ReplaceYOUR_SERVICE_ACCOUNT_EMAILwith your
service account email.
ReplaceYOUR_AUDIENCEwith the value in theaudfield sent by the calling service.
In each API method where you want to check for proper authentication,
check for a validUserand raise error401if there isn't one, as
shown in this sample method definition:
user=endpoints.get_current_user()# If there's no user defined, the request was unauthenticated, so we# raise 401 Unauthorized.
Deploy the API. You need to
redeploy the API whenever you add new clients.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide details how to configure authentication for an API using a service account within a Google Cloud project.\u003c/p\u003e\n"],["\u003cp\u003eAuthentication setup requires importing the App Engine Endpoints API and adding an issuer object to the API decorator, including details of the service account.\u003c/p\u003e\n"],["\u003cp\u003eEach API method should check for a valid user, raising a 401 error if no user is found, to ensure proper authentication.\u003c/p\u003e\n"],["\u003cp\u003eYou must redeploy the API after you configure the initial setup, and also after adding new clients to the API.\u003c/p\u003e\n"]]],[],null,["# Authenticating with a service account\n\nPrerequisites\n-------------\n\nThis page assumes that you have already:\n\n- [Created a Google Cloud project](/resource-manager/docs/creating-managing-projects).\n\n- [Added API management](/endpoints/docs/frameworks/java/adding-api-management).\n\nConfiguring authentication\n--------------------------\n\nTo authenticate with a service account:\n\n1. Import the App Engine Endpoints API in your API class:\n\n import endpoints\n\n2. Add an issuer object for the service account to the\n [API decorator](/endpoints/docs/frameworks/python/decorators-reference#defining_the_api_endpointsapi).\n For example:\n\n ```\n @endpoints.api(\n name='echo',\n version='v1',\n issuers={'serviceAccount': endpoints.Issuer(\n 'YOUR_SERVICE_ACCOUNT_EMAIL',\n 'https://www.googleapis.com/robot/v1/metadata/x509/YOUR_SERVICE_ACCOUNT_EMAIL')},\n audiences={'serviceAccount': ['YOUR_AUDIENCE']})\n ```\n - Replace \u003cvar translate=\"no\"\u003eecho\u003c/var\u003e with the name of your API.\n - Replace \u003cvar translate=\"no\"\u003ev1\u003c/var\u003e with your API version.\n - Replace \u003cvar translate=\"no\"\u003eYOUR_SERVICE_ACCOUNT_EMAIL\u003c/var\u003e with your service account email.\n - Replace \u003cvar translate=\"no\"\u003eYOUR_AUDIENCE\u003c/var\u003e with the value in the `aud` field sent by the calling service.\n3. In each API method where you want to check for proper authentication,\n check for a valid `User` and raise error `401`if there isn't one, as\n shown in this sample method definition:\n\n user = endpoints.get_current_user()\n # If there's no user defined, the request was unauthenticated, so we\n # raise 401 Unauthorized.\n\n4. [Deploy the API](/endpoints/docs/frameworks/python/test-deploy). You need to\n redeploy the API whenever you add new clients."]]
