AI-generated Key Takeaways
-
Securely store your application's authorization credentials, typically found in a
client_secret_<client-id>.jsonfile, in a location only your application can access. -
Protect refresh tokens by storing them securely, providing a way to clear them from the device, and informing users they can deauthorize access to their Google account.
-
Clear all tokens from a device when you are finished using it permanently.
Here are some security and privacy guidelines for developers using the Google Assistant API in their projects.
API and application authorization
Any application that uses the Google Assistant API must have authorization
credentials that identify the application to Google's authentication server.
Typically, these credentials are stored in a downloaded client_secret_<client-id>.json
file. Make sure to store this file in a location that only your application
can access.
Your application may prompt the user to grant it access to their Google account. If granted, your application can request an access token for that user. These tokens expire, but can be refreshed.
Unprotected refresh tokens on a device pose a significant security risk. Make sure your application:
- Stores the refresh tokens in a secure place.
- Provides an easy way to clear tokens from the device. For example, provide a "Sign out" button that clears a token (if the application has a UI) or a command line script that the user can execute.
- Informs users that they can deauthorize access to their Google account. This revokes the refresh token; to use the application again, the user would need to re-authorize access.
When you are done using the device permanently, you should clear all of the tokens from it.
For more information, see Using OAuth 2.0 to Access Google APIs.