that use Firebase Auth:
If you haven't already done so, create a Firebase project. Firebase projects
are Google Cloud console projects that use Firebase services. For more
information, see
What is a Firebase project?
and the
Firebase documentation.
Add the following to your
@Api
or method annotation:
Add an authenticators parameter to your annotation, set to the value
{EspAuthenticator.class}.
Add an issuers parameter containing an @ApiIssuer set to Firebase.
Add an issuerAudiences parameter containing an @ApiIssuerAudience
set to Firebase and your project ID.
Replace VERSION_NUMBER with your API version, for
example, v1.
Replace both instances of YOUR_PROJECT_ID with
your Firebase project ID.
In your API implementation code, import Users:
importcom.google.api.server.spi.auth.common.User;
In each API method where you want to check for proper authentication,
check for a valid User and throw an exception if there isn't one, as
shown in this sample method definition:
You can add Firebase authentication to your code as described in the
Firebase
documentation. The client must have a Google Cloud project
associated with it, and the project ID must be listed in the API's Firebase
issuer configuration as shown in the preceding section.
Authenticating with Auth0
To support calls from clients that use Auth0:
Add the following to your
@Api
or method annotation:
Add an authenticators parameter to your annotation, set to the value
{EspAuthenticator.class}.
Add an issuers parameter containing an @ApiIssuer set to Auth0.
Add an issuerAudiences parameter containing an @ApiIssuerAudience
set to Auth0 and your Auth0 client ID.
Replace VERSION_NUMBER with your API version, for
example, v1.
Replace YOUR_ACCOUNT_NAME with the Auth0 account
name used for the client.
Replace AUTH0_CLIENT_ID with the ID you want to
use for your client.
In your API implementation code, import Users:
importcom.google.api.server.spi.auth.common.User;
In each API method where you want to check for proper authentication,
check for a valid User and throw an exception if there isn't one, as
shown in this sample method definition:
You can add Auth0 authentication to your code as described in the
Auth0
documentation. The client must be listed in the API's Auth0 issuer
configuration.
Authenticating with Google ID tokens
To support calls from clients that authenticate using Google ID tokens:
Obtain an OAuth 2 client ID for each client application. The client
application owner must generate the client ID from the Google Cloud console.
For instructions, see
Creating client IDs.
Add a clientIds entry containing the client ID for each client app
you are granting access to, and an audiences entry as well for each
Android client, in your
@Api annotation.
For example:
@Api(
name = "YOUR_API_NAME",
version = "VERSION_NUMBER",
clientIds = {"YOUR_CLIENT_ID"},
audiences = {"YOUR_CLIENT_ID"}
)
Replace YOUR_API_NAME with the name of your API.
Replace VERSION_NUMBER with your API version, for
example, v1.
Replace YOUR_CLIENT_ID with the OAuth 2 client ID
that was generated in the client application project.
In your API implementation code, import Users:
importcom.google.api.server.spi.auth.common.User;
In each API method where you want to check for proper authentication, check
for a valid User and throw an exception if there isn't one, as
shown in this sample method definition:
If you use a JWT in your client to send authenticated requests to the API, the
JWT must be in the authorization header of a HTTP request. The JWT should have
the following required claims:
iss
sub
aud
iat
exp
What's next
For background information about user authentication and how it differs from
API key authorization, see
When and why to use API keys.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eThis guide outlines how to enable user authentication in your API using Cloud Endpoints Frameworks, currently supporting Android and JavaScript clients.\u003c/p\u003e\n"],["\u003cp\u003eEndpoints Frameworks allows authentication via Firebase Auth, Auth0, or Google ID tokens, and each method requires checking for a valid \u003ccode\u003eUser\u003c/code\u003e in the API method.\u003c/p\u003e\n"],["\u003cp\u003eTo implement authentication, you must configure \u003ccode\u003e@Api\u003c/code\u003e or method annotations with appropriate \u003ccode\u003eauthenticators\u003c/code\u003e, \u003ccode\u003eissuers\u003c/code\u003e, and \u003ccode\u003eissuerAudiences\u003c/code\u003e parameters specific to your chosen authentication method (Firebase, Auth0, or Google ID).\u003c/p\u003e\n"],["\u003cp\u003eAPI methods must include a check for a valid \u003ccode\u003eUser\u003c/code\u003e, throwing an \u003ccode\u003eUnauthorizedException\u003c/code\u003e if the user is null, and you should redeploy your API after adding clients or changing any configurations.