Console
    Contact Us Start free

    Method: projects.serviceAccounts.signJwt

    Signs a JWT using a service account's system-managed private key.

    HTTP request

    POST https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:signJwt

    The URL uses gRPC Transcoding syntax.

    Path parameters

    Parameters
    name

    string

    Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID} . The - wildcard character is required; replacing it with a project ID is invalid.

    Authorization requires the following IAM permission on the specified resource name :

    • iam.serviceAccounts.signJwt

    Request body

    The request body contains data with the following structure:

    JSON representation 
     { 
 "delegates" 
 : 
 [ 
 string 
 ] 
 , 
 "payload" 
 : 
 string 
 }
    Fields
    delegates[]

    string

    The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request.

    The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID} . The - wildcard character is required; replacing it with a project ID is invalid.
    payload

    string

    Required. The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. For example: {"sub": "user@example.com", "iat": 313435}

    If the JWT Claims Set contains an expiration time ( exp ) claim, it must be an integer timestamp that is not in the past and no more than 12 hours in the future.

    Response body

    If successful, the response body contains data with the following structure:

    JSON representation 
     { 
 "keyId" 
 : 
 string 
 , 
 "signedJwt" 
 : 
 string 
 }
    Fields
    keyId

    string

    The ID of the key used to sign the JWT. The key used for signing will remain valid for at least 12 hours after the JWT is signed. To verify the signature, you can retrieve the public key in several formats from the following endpoints:

    • RSA public key wrapped in an X.509 v3 certificate: https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}
    • Raw key in JSON format: https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}
    • JSON Web Key (JWK): https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}
    signedJwt

    string

    The signed JWT. Contains the automatically generated header; the client-supplied payload; and the signature, which is generated using the key referenced by the kid field in the header.

    After the key pair referenced by the keyId response field expires, Google no longer exposes the public key that can be used to verify the JWT. As a result, the receiver can no longer verify the signature.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/iam
    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: