Package google.cloud.identitytoolkit.v1

Index

AccountManagementService (interface)
AuthenticationService (interface)
ProjectConfigService (interface)
SessionManagementService (interface)
Argon2Parameters (message)
Argon2Parameters.HashType (enum)
Argon2Parameters.Version (enum)
BatchDeleteAccountsRequest (message)
BatchDeleteAccountsResponse (message)
BatchDeleteAccountsResponse.BatchDeleteErrorInfo (message)
ClientType (enum)
CreateAuthUriRequest (message)
CreateAuthUriResponse (message)
CreateSessionCookieRequest (message)
CreateSessionCookieResponse (message)
DeleteAccountRequest (message)
DeleteAccountResponse (message)
DownloadAccountRequest (message)
DownloadAccountResponse (message)
EmailInfo (message)
EmailTemplate (message)
EmailTemplate.EmailBodyFormat (enum)
ErrorInfo (message)
GetAccountInfoRequest (message)
GetAccountInfoRequest.FederatedUserIdentifier (message)
GetAccountInfoResponse (message)
GetOobCodeRequest (message)
GetOobCodeResponse (message)
GetProjectConfigRequest (message)
GetProjectConfigResponse (message)
GetRecaptchaParamResponse (message)
GetSessionCookiePublicKeysResponse (message)
IdpConfig (message)
IdpConfig.Provider (enum)
IssueSamlResponseRequest (message)
IssueSamlResponseResponse (message)
MfaEnrollment (message)
OobReqType (enum)
OpenIdConnectKey (message)
ProviderUserInfo (message)
QueryUserInfoRequest (message)
QueryUserInfoRequest.Order (enum)
QueryUserInfoRequest.SortByField (enum)
QueryUserInfoRequest.SqlExpression (message)
QueryUserInfoResponse (message)
RecaptchaVersion (enum)
ResetPasswordRequest (message)
ResetPasswordResponse (message)
SendVerificationCodeRequest (message)
SendVerificationCodeRequest.AutoRetrievalInfo (message)
SendVerificationCodeResponse (message)
SetAccountInfoRequest (message)
SetAccountInfoRequest.MfaInfo (message)
SetAccountInfoRequest.UserAttributeName (enum)
SetAccountInfoResponse (message)
SignInWithCustomTokenRequest (message)
SignInWithCustomTokenResponse (message)
SignInWithEmailLinkRequest (message)
SignInWithEmailLinkResponse (message)
SignInWithGameCenterRequest (message)
SignInWithGameCenterResponse (message)
SignInWithIdpRequest (message)
SignInWithIdpResponse (message)
SignInWithPasswordRequest (message)
SignInWithPasswordResponse (message)
SignInWithPhoneNumberRequest (message)
SignInWithPhoneNumberRequest.VerifyOp (enum)
SignInWithPhoneNumberResponse (message)
SignUpRequest (message)
SignUpRequest.MfaFactor (message)
SignUpResponse (message)
TotpInfo (message)
UploadAccountRequest (message)
UploadAccountRequest.PasswordHashOrder (enum)
UploadAccountResponse (message)
UserInfo (message)
UserNotification (message)
UserNotification.NotificationCode (enum)
VerifyIosClientRequest (message)
VerifyIosClientResponse (message)

AccountManagementService

Account management for Identity Toolkit

BatchDeleteAccounts

rpc BatchDeleteAccounts( BatchDeleteAccountsRequest ) returns ( BatchDeleteAccountsResponse )

Batch deletes multiple accounts. For accounts that fail to be deleted, error info is contained in the response. The method ignores accounts that do not exist or are duplicated in the request.

This method requires a Google OAuth 2.0 credential with proper permissions .

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/firebase
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

DeleteAccount

rpc DeleteAccount( DeleteAccountRequest ) returns ( DeleteAccountResponse )

Deletes a user's account.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

DownloadAccount

rpc DownloadAccount( DownloadAccountRequest ) returns ( DownloadAccountResponse )

Download account information for all accounts on the project in a paginated manner. To use this method requires a Google OAuth 2.0 credential with proper permissions .. Furthermore, additional permissions are needed to get password hash, password salt, and password version from accounts; otherwise these fields are redacted.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/firebase
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

GetAccountInfo

rpc GetAccountInfo( GetAccountInfoRequest ) returns ( GetAccountInfoResponse )

Gets account information for all matched accounts. For an end user request, retrieves the account of the end user. For an admin request with Google OAuth 2.0 credential, retrieves one or multiple account(s) with matching criteria.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

GetOobCode

rpc GetOobCode( GetOobCodeRequest ) returns ( GetOobCodeResponse )

Sends an out-of-band confirmation code for an account. Requests from a authenticated request can optionally return a link including the OOB code instead of sending it.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

QueryUserInfo

rpc QueryUserInfo( QueryUserInfoRequest ) returns ( QueryUserInfoResponse )

Looks up user accounts within a project or a tenant based on conditions in the request.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/firebase
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

ResetPassword

rpc ResetPassword( ResetPasswordRequest ) returns ( ResetPasswordResponse )

Resets the password of an account either using an out-of-band code generated by [sendOobCode][v1.accounts.sendOobCode] or by specifying the email and password of the account to be modified. Can also check the purpose of an out-of-band code without consuming it.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SetAccountInfo

rpc SetAccountInfo( SetAccountInfoRequest ) returns ( SetAccountInfoResponse )

Updates account-related information for the specified user by setting specific fields or applying action codes. Requests from administrators and end users are supported.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

UploadAccount

rpc UploadAccount( UploadAccountRequest ) returns ( UploadAccountResponse )

Uploads multiple accounts into the Google Cloud project. If there is a problem uploading one or more of the accounts, the rest will be uploaded, and a list of the errors will be returned. To use this method requires a Google OAuth 2.0 credential with proper permissions .

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/firebase
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

AuthenticationService

Authentication for Identity Toolkit

CreateAuthUri

rpc CreateAuthUri( CreateAuthUriRequest ) returns ( CreateAuthUriResponse )

If an email identifier is specified, checks and returns if any user account is registered with the email. If there is a registered account, fetches all providers associated with the account's email.

If the provider ID of an Identity Provider (IdP) is specified, creates an authorization URI for the IdP. The user can be directed to this URI to sign in with the IdP.

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

GetPublicKeys

rpc GetPublicKeys( Empty ) returns ( Struct )

Retrieves public keys of the legacy Identity Toolkit token signer to enable third parties to verify the legacy ID token. For now the X509 pem cert is the only format supported.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

GetRecaptchaParam

rpc GetRecaptchaParam( Empty ) returns ( GetRecaptchaParamResponse )

Gets parameters needed for generating a reCAPTCHA challenge.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

IssueSamlResponse

rpc IssueSamlResponse( IssueSamlResponseRequest ) returns ( IssueSamlResponseResponse )

Experimental

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SendVerificationCode

rpc SendVerificationCode( SendVerificationCodeRequest ) returns ( SendVerificationCodeResponse )

Sends a SMS verification code for phone number sign-in.

To localize the text of the SMS sent to the user, set the HTTP header X-Firebase-Locale to the language code that corresponds with the user's locale.

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SignInWithCustomToken

rpc SignInWithCustomToken( SignInWithCustomTokenRequest ) returns ( SignInWithCustomTokenResponse )

Signs in or signs up a user by exchanging a custom Auth token. Upon a successful sign-in or sign-up, a new Identity Platform ID token and refresh token are issued for the user.

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SignInWithEmailLink

rpc SignInWithEmailLink( SignInWithEmailLinkRequest ) returns ( SignInWithEmailLinkResponse )

Signs in or signs up a user with a out-of-band code from an email link. If a user does not exist with the given email address, a user record will be created. If the sign-in succeeds, an Identity Platform ID and refresh token are issued for the authenticated user.

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SignInWithGameCenter

rpc SignInWithGameCenter( SignInWithGameCenterRequest ) returns ( SignInWithGameCenterResponse )

Signs in or signs up a user with iOS Game Center credentials. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user. The bundle ID is required in the request header as x-ios-bundle-identifier .

An API key is required in the request in order to identify the Google Cloud project.

Apple has deprecated the playerID field . The Apple platform Firebase SDK will use gamePlayerID and teamPlayerID from version 10.5.0 and onwards. Upgrading to SDK version 10.5.0 or later updates existing integrations that use playerID to instead use gamePlayerID and teamPlayerID . When making calls to signInWithGameCenter , you must include playerID along with the new fields gamePlayerID and teamPlayerID to successfully identify all existing users.

Upgrading existing Game Center sign in integrations to SDK version 10.5.0 or later is irreversible.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SignInWithIdp

rpc SignInWithIdp( SignInWithIdpRequest ) returns ( SignInWithIdpResponse )

Signs in or signs up a user using credentials from an Identity Provider (IdP). This is done by manually providing an IdP credential, or by providing the authorization response obtained via the authorization request from CreateAuthUri. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user.

A new Identity Platform user account will be created if the user has not previously signed in to the IdP with the same account. In addition, when the "One account per email address" setting is enabled, there should not be an existing Identity Platform user account with the same email address for a new user account to be created.

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SignInWithPassword

rpc SignInWithPassword( SignInWithPasswordRequest ) returns ( SignInWithPasswordResponse )

Signs in a user with email and password. If the sign-in succeeds, a new Identity Platform ID token and refresh token are issued for the authenticated user.

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SignInWithPhoneNumber

rpc SignInWithPhoneNumber( SignInWithPhoneNumberRequest ) returns ( SignInWithPhoneNumberResponse )

Completes a phone number authentication attempt. If a user already exists with the given phone number, an ID token is minted for that user. Otherwise, a new user is created and associated with the phone number. This method may also be used to link a phone number to an existing user.

To localize the text of the SMS sent to the user, set the HTTP header X-Firebase-Locale to the language code that corresponds with the user's locale.

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SignUp

rpc SignUp( SignUpRequest ) returns ( SignUpResponse )

Signs up a new email and password user or anonymous user, or upgrades an anonymous user to email and password. For an admin request with a Google OAuth 2.0 credential with the proper permissions , creates a new anonymous, email and password, or phone number user.

