Sending a client-side access token to your server
In cases where using the one-time-code flow is not practical, you can send the server an access token from your client. The OAuth 2.0 access tokens used by the Google+ sign-in button are bearer tokens: whoever holds one can present it and gain short-lived access, with no further proof of identity required.
If you are going to send your tokens from client to server, you must follow these guidelines:
- Send access tokens over SSL secured connections (https).
- Send the access token in an HTTP header or as POST data. Do not send it as a query parameter on a GET request, where it can end up in server logs, proxy logs and browser history. Most Ajax libraries make this easy.
- Verify the token on the server by calling tokeninfo, and check that the token you received was issued for the correct user and, above all, for your own client ID. A token that is valid for some other application must not be accepted as a sign-in to yours.
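The three guidelines above, implemented as one server-side routine. This is an added example, not code from the Google+ documentation. It assumes the field names of the v1 tokeninfo response (`audience`, `user_id`, `scope`, `expires_in`); the network call is isolated in `fetch_tokeninfo()` so the validation logic can be exercised offline against a constructed response, and the client ID and user ID used are placeholders.

```python
"""Server-side acceptance of a client-supplied bearer token.

Added example (not from the original page). Assumes the v1 tokeninfo
response shape: audience, user_id, scope, expires_in. MY_CLIENT_ID is a
placeholder for the client ID registered for this server's project.
"""
import json
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v1/tokeninfo"
MY_CLIENT_ID = "000000000000.apps.googleusercontent.com"  # placeholder


def extract_bearer_token(headers, query_string):
    """Return the token from 'Authorization: Bearer <token>', or None.

    A token in the query string is rejected outright rather than read:
    accepting it there would quietly undo the rule that clients must not
    send tokens on GET requests.
    """
    if "access_token" in urllib.parse.parse_qs(query_string):
        raise ValueError("access token must not be sent as a query parameter")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def fetch_tokeninfo(access_token):
    """Ask the tokeninfo endpoint to describe the token (network call)."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def validate_tokeninfo(info, expected_client_id, expected_user_id=None, required_scope=None):
    """Return (ok, reason). Accept only a live token minted for *our* client ID."""
    if "error" in info:
        return False, "tokeninfo reported an error: %s" % info["error"]
    if info.get("audience") != expected_client_id:
        # The crucial check: a token a user authorised for some other
        # application is still a valid Google token, but it must not sign
        # that user in here. Matching the audience to our client ID stops
        # a token for app A being replayed against server B.
        return False, "token was issued for a different client ID"
    if int(info.get("expires_in", 0)) <= 0:
        return False, "token has expired"
    if expected_user_id is not None and info.get("user_id") != expected_user_id:
        return False, "token belongs to a different user"
    if required_scope and required_scope not in info.get("scope", "").split():
        return False, "token lacks required scope %s" % required_scope
    return True, "ok"


def authenticate_request(url_scheme, headers, query_string, lookup=fetch_tokeninfo):
    """Apply all three guidelines to one incoming request.

    `lookup` is the tokeninfo call; tests inject a function returning a
    constructed response so nothing leaves the machine.
    """
    if url_scheme != "https":
        return False, "token submitted over a non-TLS connection"
    try:
        token = extract_bearer_token(headers, query_string)
    except ValueError as exc:
        return False, str(exc)
    if token is None:
        return False, "no bearer token in Authorization header"
    return validate_tokeninfo(lookup(token), MY_CLIENT_ID)


# Constructed tokeninfo response, shaped like the v1 endpoint's output.
SAMPLE_TOKENINFO = {
    "issued_to": MY_CLIENT_ID,
    "audience": MY_CLIENT_ID,
    "user_id": "100000000000000000001",  # constructed
    "scope": "https://www.googleapis.com/auth/plus.login",
    "expires_in": 3500,
}

if __name__ == "__main__":
    fake = lambda tok: SAMPLE_TOKENINFO
    print(authenticate_request("https", {"Authorization": "Bearer ya29.constructed"}, "", fake))
    print(authenticate_request("http", {"Authorization": "Bearer ya29.constructed"}, "", fake))
    print(authenticate_request("https", {}, "access_token=ya29.constructed", fake))
```

The audience comparison in `validate_tokeninfo` is the check that matters most: the other conditions only confirm the token is fresh and scoped, whereas the audience check is what stops a token legitimately issued to a different application from being accepted as a login to this one.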
There are other vulnerabilities that come with sending bearer tokens, so we do not recommend this approach if you can use the code flow.