Maximize user convenience by enabling cross-platform seamless credential sharing across your apps and websites. When multiple websites and Android apps share an account management backend, this feature allows users to save credentials once and have them automatically suggested on any linked website or Android app.
There are two supported methods to set up credential sharing:
- Play Console: Recommended for most developers when setting up credential sharing with Android apps. This method lets you configure credential sharing without needing to release a new version of your app. Note that even when using Play Console, you still need to publish a valid assetlinks.json file on your website.
- Digital Asset Links (DALs): Suitable for advanced use cases, such as supporting multiple apps or domains with more complex configurations.
Best practices
For optimal user experience and security, implement seamless credential sharing across these touchpoints:
- Sign-in form: Enable automatic credential filling.
- Sign-up form: Securely store new credentials for use across platforms.
- Password change form: Synchronize password updates across all platforms.
- Password reset form: Allow single password resets to update all platforms.
- Webview domains: Extend credential sharing to webview domains within your app that handle account management (host sign-in, sign-up, password change, or password reset forms).
- Android apps
This approach creates a unified credential management system, enhancing both user convenience and security.
When designing your account management websites, we suggest you follow these best practices:
- Design your sign-up form in accordance with best practices
- Design your sign-in form in accordance with best practices
- Add a well-known URL for changing passwords
When designing your Android apps, we recommend you integrate your app with Android Credential Manager.
Set up credential sharing using Play Console
You can now enable seamless credential sharing directly from Play Console without publishing a new version of your Android app. This method simplifies the process by managing your credential sharing configurations through the Play Console interface.
Prerequisites
Before setting up credential sharing using Play Console, ensure you have:
- The necessary Play Console permissions to access the Deep links and App configuration sections. If you're not the account owner, ask your Play Console administrator to grant you the appropriate access.
- Ability to publish a /.well-known/assetlinks.json file on each respective domain, following the Digital Asset Links (DALs) syntax.
Enable credential sharing for a new domain
To set up seamless credential sharing in Play Console for a new domain, follow these steps:
- Open Play Console and go to the Deep links page (Grow users > Deep links).
- Under the App configuration tab, click Add domain.
- Enter your website's domain.
- Turn on the Enable credential sharing toggle.
- Copy the generated JSON file and publish it at the specified location (https://YOUR_DOMAIN/.well-known/assetlinks.json according to the protocol), or add the relevant information to the existing assetlinks.json file.
- Click Create website association.
If successful, you'll return to the Deep links page.
Enable credential sharing for an existing domain
To set up seamless credential sharing in Play Console for an existing domain, follow these steps:
- Select the App configuration tab.
- In the Domains section, under App configuration, click Turn on in the Credential sharing column.
- Copy the generated JSON file and publish it at the specified location (or add the relevant information to the existing assetlinks.json file).
- Click Turn on credential sharing.
If successful, you'll return to the Deep links page.
Set up credential sharing using only Digital Asset Links (DALs)
For complex setups involving multiple apps or websites, use Digital Asset Links (DALs) to configure credential sharing manually.
Prerequisites
Before setting up seamless credential sharing, ensure you have the following for each platform:
For each Android app:
- The Android application ID, as declared in the app's build.gradle file.
- The SHA256 fingerprints of the signing certificate.
- (Recommended) User sign-in implemented with the Credential Manager API.
For each website:
- Ability to publish a /.well-known/assetlinks.json file on each respective domain, following the Digital Asset Links (DALs) syntax.
- All account management domains (sign-in, sign-up, password change, or password reset forms) must be accessible over HTTPS.
Enable seamless credential sharing across Android apps and websites
To configure seamless credential sharing across apps and websites, you create and publish Digital Asset Links statement lists that declare which entities (websites or Android apps) are allowed to share credentials.
To declare a credential sharing relationship:
1. Create an assetlinks.json file with statements linking to the website and to the Android app, following the DALs statement list syntax:

   [
     {
       "relation": ["delegate_permission/common.get_login_creds"],
       "target": {
         "namespace": "web",
         "site": "URL"
       }
     },
     {
       "relation": ["delegate_permission/common.get_login_creds"],
       "target": {
         "namespace": "android_app",
         "package_name": "APP_ID",
         "sha256_cert_fingerprints": ["SHA_HEX_VALUE"]
       }
     }
   ]

   Where URL is your site's URL, APP_ID is your Android application ID, and SHA_HEX_VALUE is the SHA256 fingerprint of your Android app signing certificate.

   The relation field describes the relationship being declared. To declare that apps and sites share sign-in credentials, specify the relationships as delegate_permission/common.get_login_creds. Learn more about Relation Strings in DALs.

   The target field is an object that specifies the asset the declaration applies to.

   The following fields identify a website:

   - namespace: web
   - site: The website's URL, in the format https://domain[:optional_port]; for example, https://www.example.com. The domain must be fully-qualified, and optional_port must be omitted when using port 443 for HTTPS. A site target can only be a root domain: you cannot limit an app association to a specific subdirectory. Don't include a path in the URL, such as a trailing slash. Subdomains are not considered to match: that is, if you specify the domain as www.example.com, the domain www.counter.example.com is not associated with your app.

   The following fields identify an Android app:

   - namespace: android_app
   - package_name: The package name declared in the app's manifest. For example, com.example.android
   - sha256_cert_fingerprints: The SHA256 fingerprints of your app's signing certificate.

2. Host the Digital Asset Links JSON file at the following location on the sign-in domains: https://DOMAIN[:OPTIONAL_PORT]/.well-known/assetlinks.json, where DOMAIN is fully-qualified, and OPTIONAL_PORT must be omitted when using port 443 for HTTPS.

3. Declare the association in the Android app by embedding a statement in your Android app's res/values/strings.xml file that links to the statement list you created in Step 1. Add an object that specifies the assetlinks.json files to load. For example:

   <string name="asset_statements" translatable="false">
   [{
     \"include\": \"https://DOMAIN[:OPTIONAL_PORT]/.well-known/assetlinks.json\"
   }]
   </string>

   Replace DOMAIN and OPTIONAL_PORT (must be omitted when using port 443 for HTTPS), for example https://www.example.com. Escape any apostrophes and quotation marks you use in the string.

   You can also add a JSON snippet in your strings.xml file as shown in the DALs documentation, but using the include statement lets you change statements without publishing a new version of your app.

4. Reference the statement in the manifest by adding the following line to your app's AndroidManifest.xml file under <application>:

   <meta-data android:name="asset_statements" android:resource="@string/asset_statements"/>

5. Publish the new version of your Android app to the Google Play Developer Console.
After following these steps, you have successfully set up seamless credential sharing between your website and your Android app.
Note that this is not the only valid way to set up DALs for credential sharing, but this approach simplifies the future process of adding new entities to your seamless credential sharing network, promotes code reusability, and reduces the potential for errors during updates.
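A pre-publish audit of a credential-sharing statement list against the site rules above and an allowlist of the apps you actually ship, as an added example (not code from this page or from Google). The names check_site, audit and expected_apps are hypothetical, the fingerprint format (32 colon-separated uppercase hex bytes) is an assumption, and the sample data is constructed.

```python
import json
import re
from urllib.parse import urlsplit

CREDS = "delegate_permission/common.get_login_creds"
# Assumption: fingerprints are 32 colon-separated uppercase hex bytes (keytool style).
FP_RE = re.compile(r"(?:[0-9A-F]{2}:){31}[0-9A-F]{2}")

def check_site(site):
    """Problems with a web target's site value, per the rules on this page."""
    u = urlsplit(site if isinstance(site, str) else "")
    rules = [
        (u.scheme != "https", "site must be an https:// URL"),
        ("." not in (u.hostname or ""), "domain must be fully qualified"),
        (u.netloc.endswith(":443"), "omit the port when it is 443"),
        (bool(u.path or u.query or u.fragment), "no path, not even a trailing slash"),
    ]
    return [msg for bad, msg in rules if bad]

def audit(text, expected_apps):
    """expected_apps (hypothetical input): package name -> set of fingerprints you ship."""
    findings = []
    for i, stmt in enumerate(json.loads(text)):
        if CREDS not in stmt.get("relation", []):
            continue  # statements for other relations are out of scope here
        target = stmt.get("target", {})
        if target.get("namespace") == "web":
            findings += [f"[{i}] {p}" for p in check_site(target.get("site"))]
        elif target.get("namespace") == "android_app":
            pkg = target.get("package_name")
            if pkg not in expected_apps:
                findings.append(f"[{i}] unexpected package {pkg}")
                continue
            for fp in target.get("sha256_cert_fingerprints", []):
                if not FP_RE.fullmatch(str(fp)):
                    findings.append(f"[{i}] {pkg}: malformed fingerprint")
                elif fp not in expected_apps[pkg]:
                    findings.append(f"[{i}] {pkg}: fingerprint not in allowlist")
    return findings

# Constructed sample data, not real values.
GOOD_FP = ":".join(["AB"] * 32)
SAMPLE = json.dumps([
    {"relation": [CREDS], "target": {"namespace": "web", "site": "https://www.example.com/"}},
    {"relation": [CREDS], "target": {"namespace": "android_app",
     "package_name": "com.example.android", "sha256_cert_fingerprints": [GOOD_FP, "ab:cd"]}},
    {"relation": [CREDS], "target": {"namespace": "android_app",
     "package_name": "com.other.app", "sha256_cert_fingerprints": [GOOD_FP]}},
])
print("\n".join(audit(SAMPLE, {"com.example.android": {GOOD_FP}})))
```

Every statement with this relation grants access to saved sign-in credentials, so an unexpected package or fingerprint in the published file is worth failing a release check on.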