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

VerifyIosClient

rpc VerifyIosClient( VerifyIosClientRequest ) returns ( VerifyIosClientResponse )

Verifies an iOS client is a real iOS device. If the request is valid, a receipt will be sent in the response and a secret will be sent via Apple Push Notification Service. The client should send both of them back to certain Identity Platform APIs in a later call (for example, /accounts:sendVerificationCode), in order to verify the client. The bundle ID is required in the request header as x-ios-bundle-identifier .

An API key is required in the request in order to identify the Google Cloud project.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

ProjectConfigService

Project configuration for Identity Toolkit

GetProjectConfig

rpc GetProjectConfig( GetProjectConfigRequest ) returns ( GetProjectConfigResponse )

Gets a project's public Identity Toolkit configuration. (Legacy) This method also supports authenticated calls from a developer to retrieve non-public configuration.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

SessionManagementService

Session management for Identity Platform.

CreateSessionCookie

rpc CreateSessionCookie( CreateSessionCookieRequest ) returns ( CreateSessionCookieResponse )

Creates a session cookie for the given Identity Platform ID token. The session cookie is used by the client to preserve the user's login state.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/identitytoolkit
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview .

GetSessionCookiePublicKeys

rpc GetSessionCookiePublicKeys( Empty ) returns ( GetSessionCookiePublicKeysResponse )

Retrieves the set of public keys of the session cookie JSON Web Token (JWT) signer that can be used to validate the session cookie created through [createSessionCookie][v1.projects.createSessionCookie].

Argon2Parameters

The parameters for Argon2 hashing algorithm.

Fields
`hash_length_bytes`	`int32` Required. The desired hash length in bytes. Minimum is 4 and maximum is 1024.
`hash_type`	`HashType` Required. Must not be HASH_TYPE_UNSPECIFIED.
`parallelism`	`int32` Required. The degree of parallelism, also called threads or lanes. Minimum is 1, maximum is 16.
`iterations`	`int32` Required. The number of iterations to perform. Minimum is 1, maximum is 16.
`memory_cost_kib`	`int32` Required. The memory cost in kibibytes. Maximum is 32768.
`version`	`Version` The version of the Argon2 algorithm. This defaults to VERSION_13 if not specified.
`associated_data`	`bytes` The additional associated data, if provided, is appended to the hash value to provide an additional layer of security. A base64-encoded string if specified via JSON.

HashType

The types of the algorithm.

Enums
`HASH_TYPE_UNSPECIFIED`	The hash type is not specified.
`ARGON2_D`	An Argon2 variant, Argon2d.
`ARGON2_ID`	An Argon2 variant, Argonid. Recommended.
`ARGON2_I`	An Argon2 variant, Argon2i.

Version

The verion of the algorithm.

Enums
`VERSION_UNSPECIFIED`	The version is not specified.
`VERSION_10`	The previous version, 0x10.
`VERSION_13`	The current version, 0x13. The default value for version.

BatchDeleteAccountsRequest

Request message for BatchDeleteAccounts.

Fields

target_project_id

string

If tenant_id is specified, the ID of the Google Cloud project that the Identity Platform tenant belongs to. Otherwise, the ID of the Google Cloud project that accounts belong to.

Authorization requires the following IAM permission on the specified resource targetProjectId :

firebaseauth.users.delete

local_ids[]

string

Required. List of user IDs to be deleted.

force

bool

Whether to force deleting accounts that are not in disabled state. If false, only disabled accounts will be deleted, and accounts that are not disabled will be added to the errors .

tenant_id

string

If the accounts belong to an Identity Platform tenant, the ID of the tenant. If the accounts belong to a default Identity Platform project, the field is not needed.

BatchDeleteAccountsResponse

Response message to BatchDeleteAccounts.

Fields

Fields
`errors[]`	`BatchDeleteErrorInfo` Detailed error info for accounts that cannot be deleted.

errors[]

BatchDeleteErrorInfo

Detailed error info for accounts that cannot be deleted.

BatchDeleteErrorInfo

Error info for account failed to be deleted.

Fields

Fields
`index`	`int32` The index of the errored item in the original local_ids field.
`local_id`	`string` The corresponding user ID.
`error_message`	`string` Detailed error message.

index

int32

The index of the errored item in the original local_ids field.

local_id

string

The corresponding user ID.

error_message

string

Detailed error message.

ClientType

The client's platform type: web, android or ios.

Enums
`CLIENT_TYPE_UNSPECIFIED`	Client type is not specified.
`CLIENT_TYPE_WEB`	Client type is web.
`CLIENT_TYPE_ANDROID`	Client type is android.
`CLIENT_TYPE_IOS`	Client type is ios.

CreateAuthUriRequest

Request message for CreateAuthUri.

Fields
`identifier`	`string` The email identifier of the user account to fetch associated providers for. At least one of the fields `identifier` and `provider_id` must be set. The length of the email address should be less than 256 characters and in the format of `name@domain.tld` . The email address should also match the RFC 822 addr-spec production.
`continue_uri`	`string` A valid URL for the IdP to redirect the user back to. The URL cannot contain fragments or the reserved `state` query parameter.
`openid_realm (deprecated)`	`string` This item is deprecated!
`provider_id`	`string` The provider ID of the IdP for the user to sign in with. This should be a provider ID enabled for sign-in, which is either from the list of default supported IdPs , or of the format `oidc.` or `saml.` . Some examples are `google.com` , `facebook.com` , `oidc.testapp` , and `saml.testapp` . At least one of the fields `identifier` and `provider_id` must be set.
`oauth_consumer_key (deprecated)`	`string` This item is deprecated!
`oauth_scope`	`string` Additional space-delimited OAuth 2.0 scopes specifying the scope of the authentication request with the IdP. Used for OAuth 2.0 IdPs. For the Google provider, the authorization code flow will be used if this field is set.
`context`	`string` An opaque string used to maintain contextual information between the authentication request and the callback from the IdP.
`ota_app (deprecated)`	`string` This item is deprecated!
`app_id (deprecated)`	`string` This item is deprecated!
`hosted_domain`	`string` Used for the Google provider. The G Suite hosted domain of the user in order to restrict sign-in to users at that domain.
`session_id`	`string` A session ID that can be verified against in SignInWithIdp to prevent session fixation attacks. If absent, a random string will be generated and returned as the session ID.
`auth_flow_type`	`string` Used for the Google provider. The type of the authentication flow to be used. If present, this should be `CODE_FLOW` to specify the authorization code flow. Otherwise, the default ID Token flow will be used.
`custom_parameter`	`map<string, string>` Additional customized query parameters to be added to the authorization URI. The following parameters are reserved and cannot be added: `client_id` , `response_type` , `scope` , `redirect_uri` , `state` . For the Microsoft provider, the Azure AD tenant to sign-in to can be specified in the `tenant` custom parameter.
`tenant_id`	`string` The ID of the Identity Platform tenant to create an authorization URI or lookup an email identifier for. If not set, the operation will be performed in the default Identity Platform instance in the project.

CreateAuthUriResponse

Response message for CreateAuthUri.

Fields
`kind (deprecated)`	`string` This item is deprecated!
`auth_uri`	`string` The authorization URI for the requested provider. Present only when a provider ID is set in the request.
`all_providers[] (deprecated)`	`string` This item is deprecated!
`registered`	`bool` Whether the email identifier represents an existing account. Present only when an email identifier is set in the request.
`provider_id`	`string` The provider ID from the request, if provided.
`for_existing_provider`	`bool` Whether the user has previously signed in with the provider ID in the request. Present only when a registered email identifier is set in the request.
`captcha_required`	`bool` Whether a CAPTCHA is needed because there have been too many failed login attempts by the user. Present only when a registered email identifier is set in the request.
`session_id`	`string` The session ID from the request, or a random string generated by CreateAuthUri if absent. It is used to prevent session fixation attacks.
`signin_methods[]`	`string` The list of sign-in methods that the user has previously used. Each element is one of `password` , `emailLink` , or the provider ID of an IdP. Present only when a registered email identifier is set in the request. If email enumeration protection is enabled, this method returns an empty list.

CreateSessionCookieRequest

Request message for CreateSessionCookie.

Fields
`id_token`	`string` Required. A valid Identity Platform ID token.
`valid_duration`	`int64` The number of seconds until the session cookie expires. Specify a duration in seconds, between five minutes and fourteen days, inclusively.
`target_project_id`	`string` The ID of the project that the account belongs to.
`tenant_id`	`string` The tenant ID of the Identity Platform tenant the account belongs to.

CreateSessionCookieResponse

Response message for CreateSessionCookie.

Fields

session_cookie

string

The session cookie that has been created from the Identity Platform ID token specified in the request. It is in the form of a JSON Web Token (JWT). Always present.

DeleteAccountRequest

Request message for DeleteAccount.

Fields

local_id

string

The ID of user account to delete. Specifying this field requires a Google OAuth 2.0 credential with proper permissions . Requests from users lacking the credential should pass an ID token instead.

delegated_project_number
 (deprecated)

int64

id_token

string

The Identity Platform ID token of the account to delete. Require to be specified for requests from end users that lack Google OAuth 2.0 credential. Authenticated requests bearing a Google OAuth2 credential with proper permissions may pass local_id to specify the account to delete alternatively.

tenant_id

string

The ID of the tenant that the account belongs to, if applicable. Only require to be specified for authenticated requests bearing a Google OAuth 2.0 credential that specify local_id of an account that belongs to an Identity Platform tenant.

target_project_id

string

The ID of the project which the account belongs to. Should only be specified in authenticated requests that specify local_id of an account.

Authorization requires the following IAM permission on the specified resource targetProjectId :

firebaseauth.users.delete

DeleteAccountResponse

Response message for DeleteAccount.

Fields
`kind (deprecated)`	`string` This item is deprecated!

