Stay organized with collections
Save and categorize content based on your preferences.
Select platform:
ARCore features such as the Geospatial
API and Cloud Anchors use the
ARCore API hosted on Google Cloud. When using these features, your application
uses credentials to access the ARCore API service.
This quickstart describes how to set up your application so that it can
communicate with the ARCore API service hosted on Google Cloud.
Create a new Google Cloud project or use an existing project
An iOS application can communicate with the ARCore API using two different
authorization methods: Keyless authorization, which is the
recommended method, and API Key authorization:
Keyless authorization uses a token signed to control access to the API. This
method requires a server owned by you to sign tokens and control access to
the API.
An API key is a string that identifies a Google Cloud project. API keys are
generally not considered secure as they are typically accessible to clients.
Consider using Token authorization to communicate with the ARCore API.
Keyless
ARCore supports the authorization of API calls in iOS using a (JSON Web
token). The token must be signed by a Google
Service account.
In order to generate tokens for iOS, you must have an endpoint on your server
that satisfies the following requirements:
Your own authorization mechanism must protect the endpoint.
The endpoint must generate a new token every time, such that:
Each user gets a unique token.
Tokens don't immediately expire.
Create a service account and signing key
Follow these steps to create a Google service account and signing key:
In Google Cloud, open the Credentials page. Credentials
Click Create Credentials > Service account.
Under Service account details, type a name for the new account, then click
Create.
On the Service account permissions page, go to the Select a role drop-down.
Select Service Accounts > Service Account Token Creator, then click
Continue.
On the Grant users access to this service account page, click Done.
On the Credentials
page, find the Service Accounts section and click the name of the account
you just created.
On the Service account details page, scroll down to the Keys section and
select Add Key > Create new key.
Select JSON as the key type and click Create.
This downloads a JSON file containing the private key to your machine. Store
the downloaded JSON key file in a secure location.
Create tokens on your server
To create new tokens (JWTs) on your server, use the standard JWT
libraries
and the JSON file that you securely downloaded from your new service account.
Create tokens on your development machine
To generate JWTs on your development machine, use the following
oauth2l command:
Specifying an empty cache location using the --cache flag is necessary to
ensure that a different token is produced each time. Be sure to trim the
resulting string. Extra spaces or newline characters will cause the API to
reject the token.
Sign the token
You must use the RS256 algorithm and the following claims to sign the JWT:
iss — The service account email address.
sub — The service account email address.
iat — The Unix epoch time when the token was generated, in seconds.
exp — iat + 3600 (1 hour). The Unix epoch time when the token expires,
in seconds.
aud — The audience. It must be set tohttps://arcore.googleapis.com/.
Non-standard claims are not required in the JWT payload, though you may find the
uid claim useful for identifying the corresponding user.
If you use a different approach to generate your JWTs, such as using a Google
API in a Google-managed environment, make sure to sign your JWTs with the claims
in this section. Above all, make sure that the audience is correct.
Pass the token in the ARCore session
Your app is now configured to use Keyless authentication.
Note the following when you pass a token into the session:
If you have used an API key to create the session, ARCore will ignore the
token and log an error.
If you no longer need the API key, delete it in the Google Developers
Console and remove it from your
app.
ARCore ignores tokens that contain spaces or special characters.
Tokens typically expire after one hour. If there is a possibility that your
token may expire while in use, obtain a new token and pass it to the API.
API Key
In Google Cloud, open the Credentials page. Credentials
Click Create credentials, then select API key from the menu. The
API key created dialog displays the string for your newly created key.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-10-31 UTC."],[[["\u003cp\u003eConfigure your application to communicate with the ARCore API service hosted on Google Cloud for features like Geospatial API and Cloud Anchors.\u003c/p\u003e\n"],["\u003cp\u003eSet up authorization using Keyless authorization (recommended) with JWT or API Key authorization, by enabling the ARCore API and creating necessary credentials.\u003c/p\u003e\n"],["\u003cp\u003eFor Keyless authorization, generate JWTs on your server or development machine with specific claims and pass the token in the ARCore session securely.\u003c/p\u003e\n"],["\u003cp\u003eFor API Key authorization, create an API key in Google Cloud and securely integrate it into your application while adhering to API key restrictions.\u003c/p\u003e\n"],["\u003cp\u003eOnce authorization is configured, explore ARCore features such as Geospatial API and Cloud Anchors that utilize it.\u003c/p\u003e\n"]]],["To access ARCore features like Geospatial API and Cloud Anchors, you must enable the ARCore API in your Google Cloud project. For iOS apps, keyless authorization (using JSON Web Tokens signed by a Google Service account) is recommended. This method involves creating a service account, generating a JSON key file, and creating tokens on your server with specific claims (iss, sub, iat, exp, aud). Alternatively, API keys can be used but are less secure. Your application can then pass the token or api key to the ARCore session.\n"],null,["# Use the ARCore API on Google Cloud\n\n**Select platform:** Android Unity (AR Foundation) iOS\n\nARCore features such as the [Geospatial\nAPI](/ar/develop/geospatial) and [Cloud Anchors](/ar/develop/cloud-anchors) use the\nARCore API hosted on Google Cloud. When using these features, your application\nuses credentials to access the ARCore API service.