Authenticating with a service account

Prerequisites

This page assumes that you have already:

Configuring authentication

To authenticate with a service account:

Import the App Engine Endpoints API in your API class:
```
import endpoints
```
Add an issuer object for the service account to the API decorator. For example:
```
@endpoints.api(
    name='echo',
    version='v1',
    issuers={'serviceAccount': endpoints.Issuer(
        'YOUR_SERVICE_ACCOUNT_EMAIL',
        'https://www.googleapis.com/robot/v1/metadata/x509/YOUR_SERVICE_ACCOUNT_EMAIL')},
    audiences={'serviceAccount': ['YOUR_AUDIENCE']})
```
- Replace echo with the name of your API.
- Replace v1 with your API version.
- Replace YOUR_SERVICE_ACCOUNT_EMAIL with your service account email.
- Replace YOUR_AUDIENCE with the value in the aud field sent by the calling service.
In each API method where you want to check for proper authentication, check for a valid User and raise error 401if there isn't one, as shown in this sample method definition:
```
user = endpoints.get_current_user()
# If there's no user defined, the request was unauthenticated, so we
# raise 401 Unauthorized.
```
Deploy the API. You need to redeploy the API whenever you add new clients.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-10-24 UTC.