DownloadAccountRequest

Request message for DownloadAccount

Fields

delegated_project_number
 (deprecated)

int64

next_page_token

string

The pagination token from the response of a previous request.

max_results

int32

The maximum number of results to return. Must be at least 1 and no greater than 1000. By default, it is 20.

target_project_id

string

If tenant_id is specified, the ID of the Google Cloud project that the Identity Platform tenant belongs to. Otherwise, the ID of the Google Cloud project that the accounts belong to.

Authorization requires the following IAM permission on the specified resource targetProjectId :

firebaseauth.users.get

tenant_id

string

The ID of the Identity Platform tenant the accounts belongs to. If not specified, accounts on the Identity Platform project are returned.

DownloadAccountResponse

Response message for DownloadAccount.

Fields

kind
 (deprecated)

string

users[]

UserInfo

All accounts belonging to the project/tenant limited by max_results in the request.

next_page_token

string

If there are more accounts to be downloaded, a token that can be passed back to DownloadAccount to get more accounts. Otherwise, this is blank.

EmailInfo

Information about email MFA.

Fields

Fields
`email_address`	`string` Email address that a MFA verification should be sent to.

email_address

string

Email address that a MFA verification should be sent to.

EmailTemplate

Email template

Fields
`disabled`	`bool` Whether the template is disabled. If true, a default template will be used.
`from`	`string` From address of the email
`body`	`string` Email body
`subject`	`string` Subject of the email
`from_display_name`	`string` From display name
`format`	`EmailBodyFormat` Email body format
`reply_to`	`string` Reply-to address
`from_local_part`	`string` Local part of From address
`locale`	`string` Value is in III language code format (e.g. "zh-CN", "es"). Both '-' and '_' separators are accepted.
`customized`	`bool` Whether the body or subject of the email is customized.

EmailBodyFormat

Email body format

Enums
`EMAIL_BODY_FORMAT_UNSPECIFIED`	Default value. Do not use.
`PLAINTEXT`	Email body is in plain text format.
`HTML`	Email body is in HTML format.

ErrorInfo

Error information explaining why an account cannot be uploaded. batch upload.

Fields

Fields
`index`	`int32` The index of the item, range is [0, request.size - 1]
`error_message`	`string` Detailed error message

index

int32

The index of the item, range is [0, request.size - 1]

error_message

string

Detailed error message

GetAccountInfoRequest

Request message for GetAccountInfo.

Fields

id_token

string

The Identity Platform ID token of the account to fetch. Require to be specified for requests from end users.

local_id[]

string

The ID of one or more accounts to fetch. Should only be specified by authenticated requests bearing a Google OAuth 2.0 credential with proper permissions .

email[]

string

The email address of one or more accounts to fetch. The length of email should be less than 256 characters and in the format of name@domain.tld . The email should also match the RFC 822 addr-spec production. Should only be specified by authenticated requests from a developer.

delegated_project_number
 (deprecated)

int64

phone_number[]

string

The phone number of one or more accounts to fetch. Should only be specified by authenticated requests from a developer and should be in E.164 format, for example, +15555555555.

federated_user_id[]

FederatedUserIdentifier

tenant_id

string

The ID of the tenant that the account belongs to. Should only be specified by authenticated requests from a developer.

target_project_id

string

The ID of the Google Cloud project that the account or the Identity Platform tenant specified by tenant_id belongs to. Should only be specified by authenticated requests bearing a Google OAuth 2.0 credential with proper permissions .

Authorization requires the following IAM permission on the specified resource targetProjectId :

firebaseauth.users.get

initial_email[]

string

The initial email of one or more accounts to fetch. The length of email should be less than 256 characters and in the format of name@domain.tld . The email should also match the RFC 822 addr-spec production. Should only be specified by authenticated requests from a developer.

FederatedUserIdentifier

Federated user identifier at an Identity Provider.

Fields

Fields
`provider_id`	`string` The ID of supported identity providers. This should be a provider ID enabled for sign-in, which is either from the list of default supported IdPs , or of the format `oidc.` or `saml.` . Some examples are `google.com` , `facebook.com` , `oidc.testapp` , and `saml.testapp` .
`raw_id`	`string` The user ID of the account at the third-party Identity Provider specified by `provider_id` .

provider_id

string

The ID of supported identity providers. This should be a provider ID enabled for sign-in, which is either from the list of default supported IdPs , or of the format oidc.* or saml.* . Some examples are google.com , facebook.com , oidc.testapp , and saml.testapp .

raw_id

string

The user ID of the account at the third-party Identity Provider specified by provider_id .

GetAccountInfoResponse

Response message for GetAccountInfo.

Fields

kind
 (deprecated)

string

users[]

UserInfo

The information of specific user account(s) matching the parameters in the request.

GetOobCodeRequest

Request message for GetOobCode.

Fields

req_type

OobReqType

Required. The type of out-of-band (OOB) code to send. Depending on this value, other fields in this request will be required and/or have different meanings. There are 4 different OOB codes that can be sent: * PASSWORD_RESET * EMAIL_SIGNIN * VERIFY_EMAIL * VERIFY_AND_CHANGE_EMAIL

email

string

The account's email address to send the OOB code to, and generally the email address of the account that needs to be updated. Required for PASSWORD_RESET, EMAIL_SIGNIN, and VERIFY_EMAIL. Only required for VERIFY_AND_CHANGE_EMAIL requests when return_oob_link is set to true. In this case, it is the original email of the user.

challenge
 (deprecated)

string

captcha_resp

string

For a PASSWORD_RESET request, a reCaptcha response is required when the system detects possible abuse activity. In those cases, this is the response from the reCaptcha challenge used to verify the caller.

user_ip

string

The IP address of the caller. Required only for PASSWORD_RESET requests.

new_email

string

The email address the account is being updated to. Required only for VERIFY_AND_CHANGE_EMAIL requests.

id_token

string

An ID token for the account. It is required for VERIFY_AND_CHANGE_EMAIL and VERIFY_EMAIL requests unless return_oob_link is set to true.

continue_url

string

The Url to continue after user clicks the link sent in email. This is the url that will allow the web widget to handle the OOB code.

ios_bundle_id

string

If an associated iOS app can handle the OOB code, the iOS bundle id of this app. This will allow the correct app to open if it is already installed.

ios_app_store_id

string

If an associated iOS app can handle the OOB code, the App Store id of this app. This will allow App Store to open to the correct app if the app is not yet installed.

android_package_name

string

If an associated android app can handle the OOB code, the Android package name of the android app that will handle the callback when this OOB code is used. This will allow the correct app to open if it is already installed, or allow Google Play Store to open to the correct app if it is not yet installed.

android_install_app

bool

If an associated android app can handle the OOB code, whether or not to install the android app on the device where the link is opened if the app is not already installed.

android_minimum_version_code

string

If an associated android app can handle the OOB code, the minimum version of the app. If the version on the device is lower than this version then the user is taken to Google Play Store to upgrade the app.

can_handle_code_in_app

bool

When set to true, the OOB code link will be be sent as a Universal Link or an Android App Link and will be opened by the corresponding app if installed. If not set, or set to false, the OOB code will be sent to the web widget first and then on continue will redirect to the app if installed.

tenant_id

string

The tenant ID of the Identity Platform tenant the account belongs to.

target_project_id

string

The Project ID of the Identity Platform project which the account belongs to. To specify this field, it requires a Google OAuth 2.0 credential with proper permissions .

Authorization requires the following IAM permission on the specified resource targetProjectId :

firebaseauth.users.sendEmail

dynamic_link_domain

string

In order to ensure that the url used can be easily opened up in iOS or android, we create a Firebase Dynamic Link . Most Identity Platform projects will only have one Dynamic Link domain enabled, and can leave this field blank. This field contains a specified Dynamic Link domain for projects that have multiple enabled.

return_oob_link

bool

Whether the confirmation link containing the OOB code should be returned in the response (no email is sent). Used when a developer wants to construct the email template and send it on their own. By default this is false; to specify this field, and to set it to true, it requires a Google OAuth 2.0 credential with proper permissions

client_type

ClientType

The client type: web, Android or iOS. Required when reCAPTCHA Enterprise protection is enabled.

recaptcha_version

RecaptchaVersion

The reCAPTCHA version of the reCAPTCHA token in the captcha_response.

link_domain

string

Optional. In order to ensure that the url used can be easily opened in iOS or Android, we create a Hosting link '/__/auth/links'. This optional field contains the domain to use when constructing a Hosting link. If not set, ' .firebaseapp.com' domain will be used.

GetOobCodeResponse

Response message for GetOobCode.

Fields
`kind (deprecated)`	`string` This item is deprecated!
`oob_code`	`string` If return_oob_link is true in the request, the OOB code to send.
`email`	`string` If return_oob_link is false in the request, the email address the verification was sent to.
`oob_link`	`string` If return_oob_link is true in the request, the OOB link to be sent to the user. This returns the constructed link including Firebase Dynamic Link related parameters.

GetProjectConfigRequest

Request message for GetProjectconfig.

Fields
`delegated_project_number`	`int64` Project Number of the delegated project request. This field should only be used as part of the Firebase V1 migration.
`project_number`	`int64` Project number of the configuration to retrieve. This field is deprecated and should not be used by new integrations.
`return_dynamic_link`	`bool` Whether dynamic link should be returned.
`android_package_name`	`string` Android package name to check against the real android package name. If this field is provided, and sha1_cert_hash is not provided, the action will throw an error if this does not match the real android package name.
`ios_bundle_id`	`string` iOS bundle id to check against the real ios bundle id. If this field is provided, the action will throw an error if this does not match the real iOS bundle id.
`client_id`	`string` The RP OAuth client ID. If set, a check will be performed to ensure that the OAuth client is valid for the retrieved project and the request rejected with a client error if not valid.
`sha1_cert`	`string` SHA-1 Android application cert hash. If set, a check will be performed to ensure that the cert hash is valid for the retrieved project and android_package_name.
`firebase_app_id`	`string` The Firebase app ID, for applications that use Firebase. This can be found in the Firebase console for your project. If set, a check will be performed to ensure that the app ID is valid for the retrieved project. If not valid, the request will be rejected with a client error.

GetProjectConfigResponse

Response message for GetProjectConfig.

