ReplaceYOUR_SERVICE_ACCOUNT_EMAILwith your
service account email.
ReplaceYOUR_AUDIENCEwith the value in theaudfield sent by the calling service.
In your API implementation code, importUsers:
importcom.google.api.server.spi.auth.common.User;
In each API method where you want to check for proper authentication,
check for a validUserand throw an exception if there isn't one, as
shown in this sample method definition:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide requires you to have already created a Google Cloud project and added API management to it.\u003c/p\u003e\n"],["\u003cp\u003eAuthentication with a service account requires specific parameters in your \u003ccode\u003e@Api\u003c/code\u003e annotation, including \u003ccode\u003eauthenticators\u003c/code\u003e, \u003ccode\u003eissuers\u003c/code\u003e, and \u003ccode\u003eissuerAudiences\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eEach API method can be configured to check for a valid \u003ccode\u003eUser\u003c/code\u003e, throwing an exception if the user is invalid for authentication.\u003c/p\u003e\n"],["\u003cp\u003eThe API must be redeployed after you set up authentication for it to take effect, and anytime you add new clients.\u003c/p\u003e\n"]]],[],null,["# Authenticating with a service account\n\nPrerequisites\n-------------\n\nThis page assumes that you have already:\n\n- [Created a Google Cloud project](/resource-manager/docs/creating-managing-projects).\n\n- [Added API management](/endpoints/docs/frameworks/java/adding-api-management).\n\nConfiguring authentication\n--------------------------\n\nTo authenticate with a service account:\n\n1. Add the following to your\n [`@Api`](/endpoints/docs/frameworks/java/annotations#api_api-scoped_annotations)\n or method annotation:\n\n - Add an `authenticators` parameter to your annotation, set to the value `{EspAuthenticator.class}`.\n - Add an `issuers` parameter containing an `@ApiIssuer`.\n - Add an `issuerAudiences` parameter containing an `@ApiIssuerAudience` set to the service account issuer and your audience.\n\n For example: \n\n ```\n @Api(\n name = \"echo\",\n version = \"v1\",\n authenticators = {EspAuthenticator.class},\n issuers = {\n @ApiIssuer(\n name = \"serviceAccount\",\n issuer = \"YOUR_SERVICE_ACCOUNT_EMAIL\",\n jwksUri = \"https://www.googleapis.com/robot/v1/metadata/x509/YOUR_SERVICE_ACCOUNT_EMAIL\")\n },\n issuerAudiences = {\n @ApiIssuerAudience(name = \"serviceAccount\", audiences = \"YOUR_AUDIENCE\")\n })\n ```\n - Replace \u003cvar translate=\"no\"\u003eecho\u003c/var\u003e with the name of your API.\n - Replace \u003cvar translate=\"no\"\u003ev1\u003c/var\u003e with your API version.\n - Replace \u003cvar translate=\"no\"\u003eYOUR_SERVICE_ACCOUNT_EMAIL\u003c/var\u003e with your service account email.\n - Replace \u003cvar translate=\"no\"\u003eYOUR_AUDIENCE\u003c/var\u003e with the value in the `aud` field sent by the calling service.\n2. In your API implementation code, import `Users`:\n\n import com.google.api.server.spi.auth.common.User;\n\n3. In each API method where you want to check for proper authentication,\n check for a valid `User` and throw an exception if there isn't one, as\n shown in this sample method definition:\n\n @ApiMethod(httpMethod = ApiMethod.HttpMethod.GET)\n public Email getUserEmail(User user) throws UnauthorizedException {\n if (user == null) {\n throw new UnauthorizedException(\"Invalid credentials\");\n }\n\n Email response = new Email();\n response.setEmail(user.getEmail());\n return response;\n }\n\n4. [Deploy the API](/endpoints/docs/frameworks/java/test-deploy). You need to\n redeploy the API whenever you add new clients."]]
