It's initialized using the json key file that's downloadable from developer
console, which should contain a private_key and client_email fields that it
uses.
Use it with AuthTokenMiddleware to authorize http requests:
use Google\Auth\Credentials\ServiceAccountCredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
$sa = new ServiceAccountCredentials(
'https://www.googleapis.com/auth/taskqueue',
'/path/to/your/json/key_file.json'
);
$middleware = new AuthTokenMiddleware($sa);
$stack = HandlerStack::create();
$stack->push($middleware);
the scope of the access request, expressed
either as an Array or as a space-delimited String.
jsonKey
string|array
JSON credential file path or JSON credentials
as an associative array
sub
string
an email address account to impersonate, in situations when
the service account has been delegated domain wide access.
targetAudience
string
The audience for the ID token.
useJwtAccessWithScope
When called, the ServiceAccountCredentials will use an instance of
ServiceAccountJwtAccessCredentials to fetch (self-sign) an access token
even when only scopes are supplied. Otherwise,
ServiceAccountJwtAccessCredentials is only called when no scopes and an
authUrl (audience) is suppled.
Returns
Type
Description
void
fetchAuthToken
Fetches the auth tokens based on the current state.
Parameters
Name
Description
httpHandler
callable|null
headers
array
[optional] Headers to be inserted
into the token endpoint request present.
Returns
Type
Description
array
{
A set of auth related metadata, containing the following
@type string $access_token
@type int $expires_in
@type string $token_type
}
getCacheKey
Return the Cache Key for the credentials.
For the cache key format is one of the following:
ClientEmail.Scope[.Sub]
ClientEmail.Audience[.Sub]
Returns
Type
Description
string
getLastReceivedToken
Returns an associative array with the token and
expiration time.
Returns
Type
Description
array
getProjectId
Get the project ID from the service account keyfile.
Returns null if the project ID does not exist in the keyfile.
Parameter
Name
Description
httpHandler
callable|null
Not used by this credentials type.
Returns
Type
Description
string|null
updateMetadata
Updates metadata with the authorization token.
Parameters
Name
Description
metadata
array
metadata hashmap
authUri
string
optional auth uri
httpHandler
callable|null
callback which delivers psr7 request
Returns
Type
Description
array
updated metadata hashmap
setSub
Parameter
Name
Description
sub
string
an email address account to impersonate, in situations when
the service account has been delegated domain wide access.
Returns
Type
Description
void
getClientName
Get the client name from the keyfile.
In this case, it returns the keyfile's client_email key.
Parameter
Name
Description
httpHandler
callable|null
Not used by this credentials type.
Returns
Type
Description
string
getPrivateKey
Get the private key from the keyfile.
In this case, it returns the keyfile's private_key key, needed for JWT signing.
Returns
Type
Description
string
getQuotaProject
Get the quota project used for this API request
Returns
Type
Description
string|null
getUniverseDomain
Get the universe domain configured in the JSON credential.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Google Auth Library Client - Class ServiceAccountCredentials (1.47.1)\n\nVersion latestkeyboard_arrow_down\n\n- [1.47.1 (latest)](/php/docs/reference/auth/latest/Credentials.ServiceAccountCredentials)\n- [1.47.0](/php/docs/reference/auth/1.47.0/Credentials.ServiceAccountCredentials)\n- [1.46.0](/php/docs/reference/auth/1.46.0/Credentials.ServiceAccountCredentials)\n- [1.45.2](/php/docs/reference/auth/1.45.2/Credentials.ServiceAccountCredentials) \nReference documentation and code samples for the Google Auth Library Client class ServiceAccountCredentials.\n\nServiceAccountCredentials supports authorization using a Google service\naccount.\n\n(cf \u003chttps://developers.google.com/accounts/docs/OAuth2ServiceAccount\u003e)\n\nIt's initialized using the json key file that's downloadable from developer\nconsole, which should contain a private_key and client_email fields that it\nuses.\n\nUse it with AuthTokenMiddleware to authorize http requests:\n\nuse Google\\\\Auth\\\\Credentials\\\\ServiceAccountCredentials;\nuse Google\\\\Auth\\\\Middleware\\\\AuthTokenMiddleware;\nuse GuzzleHttp\\\\Client;\nuse GuzzleHttp\\\\HandlerStack;\n\n$sa = new ServiceAccountCredentials(\n'\u003chttps://www.googleapis.com/auth/taskqueue\u003e',\n'/path/to/your/json/key_file.json'\n);\n$middleware = new AuthTokenMiddleware($sa);\n$stack = HandlerStack::create();\n$stack-\\\u003epush($middleware);\n\n$client = new Client(\\[\n'handler' =\\\u003e $stack,\n'base_uri' =\\\u003e '\u003chttps://www.googleapis.com/taskqueue/v1beta2/projects/\u003e',\n'auth' =\\\u003e 'google_auth' // authorize all requests\n\\]);\n\n$res = $client-\\\u003eget('myproject/taskqueues/myqueue');\n\nNamespace\n---------\n\nGoogle \\\\ Auth \\\\ Credentials\n\nMethods\n-------\n\n### __construct\n\nCreate a new ServiceAccountCredentials.\n\n### useJwtAccessWithScope\n\nWhen called, the ServiceAccountCredentials will use an instance of\nServiceAccountJwtAccessCredentials to fetch (self-sign) an access token\neven when only scopes are supplied. Otherwise,\nServiceAccountJwtAccessCredentials is only called when no scopes and an\nauthUrl (audience) is suppled.\n\n### fetchAuthToken\n\nFetches the auth tokens based on the current state.\n\n### getCacheKey\n\nReturn the Cache Key for the credentials.\n\nFor the cache key format is one of the following:\nClientEmail.Scope\\[.Sub\\]\nClientEmail.Audience\\[.Sub\\]\n\n### getLastReceivedToken\n\nReturns an associative array with the token and\nexpiration time.\n\n### getProjectId\n\nGet the project ID from the service account keyfile.\n\nReturns null if the project ID does not exist in the keyfile.\n\n### updateMetadata\n\nUpdates metadata with the authorization token.\n\n### setSub\n\n### getClientName\n\nGet the client name from the keyfile.\n\nIn this case, it returns the keyfile's client_email key.\n\n### getPrivateKey\n\nGet the private key from the keyfile.\n\nIn this case, it returns the keyfile's private_key key, needed for JWT signing.\n\n### getQuotaProject\n\nGet the quota project used for this API request\n\n### getUniverseDomain\n\nGet the universe domain configured in the JSON credential."]]