Fields
`project_id`	`string` The project id of the retrieved configuration.
`api_key`	`string` Google Cloud API key. This field is only returned for authenticated calls from a developer.
`allow_password_user`	`bool` Whether to allow password account sign up. This field is only returned for authenticated calls from a developer.
`idp_config[]`	`IdpConfig` OAuth2 provider config. This field is only returned for authenticated calls from a developer.
`authorized_domains[]`	`string` Authorized domains for widget redirect.
`enable_anonymous_user`	`bool` Whether anonymous user is enabled. This field is only returned for authenticated calls from a developer.
`dynamic_links_domain`	`string` The Firebase Dynamic Links domain used to construct links for redirects to native apps.
`use_email_sending`	`bool` Whether to use email sending. This field is only returned for authenticated calls from a developer.
`reset_password_template`	`EmailTemplate` Email template for reset password. This field is only returned for authenticated calls from a developer.
`verify_email_template`	`EmailTemplate` Email template for verify email. This field is only returned for authenticated calls from a developer.
`change_email_template`	`EmailTemplate` Email template for change email. This field is only returned for authenticated calls from a developer.
`legacy_reset_password_template`	`EmailTemplate` Reset password email template for legacy Firebase V1 app. This field is only returned for authenticated calls from a developer.
`revert_second_factor_addition_template`	`EmailTemplate` Email template for reverting second factor additions. This field is only returned for authenticated calls from a developer.

GetRecaptchaParamResponse

Response message for GetRecaptchaParam.

Fields
`kind (deprecated)`	`string` This item is deprecated!
`recaptcha_stoken (deprecated)`	`string` This item is deprecated!
`recaptcha_site_key`	`string` The reCAPTCHA v2 site key used to invoke the reCAPTCHA service. Always present.
`producer_project_number`	`string` The producer project number used to generate PIA tokens

GetSessionCookiePublicKeysResponse

Response message for GetSessionCookiePublicKeys.

Fields

keys[]

OpenIdConnectKey

Public keys of the session cookie signer, formatted as JSON Web Keys (JWK) .

IdpConfig

Config of an identity provider.

Fields
`provider`	`Provider`
`enabled`	`bool` True if allows the user to sign in with the provider.
`experiment_percent`	`int32` Percent of users who will be prompted/redirected federated login for this IdP
`key`	`string` OAuth2 client ID.
`secret`	`string` OAuth2 client secret.
`whitelisted_audiences[]`	`string` Whitelisted client IDs for audience check.

Provider

Name of the identity provider.

Enums
`PROVIDER_UNSPECIFIED`
`MSLIVE`	Microsoft Live as identity provider.
`GOOGLE`	Google as identity provider.
`FACEBOOK`	Facebook as identity provider.
`PAYPAL`	PayPal as identity provider.
`TWITTER`	Twitter as identity provider.
`YAHOO`	Yahoo as identity provider.
`AOL`	AOL as identity provider.
`GITHUB`	GitHub as identity provider.
`GOOGLE_PLAY_GAMES`	Google Play Games as identity provider.
`LINKEDIN`	LinkedIn as identity provider.
`IOS_GAME_CENTER`	iOS Game Center as identity provider.

IssueSamlResponseRequest

Request message for IssueSamlResponse.

Fields

Fields
`rp_id`	`string` Relying Party identifier, which is the audience of issued SAMLResponse.
`id_token`	`string` The Identity Platform ID token. It will be verified and then converted to a new SAMLResponse.
`saml_app_entity_id`	`string` SAML app entity id specified in Google Admin Console for each app. If developers want to redirect to a third-party app rather than a G Suite app, they'll probably they need this. When it's used, we'll return a RelayState. This includes a SAMLRequest, which can be used to trigger a SP-initiated SAML flow to redirect to the real app.

rp_id

string

Relying Party identifier, which is the audience of issued SAMLResponse.

id_token

string

The Identity Platform ID token. It will be verified and then converted to a new SAMLResponse.

saml_app_entity_id

string

SAML app entity id specified in Google Admin Console for each app. If developers want to redirect to a third-party app rather than a G Suite app, they'll probably they need this. When it's used, we'll return a RelayState. This includes a SAMLRequest, which can be used to trigger a SP-initiated SAML flow to redirect to the real app.

IssueSamlResponseResponse

Response for IssueSamlResponse request.

Fields
`saml_response`	`string` Signed SAMLResponse created for the Relying Party.
`acs_endpoint`	`string` The ACS endpoint which consumes the returned SAMLResponse.
`relay_state`	`string` Generated RelayState.
`email`	`string` Email of the user.
`first_name`	`string` First name of the user.
`last_name`	`string` Last name of the user.
`is_new_user`	`bool` Whether the logged in user was created by this request.

MfaEnrollment

Information on which multi-factor authentication (MFA) providers are enabled for an account.

Fields

mfa_enrollment_id

string

ID of this MFA option.

display_name

string

Display name for this mfa option e.g. "corp cell phone".

enrolled_at

Timestamp

Timestamp when the account enrolled this second factor.

Union field mfa_value . The defining value of the MFA option. mfa_value can be only one of the following:

phone_info

string

Normally this will show the phone number associated with this enrollment. In some situations, such as after a first factor sign in, it will only show the obfuscated version of the associated phone number.

totp_info

TotpInfo

Contains information specific to TOTP MFA.

email_info

EmailInfo

Contains information specific to email MFA.

Union field unobfuscated_mfa_value .

unobfuscated_mfa_value can be only one of the following:

unobfuscated_phone_info

string

Output only. Unobfuscated phone_info.

OobReqType

The requested action type for an OOB code.

Enums
`OOB_REQ_TYPE_UNSPECIFIED`	Oob code type is not specified.
`PASSWORD_RESET`	reset password
`OLD_EMAIL_AGREE`	This item is deprecated!
`NEW_EMAIL_ACCEPT`	This item is deprecated!
`VERIFY_EMAIL`	verify the account's email address by sending an email
`RECOVER_EMAIL`	This item is deprecated!
`EMAIL_SIGNIN`	sign in with email only
`VERIFY_AND_CHANGE_EMAIL`	This flow sends an email to the specified new email, and when applied by clicking the link in the email changes the account's email to the new email. Used when the account must have verified email at all times, such as MFA accounts.
`REVERT_SECOND_FACTOR_ADDITION`	This item is deprecated!

OpenIdConnectKey

Represents a public key of the session cookie signer, formatted as a JSON Web Key (JWK) .

Fields
`type`	`string` Key type.
`algorithm`	`string` Signature algorithm.
`use`	`string` Key use.
`id`	`string` Unique string to identify this key.
`modulus`	`string` Modulus for the RSA public key, it is represented as the base64url encoding of the value's big endian representation.
`exponent`	`string` Exponent for the RSA public key, it is represented as the base64url encoding of the value's big endian representation.

ProviderUserInfo

Information about the user as provided by various Identity Providers.

Fields
`provider_id`	`string` The ID of the Identity Provider.
`display_name`	`string` The user's display name at the Identity Provider.
`photo_url`	`string` The user's profile photo URL at the Identity Provider.
`federated_id`	`string` The user's identifier at the Identity Provider.
`email`	`string` The user's email address at the Identity Provider.
`raw_id`	`string` The user's raw identifier directly returned from Identity Provider.
`screen_name`	`string` The user's screen_name at Twitter or login name at GitHub.
`phone_number`	`string` The user's phone number at the Identity Provider.

QueryUserInfoRequest

Request message for QueryUserInfo.

Fields

return_user_info

bool

If true , this request will return the accounts matching the query. If false , only the countof accounts matching the query will be returned. Defaults to true .

limit

int64

The maximum number of accounts to return with an upper limit of 500. Defaults to 500 . Only valid when return_user_info is set to true .

offset

int64

The number of accounts to skip from the beginning of matching records. Only valid when return_user_info is set to true .

sort_by

SortByField

order

Order

target_project_id

string

The ID of the project to which the result is scoped.

Authorization requires the following IAM permission on the specified resource targetProjectId :

firebaseauth.users.get

tenant_id

string

The ID of the tenant to which the result is scoped.

expression[]

SqlExpression

Order

An order for sorting query result.

Enums
`ORDER_UNSPECIFIED`	Order is not specified.
`ASC`	Sort on ascending order.
`DESC`	Sort on descending order.

SortByField

A field to use for sorting user accounts.

Enums
`SORT_BY_FIELD_UNSPECIFIED`	Sort field is not specified.
`USER_ID`	Sort result by userId.
`NAME`	Sort result by name.
`CREATED_AT`	Sort result by createdAt.
`LAST_LOGIN_AT`	Sort result by lastLoginAt.
`USER_EMAIL`	Sort result by userEmail.

SqlExpression

Query conditions used to filter results.

Fields

Fields
`email`	`string` A case insensitive string that the account's email should match. Only one of `email` , `phone_number` , or `user_id` should be specified in a SqlExpression. If more than one is specified, only the first (in that order) will be applied.
`user_id`	`string` A string that the account's local ID should match. Only one of `email` , `phone_number` , or `user_id` should be specified in a SqlExpression If more than one is specified, only the first (in that order) will be applied.
`phone_number`	`string` A string that the account's phone number should match. Only one of `email` , `phone_number` , or `user_id` should be specified in a SqlExpression. If more than one is specified, only the first (in that order) will be applied.

email

string

A case insensitive string that the account's email should match. Only one of email , phone_number , or user_id should be specified in a SqlExpression. If more than one is specified, only the first (in that order) will be applied.

user_id

string

A string that the account's local ID should match. Only one of email , phone_number , or user_id should be specified in a SqlExpression If more than one is specified, only the first (in that order) will be applied.

phone_number

string

A string that the account's phone number should match. Only one of email , phone_number , or user_id should be specified in a SqlExpression. If more than one is specified, only the first (in that order) will be applied.

QueryUserInfoResponse

Response message for QueryUserInfo.