\n\nThis quickstart describes how to set up your application so that it can\ncommunicate with the ARCore API service hosted on Google Cloud.\n\nCreate a new Google Cloud project or use an existing project\n------------------------------------------------------------\n\nIf you have an existing project, select it.\n\n[Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n\nIf you don't have an existing Google Cloud project, create one.\n\n[Create new project](https://console.cloud.google.com/projectcreate)\n\nEnable the ARCore API\n---------------------\n\nTo use the ARCore API, you must enable it in your project.\n\n[Enable the ARCore API](https://console.cloud.google.com/apis/library/arcore)\n\n\u003cbr /\u003e\n\nSet up an authorization method\n------------------------------\n\nAn iOS application can communicate with the ARCore API using two different\nauthorization methods: Keyless authorization, which is the\nrecommended method, and API Key authorization:\n\n- Keyless authorization uses a token signed to control access to the API. This method requires a server owned by you to sign tokens and control access to the API.\n- An API key is a string that identifies a Google Cloud project. API keys are generally not considered secure as they are typically accessible to clients. Consider using Token authorization to communicate with the ARCore API.\n\n### Keyless\n\n\nARCore supports the authorization of API calls in iOS using a ([JSON Web\ntoken](https://jwt.io/)). The token must be signed by a Google\nService account.\n\nIn order to generate tokens for iOS, you must have an endpoint on your server\nthat satisfies the following requirements:\n\n- Your own authorization mechanism must protect the endpoint.\n\n- The endpoint must generate a new token every time, such that:\n\n - Each user gets a unique token.\n - Tokens don't immediately expire.\n\n### Create a service account and signing key\n\nFollow these steps to create a Google service account and signing key:\n\n1. In Google Cloud, open the Credentials page. \n [Credentials](https://console.cloud.google.com/apis/credentials)\n2. Click **Create Credentials \\\u003e Service account**.\n3. Under **Service account details** , type a name for the new account, then click **Create**.\n4. On the Service account permissions page, go to the **Select a role** drop-down. Select **Service Accounts \\\u003e Service Account Token Creator**, then click Continue.\n5. On the **Grant users access to this service account** page, click Done.\n6. On the [Credentials](https://console.cloud.google.com/apis/credentials) page, find the Service Accounts section and click the name of the account you just created.\n7. On the **Service account details** page, scroll down to the Keys section and select **Add Key \\\u003e Create new key**.\n8. Select **JSON** as the key type and click **Create**.\n\n This downloads a JSON file containing the private key to your machine. Store\n the downloaded JSON key file in a secure location.\n | **Note:** This file contains a private key which must not be exposed to the public. Do **not** commit it to source code repositories like GitHub.\n\n### Create tokens on your server\n\nTo create new tokens (JWTs) on your server, use the [standard JWT\nlibraries](https://jwt.io/#libraries-io)\nand the JSON file that you securely downloaded from your new service account.\n\n### Create tokens on your development machine\n\nTo generate JWTs on your development machine, use the following\n[`oauth2l`](https://github.com/google/oauth2l) command: \n\n```\noauth2l fetch --cache \"\" --jwt --json $KEYFILE --audience \"https://arcore.googleapis.com/\"\n```\n\nSpecifying an empty cache location using the `--cache` flag is necessary to\nensure that a different token is produced each time. Be sure to trim the\nresulting string. **Extra spaces or newline characters will cause the API to\nreject the token**.\n\n### Sign the token\n\nYou must use the `RS256` algorithm and the following claims to sign the JWT:\n\n- `iss` --- The service account email address.\n- `sub` --- The service account email address.\n- `iat` --- The Unix epoch time when the token was generated, in seconds.\n- `exp` --- `iat` + `3600` (1 hour). The Unix epoch time when the token expires, in seconds.\n- `aud` --- The audience. **It must be set to** `https://arcore.googleapis.com/`.\n\nNon-standard claims are not required in the JWT payload, though you may find the\n`uid` claim useful for identifying the corresponding user.\n\nIf you use a different approach to generate your JWTs, such as using a Google\nAPI in a Google-managed environment, make sure to sign your JWTs with the claims\nin this section. Above all, make sure that the audience is correct.\n\n### Pass the token in the ARCore session\n\nYour app is now configured to use Keyless authentication.\n\nNote the following when you pass a token into the session:\n\n- If you have used an API key to create the session, ARCore will ignore the\n token and log an error.\n\n If you no longer need the API key, delete it in the [Google Developers\n Console](https://console.developers.google.com/) and remove it from your\n app.\n- ARCore ignores tokens that contain spaces or special characters.\n\n- Tokens typically expire after one hour. If there is a possibility that your\n token may expire while in use, obtain a new token and pass it to the API.\n\n### API Key\n\n\n1. In Google Cloud, open the Credentials page. \n [Credentials](https://console.cloud.google.com/apis/credentials)\n2. Click **Create credentials** , then select **API key** from the menu. \n The API key created dialog displays the string for your newly created key.\n3. \n4. Review [documentation on API key restrictions](https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions) to secure your API key.\n\nYour app is now configured to use API keys.\n\nWhat's next\n-----------\n\nWith authorization configured, check out the following ARCore features that use\nit:\n\n- [Geospatial API](/ar/develop/geospatial)\n- [Cloud Anchor API](/ar/develop/cloud-anchors)"]]
