Method: projects.locations.collections.engines.sessions.validateUserAuthorization

Validates an A2A 3-legged-OAuth (3LO) downstream-auth consent flow after the user returns from the third-party consent screen, and finalizes the downstream credential with Auth Manager.

HTTP request

POST https://discoveryengine.googleapis.com/v1alpha/{session=projects/*/locations/*/collections/*/engines/*/sessions/*}:validateUserAuthorization

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
session

string

Required. The resource name of the assist Session that initiated the consent flow. Used together with downstreamConnector to recover the server-stored consent_nonce. Format: projects/{project}/locations/{location}/collections/{collection}/engines/{engine}/sessions/{session}

Request body

The request body contains data with the following structure:

JSON representation
{
  "userIdValidationState": string,
  "downstreamConnector": string
}
Fields
userIdValidationState

string (bytes format)

Required. The opaque, encrypted validation state returned by Auth Manager in the consent redirect. Forwarded verbatim to FinalizeCredentials.

A base64-encoded string.

downstreamConnector

string

Required. The downstream connector (auth provider) resource name from the consent redirect (auth_provider_name). Named downstreamConnector to disambiguate from the "connector" in the remote agent.

Response body

If successful, the response body is empty.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/discoveryengine.readwrite
  • https://www.googleapis.com/auth/discoveryengine.serving.readwrite

For more information, see the Authentication Overview.