Fields

Fields
`records_count`	`int64` If `return_user_info` in the request is true, this is the number of returned accounts in this message. Otherwise, this is the total number of accounts matching the query.
`user_info[]`	`UserInfo` If `return_user_info` in the request is true, this is the accounts matching the query.

records_count

int64

If return_user_info in the request is true, this is the number of returned accounts in this message. Otherwise, this is the total number of accounts matching the query.

user_info[]

UserInfo

If return_user_info in the request is true, this is the accounts matching the query.

RecaptchaVersion

The reCAPTCHA version.

Enums
`RECAPTCHA_VERSION_UNSPECIFIED`	The reCAPTCHA version is not specified.
`RECAPTCHA_ENTERPRISE`	The reCAPTCHA enterprise.

ResetPasswordRequest

Request message for ResetPassword.

Fields
`oob_code`	`string` An out-of-band (OOB) code generated by GetOobCode request. Specify only this parameter (or only this parameter and a tenant ID) to get the out-of-band code's type in the response without mutating the account's state. Only a PASSWORD_RESET out-of-band code can be consumed via this method.
`new_password`	`string` The new password to be set for this account. Specifying this field will result in a change to the account and consume the out-of-band code if one was specified and it was of type PASSWORD_RESET.
`old_password`	`string` The current password of the account to be modified. Specify this and email to change an account's password without using an out-of-band code.
`email`	`string` Optional. The email of the account to be modified. Specify this and the old password in order to change an account's password without using an out-of-band code.
`tenant_id`	`string` Optional. The tenant ID of the Identity Platform tenant the account belongs to.

ResetPasswordResponse

Response message for ResetPassword.

Fields
`kind (deprecated)`	`string` This item is deprecated!
`email`	`string` The email associated with the out-of-band code that was used.
`new_email`	`string`
`req_type`	`OobReqType`
`mfa_info`	`MfaEnrollment`

SendVerificationCodeRequest

Request message for SendVerificationCode. 'captcha_response' is required when reCAPTCHA enterprise is enabled, or otherwise at least one of ( ios_receipt and ios_secret ), recaptcha_token , or safety_net_token must be specified to verify the verification code is being sent on behalf of a real app and not an emulator.

Fields
`phone_number`	`string` The phone number to send the verification code to in E.164 format.
`ios_receipt`	`string` Receipt of successful iOS app token validation. At least one of ( `ios_receipt` and `ios_secret` ), `recaptcha_token` , or `safety_net_token` must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captcha_response' is not used (reCAPTCHA enterprise is not enabled). This should come from the response of [verifyIosClient][v1.accounts.verifyIosClient]. If present, the caller should also provide the `ios_secret` , as well as a bundle ID in the `x-ios-bundle-identifier` header, which must match the bundle ID from the [verifyIosClient][v1.accounts.verifyIosClient] request.
`ios_secret`	`string` Secret delivered to iOS app as a push notification. Should be passed with an `ios_receipt` as well as the `x-ios-bundle-identifier` header.
`recaptcha_token`	`string` Recaptcha token for app verification. At least one of ( `ios_receipt` and `ios_secret` ), `recaptcha_token` , or `safety_net_token` must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captcha_response' is not used (reCAPTCHA enterprise is not enabled). The recaptcha should be generated by calling [getRecaptchaParams][v1.getRecaptchaParams] and the recaptcha token will be generated on user completion of the recaptcha challenge.
`tenant_id`	`string` Tenant ID of the Identity Platform tenant the user is signing in to.
`auto_retrieval_info`	`AutoRetrievalInfo` Android only. Used by Google Play Services to identify the app for auto-retrieval.
`safety_net_token`	`string` Android only. Used to assert application identity in place of a recaptcha token. At least one of ( `ios_receipt` and `ios_secret` ), `recaptcha_token` , or `safety_net_token` must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captcha_response' is not used (reCAPTCHA enterprise is not enabled). A SafetyNet Token can be generated via the SafetyNet Android Attestation API , with the Base64 encoding of the `phone_number` field as the nonce.
`play_integrity_token`	`string` Android only. Used to assert application identity in place of a recaptcha token (and safety_net_token). At least one of ( `ios_receipt` and `ios_secret` ), `recaptcha_token` , , or `play_integrity_token` must be specified to verify the verification code is being sent on behalf of a real app and not an emulator, if 'captcha_response' is not used (reCAPTCHA enterprise is not enabled). A Play Integrity Token can be generated via the PlayIntegrity API with applying SHA256 to the `phone_number` field as the nonce.
`captcha_response`	`string` Optional. The reCAPTCHA Enterprise token provided by the reCAPTCHA client-side integration. Required when reCAPTCHA enterprise is enabled.
`client_type`	`ClientType` Optional. The client type, web, android or ios. Required when reCAPTCHA Enterprise is enabled.
`recaptcha_version`	`RecaptchaVersion` Optional. The reCAPTCHA version of the reCAPTCHA token in the captcha_response. Required when reCAPTCHA Enterprise is enabled.

AutoRetrievalInfo

The information required to auto-retrieve an SMS.

Fields

Fields
`app_signature_hash`	`string` The Android app's signature hash for Google Play Service's SMS Retriever API.

app_signature_hash

string

The Android app's signature hash for Google Play Service's SMS Retriever API.

SendVerificationCodeResponse

Response message for SendVerificationCode.

Fields

Fields
`session_info`	`string` Encrypted session information. This can be used in [signInWithPhoneNumber][v1.accounts.signInWithPhoneNumber] to authenticate the phone number.

session_info

string

Encrypted session information. This can be used in [signInWithPhoneNumber][v1.accounts.signInWithPhoneNumber] to authenticate the phone number.

SetAccountInfoRequest

Request message for SetAccountInfo.

Fields

id_token

string

A valid Identity Platform ID token. Required when attempting to change user-related information.

local_id

string

The ID of the user. Specifying this field requires a Google OAuth 2.0 credential with proper permissions . For requests from end-users, an ID token should be passed instead.

display_name

string

The user's new display name to be updated in the account's attributes. The length of the display name must be less than or equal to 256 characters.

email

string

The user's new email to be updated in the account's attributes. The length of email should be less than 256 characters and in the format of name@domain.tld . The email should also match the RFC 822 addr-spec production. If email enumeration protection is enabled, the email cannot be changed by the user without verifying the email first, but it can be changed by an administrator.

password

string

The user's new password to be updated in the account's attributes. The password must be at least 6 characters long.

provider[]

string

The Identity Providers that the account should be associated with.

oob_code

string

The out-of-band code to be applied on the user's account. The following out-of-band code types are supported: * VERIFY_EMAIL * RECOVER_EMAIL * REVERT_SECOND_FACTOR_ADDITION * VERIFY_AND_CHANGE_EMAIL

email_verified

bool

Whether the user's email has been verified. Specifying this field requires a Google OAuth 2.0 credential with proper permissions .

upgrade_to_federated_login

bool

Whether the account should be restricted to only using federated login.

captcha_challenge
 (deprecated)

string

captcha_response

string

The response from reCaptcha challenge. This is required when the system detects possible abuse activities.

valid_since

int64

Specifies the minimum timestamp in seconds for an Identity Platform ID token to be considered valid.

disable_user

bool

If true, marks the account as disabled, meaning the user will no longer be able to sign-in.

instance_id
 (deprecated)

string

delegated_project_number
 (deprecated)

int64

photo_url

string

The user's new photo URL for the account's profile photo to be updated in the account's attributes. The length of the URL must be less than or equal to 2048 characters.

delete_attribute[]

UserAttributeName

return_secure_token

bool

Whether or not to return an ID and refresh token. Should always be true.

delete_provider[]

string

The Identity Providers to unlink from the user's account.

last_login_at

int64

The timestamp in milliseconds when the account last logged in.

created_at

int64

The timestamp in milliseconds when the account was created.

phone_number

string

The phone number to be updated in the account's attributes.

custom_attributes

string

JSON formatted custom attributes to be stored in the Identity Platform ID token. Specifying this field requires a Google OAuth 2.0 credential with proper permissions .

tenant_id

string

The tenant ID of the Identity Platform tenant that the account belongs to. Requests from end users should pass an Identity Platform ID token rather than setting this field.

target_project_id

string

The project ID for the project that the account belongs to. Specifying this field requires Google OAuth 2.0 credential with proper permissions . Requests from end users should pass an Identity Platform ID token instead.

Authorization requires the following IAM permission on the specified resource targetProjectId :

firebaseauth.users.update

mfa

MfaInfo

The multi-factor authentication related information to be set on the user's account. This will overwrite any previous multi-factor related information on the account. Specifying this field requires a Google OAuth 2.0 credential with proper permissions .

link_provider_user_info

ProviderUserInfo

The provider to be linked to the user's account. Specifying this field requires a Google OAuth 2.0 credential with proper permissions .

MfaInfo

Multi-factor authentication related information.

Fields

Fields
`enrollments[]`	`MfaEnrollment` The second factors the user has enrolled.

enrollments[]

MfaEnrollment

The second factors the user has enrolled.

UserAttributeName

The account's attributes that can be deleted.

Enums
`USER_ATTRIBUTE_NAME_UNSPECIFIED`	User attribute name is not specified.
`EMAIL`	User attribute key name is email.
`DISPLAY_NAME`	User attribute key name is displayName.
`PROVIDER`	User attribute key name is provider.
`PHOTO_URL`	User attribute key name is photoURL.
`PASSWORD`	User attribute key name is password.
`RAW_USER_INFO`	User attribute key name is rawUserInfo.

SetAccountInfoResponse

Response message for SetAccountInfo

Fields
`kind (deprecated)`	`string` This item is deprecated!
`local_id`	`string` The ID of the authenticated user.
`email (deprecated)`	`string` This item is deprecated! The account's email address.
`display_name (deprecated)`	`string` This item is deprecated! The account's display name.
`id_token`	`string` An Identity Platform ID token for the account. This is used for legacy user sign up.
`provider_user_info[]`	`ProviderUserInfo` The linked Identity Providers on the account.
`new_email`	`string` The new email that has been set on the user's account attributes.
`photo_url (deprecated)`	`string` This item is deprecated! The user's photo URL for the account's profile photo.
`refresh_token`	`string` A refresh token for the account. This is used for legacy user sign up.
`expires_in`	`int64` The number of seconds until the Identity Platform ID token expires.
`password_hash (deprecated)`	`string` This item is deprecated! Deprecated. No actual password hash is currently returned.
`email_verified`	`bool` Whether the account's email has been verified.