\u003c/p\u003e\n"],["\u003cp\u003eWhen using JWT in clients, the JWT should be included in the authorization header of HTTP requests and must contain \u003ccode\u003eiss\u003c/code\u003e, \u003ccode\u003esub\u003c/code\u003e, \u003ccode\u003eaud\u003c/code\u003e, \u003ccode\u003eiat\u003c/code\u003e, and \u003ccode\u003eexp\u003c/code\u003e claims.\u003c/p\u003e\n"]]],[],null,["# Authenticating users\n\nThis page describes how to add support in your API for user authentication from\nclient applications using Cloud Endpoints Frameworks. Note that\nAndroid and JavaScript clients are currently supported.\n\nEndpoints Frameworks supports user authentication from client\napplications that use any of the following methodologies:\n\n- [Firebase Auth](https://firebase.google.com/docs/auth/)\n- [Auth0](http://auth0.com)\n- [Google ID tokens](/endpoints/docs/frameworks/glossary#google_id_token)\n\nNo matter which authentication method you use, in each API method where you want\nto check for proper authentication, you must check for a valid `User` as\ndescribed in the following sections:\n\n- [Authenticating with Firebase Auth](#authenticating_with_firebase_auth)\n- [Authenticating with Auth0](#authenticating_with_auth0)\n- [Authenticating with Google ID tokens](#google-id-tokens)\n\nPrerequisites\n-------------\n\nThis page assumes that you have already:\n\n- Created a [Google Cloud\n project](/resource-manager/docs/creating-managing-projects).\n\n- [Added API management](/endpoints/docs/frameworks/java/adding-api-management).\n\nAuthenticating with Firebase Auth\n---------------------------------\n\nTo support calls from clients that use Firebase Auth:\n\n1. If you haven't already done so, create a Firebase project. Firebase projects\n are Google Cloud console projects that use Firebase services. For more\n information, see\n [What is a Firebase project?](https://support.google.com/firebase/answer/6399760?hl=en)\n and the\n [Firebase documentation](https://firebase.google.com/docs/).\n\n2. Add the following to your\n [`@Api`](/endpoints/docs/frameworks/java/annotations#api_api-scoped_annotations)\n or method annotation:\n\n - Add an `authenticators` parameter to your annotation, set to the value `{EspAuthenticator.class}`.\n - Add an `issuers` parameter containing an `@ApiIssuer` set to Firebase.\n - Add an `issuerAudiences` parameter containing an `@ApiIssuerAudience` set to Firebase and your project ID.\n\n For example: \n\n ```\n @Api(\n name = \"YOUR_API_NAME\",\n version = \"VERSION_NUMBER\",\n authenticators = {EspAuthenticator.class},\n issuers = {\n @ApiIssuer(\n name = \"firebase\",\n issuer = \"https://securetoken.google.com/YOUR_PROJECT_ID\",\n jwksUri = \"https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com\")\n },\n issuerAudiences = {\n @ApiIssuerAudience(name = \"firebase\", audiences = \"YOUR_PROJECT_ID\")\n })\n ```\n - Replace \u003cvar translate=\"no\"\u003eYOUR_API_NAME\u003c/var\u003e with the name of your API.\n - Replace \u003cvar translate=\"no\"\u003eVERSION_NUMBER\u003c/var\u003e with your API version, for example, `v1`.\n - Replace both instances of \u003cvar translate=\"no\"\u003eYOUR_PROJECT_ID\u003c/var\u003e with your Firebase project ID.\n3. In your API implementation code, import `Users`:\n\n import com.google.api.server.spi.auth.common.User;\n\n4. In each API method where you want to check for proper authentication,\n check for a valid `User` and throw an exception if there isn't one, as\n shown in this sample method definition:\n\n @ApiMethod(httpMethod = ApiMethod.HttpMethod.GET)\n public Email getUserEmail(User user) throws UnauthorizedException {\n if (user == null) {\n throw new UnauthorizedException(\"Invalid credentials\");\n }\n\n Email response = new Email();\n response.setEmail(user.getEmail());\n return response;\n }\n\n5. [Redeploy the API](/endpoints/docs/frameworks/java/test-deploy)\n whenever you add new clients.\n\n### Adding Firebase authentication to a client\n\nYou can add Firebase authentication to your code as described in the\n[Firebase](https://firebase.google.com/docs/auth/)\ndocumentation. The client must have a Google Cloud project\nassociated with it, and the project ID must be listed in the API's Firebase\nissuer configuration as shown in the preceding section.\n\nAuthenticating with Auth0\n-------------------------\n\nTo support calls from clients that use Auth0:\n\n1. Add the following to your\n [`@Api`](/endpoints/docs/frameworks/java/annotations#api_api-scoped_annotations)\n or method annotation:\n\n - Add an `authenticators` parameter to your annotation, set to the value `{EspAuthenticator.class}`.