SignInWithCustomTokenRequest

Request message for SignInWithCustomToken.

Fields
`token`	`string` Required. The custom Auth token asserted by the developer. The token should be a JSON Web Token (JWT) that includes the claims listed in the API reference under the "Custom Token Claims" section.
`instance_id (deprecated)`	`string` This item is deprecated!
`return_secure_token`	`bool` Should always be true.
`delegated_project_number (deprecated)`	`int64` This item is deprecated!
`tenant_id`	`string` The ID of the Identity Platform tenant the user is signing in to. If present, the ID should match the tenant_id in the token.

SignInWithCustomTokenResponse

Response message for SignInWithCustomToken.

Fields
`kind (deprecated)`	`string` This item is deprecated!
`id_token`	`string` An Identity Platform ID token for the authenticated user.
`refresh_token`	`string` An Identity Platform refresh token for the authenticated user.
`expires_in`	`int64` The number of seconds until the ID token expires.
`is_new_user`	`bool` Whether the authenticated user was created by this request.

SignInWithEmailLinkRequest

Request message for SignInWithEmailLink

Fields
`oob_code`	`string` Required. The out-of-band code from the email link.
`email`	`string` Required. The email address the sign-in link was sent to. The length of email should be less than 256 characters and in the format of `name@domain.tld` . The email should also match the RFC 822 addr-spec production.
`id_token`	`string` A valid ID token for an Identity Platform account. If passed, this request will link the email address to the user represented by this ID token and enable sign-in with email link on the account for the future.
`tenant_id`	`string` The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.

SignInWithEmailLinkResponse

Response message for SignInWithEmailLink.

Fields
`kind (deprecated)`	`string` This item is deprecated!
`id_token`	`string` An Identity Platform ID token for the authenticated user.
`email`	`string` The email the user signed in with. Always present in the response.
`refresh_token`	`string` Refresh token for the authenticated user.
`expires_in`	`int64` The number of seconds until the ID token expires.
`local_id`	`string` The ID of the authenticated user. Always present in the response.
`is_new_user`	`bool` Whether the authenticated user was created by this request.
`mfa_pending_credential`	`string` An opaque string that functions as proof that the user has successfully passed the first factor check.
`mfa_info[]`	`MfaEnrollment` Info on which multi-factor authentication providers are enabled. Present if the user needs to complete the sign-in using multi-factor authentication.

SignInWithGameCenterRequest

Request message for SignInWithGameCenter

Fields
`player_id`	`string` Required. The user's Game Center player ID. Deprecated by Apple. Pass `playerID` along with `gamePlayerID` and `teamPlayerID` to initiate the migration of a user's Game Center player ID to `gamePlayerID` .
`public_key_url`	`string` Required. The URL to fetch the Apple public key in order to verify the given signature is signed by Apple.
`signature`	`string` Required. The verification signature data generated by Apple.
`salt`	`string` Required. A random string used to generate the given signature.
`timestamp`	`int64` Required. The time when the signature was created by Apple, in milliseconds since the epoch.
`id_token`	`string` A valid ID token for an Identity Platform account. If present, this request will link the Game Center player ID to the account represented by this ID token.
`display_name`	`string` The user's Game Center display name.
`tenant_id`	`string` The ID of the Identity Platform tenant the user is signing in to.
`team_player_id`	`string` The user's Game Center team player ID. A unique identifier for a player of all the games that you distribute using your developer account. https://developer.apple.com/documentation/gamekit/gkplayer/3174857-teamplayerid
`game_player_id`	`string` The user's Game Center game player ID. A unique identifier for a player of the game. https://developer.apple.com/documentation/gamekit/gkplayer/3113960-gameplayerid

SignInWithGameCenterResponse

Response message for SignInWithGameCenter

Fields
`local_id`	`string` The ID of the authenticated user. Always present in the response.
`player_id`	`string` The user's Game Center player ID. Pass `playerID` along with `gamePlayerID` and `teamPlayerID` to initiate the migration of a user's Game Center player ID to `gamePlayerID` .
`id_token`	`string` An Identity Platform ID token for the authenticated user.
`refresh_token`	`string` An Identity Platform refresh token for the authenticated user.
`expires_in`	`int64` The number of seconds until the ID token expires.
`is_new_user`	`bool` Whether the logged in user was created by this request.
`display_name`	`string` Display name of the authenticated user.
`team_player_id`	`string` The user's Game Center team player ID. A unique identifier for a player of all the games that you distribute using your developer account. https://developer.apple.com/documentation/gamekit/gkplayer/3174857-teamplayerid
`game_player_id`	`string` The user's Game Center game player ID. A unique identifier for a player of the game. https://developer.apple.com/documentation/gamekit/gkplayer/3113960-gameplayerid

SignInWithIdpRequest

Request message for SignInWithIdp.

Fields
`request_uri`	`string` Required. The URL to which the IdP redirects the user back. This can be set to `http://localhost` if the user is signing in with a manually provided IdP credential.
`post_body`	`string` If the user is signing in with an authorization response obtained via a previous CreateAuthUri authorization request, this is the body of the HTTP POST callback from the IdP, if present. Otherwise, if the user is signing in with a manually provided IdP credential, this should be a URL-encoded form that contains the credential (e.g. an ID token or access token for OAuth 2.0 IdPs) and the provider ID of the IdP that issued the credential. For example, if the user is signing in to the Google provider using a Google ID token, this should be set to id _ token `=[GOOGLE_ID_TOKEN]&providerId=google.com` , where `[GOOGLE_ID_TOKEN]` should be replaced with the Google ID token. If the user is signing in to the Facebook provider using a Facebook authentication token, this should be set to id _ token `=[FACEBOOK_AUTHENTICATION_TOKEN]&providerId=facebook. com&nonce= [NONCE]` , where `[FACEBOOK_AUTHENTICATION_TOKEN]` should be replaced with the Facebook authentication token. Nonce is required for validating the token. The request will fail if no nonce is provided. If the user is signing in to the Facebook provider using a Facebook access token, this should be set to access _ token `=[FACEBOOK_ACCESS_TOKEN]&providerId=facebook. com` , where `[FACEBOOK_ACCESS_TOKEN]` should be replaced with the Facebook access token. If the user is signing in to the Twitter provider using a Twitter OAuth 1.0 credential, this should be set to access _ token `=[TWITTER_ACCESS_TOKEN]&oauth_token_secret= [TWITTER_TOKEN_SECRET]&providerId=twitter.com` , where `[TWITTER_ACCESS_TOKEN]` and `[TWITTER_TOKEN_SECRET]` should be replaced with the Twitter OAuth access token and Twitter OAuth token secret respectively.
`pending_id_token (deprecated)`	`string` This item is deprecated!
`return_refresh_token`	`bool` Whether or not to return the OAuth refresh token from the IdP, if available.
`session_id`	`string` The session ID returned from a previous CreateAuthUri call. This field is verified against that session ID to prevent session fixation attacks. Required if the user is signing in with an authorization response from a previous CreateAuthUri authorization request.
`delegated_project_number (deprecated)`	`int64` This item is deprecated!
`id_token`	`string` A valid Identity Platform ID token. If passed, the user's account at the IdP will be linked to the account represented by this ID token.
`return_secure_token`	`bool` Should always be true.
`return_idp_credential`	`bool` Whether or not to return OAuth credentials from the IdP on the following errors: `FEDERATED_USER_ID_ALREADY_LINKED` and `EMAIL_EXISTS` .
`auto_create (deprecated)`	`bool` This item is deprecated!
`tenant_id`	`string` The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.
`pending_token`	`string` An opaque string from a previous SignInWithIdp response. If set, it can be used to repeat the sign-in operation from the previous SignInWithIdp operation. This may be present if the user needs to confirm their account information as part of a previous federated login attempt, or perform account linking.

SignInWithIdpResponse

Response message for SignInWithIdp.

Fields
`federated_id`	`string` The user's account ID at the IdP. Always present in the response.
`provider_id`	`string` The provider ID of the IdP that the user is signing in to. Always present in the response.
`email`	`string` The email address of the user's account at the IdP.
`email_verified`	`bool` Whether the user account's email address is verified.
`first_name`	`string` The first name for the user's account at the IdP.
`full_name`	`string` The full name for the user's account at the IdP.
`last_name`	`string` The last name for the user's account at the IdP.
`nick_name`	`string` The nickname for the user's account at the IdP.
`language`	`string` The language preference for the user's account at the IdP.
`time_zone`	`string` The time zone for the user's account at the IdP.
`photo_url`	`string` The URL of the user's profile picture at the IdP.
`date_of_birth`	`string` The date of birth for the user's account at the IdP.
`input_email (deprecated)`	`string` This item is deprecated!
`original_email`	`string` The main (top-level) email address of the user's Identity Platform account, if different from the email address at the IdP. Only present if the "One account per email address" setting is enabled.
`local_id`	`string` The ID of the authenticated Identity Platform user. Always present in the response.
`email_recycled`	`bool` Whether or not there is an existing Identity Platform user account with the same email address but linked to a different account at the same IdP. Only present if the "One account per email address" setting is enabled and the email address at the IdP is verified.
`display_name`	`string` The display name for the user's account at the IdP.
`id_token`	`string` An Identity Platform ID token for the authenticated user.
`context`	`string` The opaque string set in CreateAuthUri that is used to maintain contextual information between the authentication request and the callback from the IdP.
`verified_provider[]`	`string` A list of provider IDs that the user can sign in to in order to resolve a `need_confirmation` error. Only present if `need_confirmation` is set to `true` .
`need_confirmation`	`bool` Whether or not there is an existing Identity Platform user account with the same email address as the current account signed in at the IdP, and the account's email address is not verified at the IdP. The user will need to sign in to the existing Identity Platform account and then link the current credential from the IdP to it. Only present if the "One account per email address" setting is enabled.
`oauth_access_token`	`string` The OAuth access token from the IdP, if available.
`oauth_refresh_token`	`string` The OAuth 2.0 refresh token from the IdP, if available and `return_refresh_token` is set to `true` .
`oauth_expire_in`	`int32` The number of seconds until the OAuth access token from the IdP expires.
`oauth_authorization_code`	`string` The OAuth 2.0 authorization code, if available. Only present for the Google provider.
`need_email (deprecated)`	`bool` This item is deprecated!
`oauth_token_secret`	`string` The OAuth 1.0 token secret from the IdP, if available. Only present for the Twitter provider.
`refresh_token`	`string` An Identity Platform refresh token for the authenticated user.
`expires_in`	`int64` The number of seconds until the Identity Platform ID token expires.
`oauth_id_token`	`string` The OpenID Connect ID token from the IdP, if available.
`screen_name`	`string` The screen name for the user's account at the Twitter IdP or the login name for the user's account at the GitHub IdP.
`raw_user_info`	`string` The stringified JSON response containing all the data corresponding to the user's account at the IdP.
`error_message`	`string` The error message returned if `return_idp_credential` is set to `true` and either the `FEDERATED_USER_ID_ALREADY_LINKED` or `EMAIL_EXISTS` error is encountered. This field's value is either `FEDERATED_USER_ID_ALREADY_LINKED` or `EMAIL_EXISTS` .
`is_new_user`	`bool` Whether or not a new Identity Platform account was created for the authenticated user.
`kind (deprecated)`	`string` This item is deprecated!
`pending_token`	`string` An opaque string that can be used as a credential from the IdP the user is signing into. The pending token obtained here can be set in a future SignInWithIdp request to sign the same user in with the IdP again.
`tenant_id`	`string` The value of the `tenant_id` field in the request.
`mfa_pending_credential`	`string` An opaque string that functions as proof that the user has successfully passed the first factor authentication.
`mfa_info[]`	`MfaEnrollment` Info on which multi-factor authentication providers are enabled for the account. Present if the user needs to complete the sign-in using multi-factor authentication.

SignInWithPasswordRequest

Request message for SignInWithPassword.

Fields
`email`	`string` Required. The email the user is signing in with. The length of email should be less than 256 characters and in the format of `name@domain.tld` . The email should also match the RFC 822 addr-spec production.
`password`	`string` Required. The password the user provides to sign in to the account.
`pending_id_token (deprecated)`	`string` This item is deprecated!
`captcha_challenge (deprecated)`	`string` This item is deprecated!
`captcha_response`	`string` The reCAPTCHA token provided by the reCAPTCHA client-side integration. reCAPTCHA Enterprise uses it for risk assessment. Required when reCAPTCHA Enterprise is enabled.
`instance_id (deprecated)`	`string` This item is deprecated!
`delegated_project_number (deprecated)`	`int64` This item is deprecated!
`id_token (deprecated)`	`string` This item is deprecated!
`return_secure_token`	`bool` Should always be true.
`tenant_id`	`string` The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform instance in the project.
`client_type`	`ClientType` The client type, web, android or ios. Required when reCAPTCHA Enterprise is enabled.
`recaptcha_version`	`RecaptchaVersion` The reCAPTCHA version of the reCAPTCHA token in the captcha_response.

SignInWithPasswordResponse

Response message for SignInWithPassword.

Fields
`kind (deprecated)`	`string` This item is deprecated!
`local_id`	`string` The ID of the authenticated user. Always present in the response.
`email`	`string` The email of the authenticated user. Always present in the response.
`display_name`	`string` The user's display name stored in the account's attributes.
`id_token`	`string` An Identity Platform ID token for the authenticated user.
`registered (deprecated)`	`bool` This item is deprecated! Whether the email is for an existing account. Always true.
`profile_picture`	`string` The user's profile picture stored in the account's attributes.
`oauth_access_token (deprecated)`	`string` This item is deprecated! The OAuth2 access token.
`oauth_expire_in (deprecated)`	`int32` This item is deprecated! The access token expiration time in seconds.
`oauth_authorization_code (deprecated)`	`string` This item is deprecated!
`refresh_token`	`string` An Identity Platform refresh token for the authenticated user.
`expires_in`	`int64` The number of seconds until the Identity Platform ID token expires.
`mfa_pending_credential`	`string` An opaque string that functions as proof that the user has successfully passed the first factor authentication.
`mfa_info[]`	`MfaEnrollment` Info on which multi-factor authentication providers are enabled for the account. Present if the user needs to complete the sign-in using multi-factor authentication.
`user_notifications[]`	`UserNotification` Warning notifications for the user.

SignInWithPhoneNumberRequest

Request message for SignInWithPhoneNumber.

Fields
`session_info`	`string` Encrypted session information from the response of [sendVerificationCode][v1.accounts.sendVerificationCode]. In the case of authenticating with an SMS code this must be specified, but in the case of using a temporary proof it can be unspecified.
`phone_number`	`string` The user's phone number to sign in with. This is necessary in the case of uing a temporary proof, in which case it must match the phone number that was authenticated in the request that generated the temporary proof. This field is ignored if a session info is passed.
`code`	`string` User-entered verification code from an SMS sent to the user's phone.
`temporary_proof`	`string` A proof of the phone number verification, provided from a previous [signInWithPhoneNumber][v1.accounts.signInWithPhoneNumber] request. If this is passed, the caller must also pass in the phone_number field the phone number that was verified in the previous request.
`verification_proof`	`string` Do not use.
`id_token`	`string` A valid ID token for an Identity Platform account. If passed, this request will link the phone number to the user represented by this ID token if the phone number is not in use, or will reauthenticate the user if the phone number is already linked to the user.
`operation (deprecated)`	`VerifyOp` This item is deprecated!
`tenant_id`	`string` The ID of the Identity Platform tenant the user is signing in to. If not set, the user will sign in to the default Identity Platform project.

VerifyOp

Intended operation.

Enums
`VERIFY_OP_UNSPECIFIED`	Operation is not specified.
`SIGN_UP_OR_IN`	Verify operation is to sign up/sign in.
`REAUTH`	Verify operation is to reauth.
`UPDATE`	Verify operation is to update.
`LINK`	Verify operation is to link.

SignInWithPhoneNumberResponse

Response message for SignInWithPhoneNumber.

Fields
`id_token`	`string` Identity Platform ID token for the authenticated user.
`refresh_token`	`string` Refresh token for the authenticated user.
`expires_in`	`int64` The number of seconds until the ID token expires.
`local_id`	`string` The id of the authenticated user. Present in the case of a successful authentication. In the case when the phone could be verified but the account operation could not be performed, a temporary proof will be returned instead.
`is_new_user`	`bool` Whether the authenticated user was created by this request.
`temporary_proof`	`string` A proof of the phone number verification, provided if a phone authentication is successful but the user operation fails. This happens when the request tries to link a phone number to a user with an ID token or reauthenticate with an ID token but the phone number is linked to a different user.
`verification_proof`	`string` Do not use.
`verification_proof_expires_in`	`int64` Do not use.
`phone_number`	`string` Phone number of the authenticated user. Always present in the response.
`temporary_proof_expires_in`	`int64` The number of seconds until the temporary proof expires.

SignUpRequest

Request message for SignUp.

Fields
`email`	`string` The email to assign to the created user. The length of the email should be less than 256 characters and in the format of `name@domain.tld` . The email should also match the RFC 822 addr-spec production. An anonymous user will be created if not provided.
`password`	`string` The password to assign to the created user. The password must be be at least 6 characters long. If set, the `email` field must also be set.
`display_name`	`string` The display name of the user to be created.
`captcha_challenge (deprecated)`	`string` This item is deprecated!
`captcha_response`	`string` The reCAPTCHA token provided by the reCAPTCHA client-side integration. reCAPTCHA Enterprise uses it for assessment. Required when reCAPTCHA enterprise is enabled.
`instance_id (deprecated)`	`string` This item is deprecated!
`id_token`	`string` A valid ID token for an Identity Platform user. If set, this request will link the authentication credential to the user represented by this ID token. For a non-admin request, both the `email` and `password` fields must be set. For an admin request, `local_id` must not be set.
`email_verified`	`bool` Whether the user's email is verified. Specifying this field requires a Google OAuth 2.0 credential with the proper permissions .
`photo_url`	`string` The profile photo url of the user to create.
`disabled`	`bool` Whether the user will be disabled upon creation. Disabled accounts are inaccessible except for requests bearing a Google OAuth2 credential with proper permissions .
`local_id`	`string` The ID of the user to create. The ID must be unique within the project that the user is being created under. Specifying this field requires a Google OAuth 2.0 credential with the proper permissions .
`phone_number`	`string` The phone number of the user to create. Specifying this field requires a Google OAuth 2.0 credential with the proper permissions .
`tenant_id`	`string` The ID of the Identity Platform tenant to create a user under. If not set, the user will be created under the default Identity Platform project.
`target_project_id`	`string` The project ID of the project which the user should belong to. Specifying this field requires a Google OAuth 2.0 credential with the proper permissions . If this is not set, the target project is inferred from the scope associated to the Bearer access token.
`mfa_info[]`	`MfaFactor` The multi-factor authentication providers for the user to create.
`client_type`	`ClientType` The client type: web, Android or iOS. Required when enabling reCAPTCHA enterprise protection.
`recaptcha_version`	`RecaptchaVersion` The reCAPTCHA version of the reCAPTCHA token in the captcha_response.

MfaFactor

Fields

display_name

string

Display name for this mfa option e.g. "corp cell phone".

Union field mfa_value .

mfa_value can be only one of the following:

phone_info

string

Phone number to receive OTP for MFA.

SignUpResponse

Response message for SignUp.