\n - Add an `issuers` parameter containing an `@ApiIssuer` set to Auth0.\n - Add an `issuerAudiences` parameter containing an `@ApiIssuerAudience` set to Auth0 and your Auth0 client ID.\n\n For example: \n\n ```\n @Api(\n name = \"YOUR_API_NAME\",\n version = \"VERSION_NUMBER\",\n authenticators = {EspAuthenticator.class},\n issuers = {\n @ApiIssuer(\n name = \"auth0\",\n issuer = \"https://YOUR_ACCOUNT_NAME.auth0.com/\",\n jwksUri = \"https://YOUR_ACCOUNT_NAME.auth0.com/.well-known/jwks.json\")\n },\n issuerAudiences = {\n @ApiIssuerAudience(name = \"auth0\", audiences = \"AUTH0_CLIENT_ID\")\n })\n ```\n - Replace \u003cvar translate=\"no\"\u003eYOUR_API_NAME\u003c/var\u003e with the name of your API.\n - Replace \u003cvar translate=\"no\"\u003eVERSION_NUMBER\u003c/var\u003e with your API version, for example, `v1`.\n - Replace \u003cvar translate=\"no\"\u003eYOUR_ACCOUNT_NAME\u003c/var\u003e with the Auth0 account name used for the client.\n - Replace \u003cvar translate=\"no\"\u003eAUTH0_CLIENT_ID\u003c/var\u003e with the ID you want to use for your client.\n2. In your API implementation code, import `Users`:\n\n import com.google.api.server.spi.auth.common.User;\n\n3. In each API method where you want to check for proper authentication,\n check for a valid `User` and throw an exception if there isn't one, as\n shown in this sample method definition:\n\n @ApiMethod(httpMethod = ApiMethod.HttpMethod.GET)\n public Email getUserEmail(User user) throws UnauthorizedException {\n if (user == null) {\n throw new UnauthorizedException(\"Invalid credentials\");\n }\n\n Email response = new Email();\n response.setEmail(user.getEmail());\n return response;\n }\n\n4. [Redeploy the API](/endpoints/docs/frameworks/java/test-deploy)\n whenever you add new clients.\n\n### Adding Auth0 authentication to a client\n\nYou can add Auth0 authentication to your code as described in the\n[Auth0](http://auth0.com)\ndocumentation. The client must be listed in the API's Auth0 issuer\nconfiguration.\n\nAuthenticating with Google ID tokens\n------------------------------------\n\nTo support calls from clients that authenticate using Google ID tokens:\n\n1. Obtain an OAuth 2 client ID for each client application. The client\n application owner must generate the client ID from the Google Cloud console.\n For instructions, see\n [Creating client IDs](/endpoints/docs/frameworks/java/creating-client-ids).\n\n2. Add a `clientIds` entry containing the client ID for each client app\n you are granting access to, and an `audiences` entry as well for each\n Android client, in your\n [`@Api` annotation](/endpoints/docs/frameworks/java/annotations#api_api-scoped_annotations).\n\n For example: \n\n ```\n @Api(\n name = \"YOUR_API_NAME\",\n version = \"VERSION_NUMBER\",\n clientIds = {\"YOUR_CLIENT_ID\"},\n audiences = {\"YOUR_CLIENT_ID\"}\n )\n ```\n - Replace \u003cvar translate=\"no\"\u003eYOUR_API_NAME\u003c/var\u003e with the name of your API.\n - Replace \u003cvar translate=\"no\"\u003eVERSION_NUMBER\u003c/var\u003e with your API version, for example, `v1`.\n - Replace \u003cvar translate=\"no\"\u003eYOUR_CLIENT_ID\u003c/var\u003e with the OAuth 2 client ID that was generated in the client application project.\n3. In your API implementation code, import `Users`:\n\n import com.google.api.server.spi.auth.common.User;\n\n4. In each API method where you want to check for proper authentication, check\n for a valid `User` and throw an exception if there isn't one, as\n shown in this sample method definition:\n\n @ApiMethod(httpMethod = ApiMethod.HttpMethod.GET)\n public Email getUserEmail(User user) throws UnauthorizedException {\n if (user == null) {\n throw new UnauthorizedException(\"Invalid credentials\");\n }\n\n Email response = new Email();\n response.setEmail(user.getEmail());\n return response;\n }\n\n5. [Redeploy the API](/endpoints/docs/frameworks/java/test-deploy)\n whenever you add new clients.\n\n### Adding Google ID tokens authentication to a client\n\nFor information on adding authentication code to clients, see the following:\n\n- [Android app](/endpoints/docs/frameworks/java/calling-from-android)\n\nSending a JWT in your client\n----------------------------\n\nIf you use a JWT in your client to send authenticated requests to the API, the\nJWT must be in the authorization header of a HTTP request. The JWT should have\nthe following required claims:\n\n- `iss`\n- `sub`\n- `aud`\n- `iat`\n- `exp`\n\nWhat's next\n-----------\n\nFor background information about user authentication and how it differs from\nAPI key authorization, see\n[When and why to use API keys](/endpoints/docs/frameworks/java/when-why-api-key)."]]