Fields
`kind`	`string`
`id_token`	`string` An Identity Platform ID token for the created user. This field is only set for non-admin requests.
`display_name`	`string` The created user's display name.
`email`	`string` The created user's email.
`refresh_token`	`string` An Identity Platform refresh token for the created user. This field is only set for non-admin requests.
`expires_in`	`int64` The number of seconds until the ID token expires.
`local_id`	`string` The ID of the created user. Always present in the response.

TotpInfo

This type has no fields.

Information about TOTP MFA.

UploadAccountRequest

Request message for UploadAccount.

Fields

hash_algorithm

string

Required. The hashing function used to hash the account passwords. Must be one of the following: * HMAC_SHA256 * HMAC_SHA1 * HMAC_MD5 * SCRYPT * PBKDF_SHA1 * MD5 * HMAC_SHA512 * SHA1 * BCRYPT * PBKDF2_SHA256 * SHA256 * SHA512 * STANDARD_SCRYPT * ARGON2

signer_key

bytes

The signer key used to hash the password. Required for the following hashing functions: * SCRYPT, * HMAC_MD5, * HMAC_SHA1, * HMAC_SHA256, * HMAC_SHA512

salt_separator

bytes

One or more bytes to be inserted between the salt and plain text password. For stronger security, this should be a single non-printable character.

rounds

int32

The number of rounds used for hash calculation. Only required for the following hashing functions: * MD5 * SHA1 * SHA256 * SHA512 * PBKDF_SHA1 * PBKDF2_SHA256 * SCRYPT

memory_cost

int32

Memory cost for hash calculation. Only required when the hashing function is SCRYPT.

users[]

UserInfo

A list of accounts to upload. local_id is required for each user; everything else is optional.

delegated_project_number
 (deprecated)

int64

sanity_check

bool

If true, the service will do the following list of checks before an account is uploaded: * Duplicate emails * Duplicate federated IDs * Federated ID provider validation If the duplication exists within the list of accounts to be uploaded, it will prevent the entire list from being uploaded. If the email or federated ID is a duplicate of a user already within the project/tenant, the account will not be uploaded, but the rest of the accounts will be unaffected. If false, these checks will be skipped.

target_project_id

string

The Project ID of the Identity Platform project which the account belongs to.

Authorization requires the following IAM permission on the specified resource targetProjectId :

firebaseauth.users.create

allow_overwrite

bool

Whether to overwrite an existing account in Identity Platform with a matching local_id in the request. If true, the existing account will be overwritten. If false, an error will be returned.

cpu_mem_cost

int32

The CPU memory cost parameter to be used by the STANDARD_SCRYPT hashing function. This parameter, along with block_size and cpu_mem_cost help tune the resources needed to hash a password, and should be tuned as processor speeds and memory technologies advance.

parallelization

int32

The parallelization cost parameter to be used by the STANDARD_SCRYPT hashing function. This parameter, along with block_size and cpu_mem_cost help tune the resources needed to hash a password, and should be tuned as processor speeds and memory technologies advance.

block_size

int32

The block size parameter used by the STANDARD_SCRYPT hashing function. This parameter, along with parallelization and cpu_mem_cost help tune the resources needed to hash a password, and should be tuned as processor speeds and memory technologies advance.

dk_len

int32

The desired key length for the STANDARD_SCRYPT hashing function. Must be at least 1.

password_hash_order

PasswordHashOrder

tenant_id

string

The ID of the Identity Platform tenant the account belongs to.

argon2_parameters

Argon2Parameters

The parameters for Argon2 hashing algorithm.

PasswordHashOrder

When hashing passwords, whether the password should come before the salt or afterwards.

Enums
`UNSPECIFIED_ORDER`	The order is not specified.
`SALT_AND_PASSWORD`	The order is salt first, and then password.
`PASSWORD_AND_SALT`	The order is password first, and then salt.

UploadAccountResponse

Response message for UploadAccount.

Fields

kind
 (deprecated)

string

error[]

ErrorInfo

Detailed error info for accounts that cannot be uploaded.

UserInfo

An Identity Platform account's information.

Fields
`local_id`	`string` Immutable. The unique ID of the account.
`email`	`string` The account's email address. The length of the email should be less than 256 characters and in the format of `name@domain.tld` . The email should also match the RFC 822 addr-spec.
`display_name`	`string` The display name of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
`language`	`string` Output only. The language preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
`photo_url`	`string` The URL of the account's profile photo. This account attribute is not used by Identity Platform. It is available for informational purposes only.
`time_zone`	`string` Output only. The time zone preference of the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
`date_of_birth`	`string` Output only. The date of birth set for the account. This account attribute is not used by Identity Platform. It is available for informational purposes only.
`password`	`bytes` The account's hashed password. Only accessible by requests bearing a Google OAuth2 credential with proper permissions .
`salt`	`bytes` The account's password salt. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
`version`	`int32` The version of the account's password. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.
`email_verified`	`bool` Whether the account's email address has been verified.
`password_updated_at`	`double` The timestamp, in milliseconds from the epoch of 1970-01-01T00:00:00Z, when the account's password was last updated.
`provider_user_info[]`	`ProviderUserInfo` Information about the user as provided by various Identity Providers.
`valid_since`	`int64` Oldest timestamp, in seconds since epoch, that an ID token should be considered valid. All ID tokens issued before this time are considered invalid.
`disabled`	`bool` Whether the account is disabled. Disabled accounts are inaccessible except for requests bearing a Google OAuth2 credential with proper permissions.
`last_login_at`	`int64` The last time, in milliseconds from epoch, this account was logged into.
`created_at`	`int64` The time, in milliseconds from epoch, when the account was created.
`screen_name`	`string` Output only. This account's screen name at Twitter or login name at GitHub.
`custom_auth`	`bool` Output only. Whether this account has been authenticated using SignInWithCustomToken.
`raw_password`	`string` Input only. Plain text password used to update a account's password. This field is only ever used as input in a request. Identity Platform uses cryptographically secure hashing when managing passwords and will never store or transmit a user's password in plain text.
`phone_number`	`string` The account's phone number.
`custom_attributes`	`string` Custom claims to be added to any ID tokens minted for the account. Should be at most 1,000 characters in length and in valid JSON format.
`email_link_signin`	`bool` Output only. Whether the account can authenticate with email link.
`tenant_id`	`string` ID of the tenant this account belongs to. Only set if this account belongs to a tenant.
`mfa_info[]`	`MfaEnrollment` Information on which multi-factor authentication providers are enabled for this account.
`initial_email`	`string` The first email address associated with this account. The account's initial email cannot be changed once set and is used to recover access to this account if lost via the RECOVER_EMAIL flow in GetOobCode. Should match the RFC 822 addr-spec.
`last_refresh_at`	`Timestamp` Timestamp when an ID token was last minted for this account.

UserNotification

Warning notifications for the user.

Fields

notification_code

NotificationCode

Warning notification enum. Can be used for localization.

notification_message

string

Warning notification string. Can be used as fallback.

NotificationCode

Warning notification enum. Can be used for localization.

Enums
`NOTIFICATION_CODE_UNSPECIFIED`	No notification specified.
`MISSING_LOWERCASE_CHARACTER`	Password missing lowercase character.
`MISSING_UPPERCASE_CHARACTER`	Password missing uppercase character.
`MISSING_NUMERIC_CHARACTER`	Password missing numeric character.
`MISSING_NON_ALPHANUMERIC_CHARACTER`	Password missing non alphanumeric character.
`MINIMUM_PASSWORD_LENGTH`	Password less than minimum required length.
`MAXIMUM_PASSWORD_LENGTH`	Password greater than maximum required length.

VerifyIosClientRequest

Request message for VerifyIosClient

Fields

app_token

string

A device token that the iOS client gets after registering to APNs (Apple Push Notification service).

is_sandbox

bool

Whether the app token is in the iOS sandbox. If false, the app token is in the production environment.

VerifyIosClientResponse

Response message for VerifyIosClient.

Fields

receipt

string

Receipt of successful app token validation.

suggested_timeout

int64

Suggested time that the client should wait in seconds for delivery of the push notification.

Package google.cloud.identitytoolkit.v1 Stay organized with collections Save and categorize content based on your preferences.

Index

AccountManagementService

AuthenticationService

ProjectConfigService

SessionManagementService

Argon2Parameters

HashType

Version

BatchDeleteAccountsRequest

BatchDeleteAccountsResponse

BatchDeleteErrorInfo

ClientType

CreateAuthUriRequest

CreateAuthUriResponse

CreateSessionCookieRequest

CreateSessionCookieResponse

DeleteAccountRequest

DeleteAccountResponse

DownloadAccountRequest

DownloadAccountResponse

EmailInfo

EmailTemplate

EmailBodyFormat

ErrorInfo

GetAccountInfoRequest

FederatedUserIdentifier

GetAccountInfoResponse

GetOobCodeRequest

GetOobCodeResponse

GetProjectConfigRequest

GetProjectConfigResponse

GetRecaptchaParamResponse

GetSessionCookiePublicKeysResponse

IdpConfig

Provider

IssueSamlResponseRequest

IssueSamlResponseResponse

MfaEnrollment

OobReqType

OpenIdConnectKey

ProviderUserInfo

QueryUserInfoRequest

Order

SortByField

SqlExpression

QueryUserInfoResponse

RecaptchaVersion

ResetPasswordRequest

ResetPasswordResponse

SendVerificationCodeRequest

AutoRetrievalInfo

SendVerificationCodeResponse

SetAccountInfoRequest

MfaInfo

UserAttributeName

SetAccountInfoResponse

SignInWithCustomTokenRequest

SignInWithCustomTokenResponse

SignInWithEmailLinkRequest

SignInWithEmailLinkResponse

SignInWithGameCenterRequest

SignInWithGameCenterResponse

SignInWithIdpRequest

SignInWithIdpResponse

SignInWithPasswordRequest

SignInWithPasswordResponse

SignInWithPhoneNumberRequest

VerifyOp

SignInWithPhoneNumberResponse

SignUpRequest

MfaFactor

SignUpResponse

TotpInfo

UploadAccountRequest

PasswordHashOrder

UploadAccountResponse

UserInfo

UserNotification

NotificationCode

Package google.cloud.identitytoolkit.v1