Authenticate with a backend server

If you use Google Sign-In with an app or site that communicates with a backend server, you might need to identify the currently signed-in user on the server. To do so securely, after a user successfully signs in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity of the ID token and retrieve the user's ID from the sub claim of the ID token. You can use user IDs transmitted in this way to safely identity the currently signed-in user on the backend.

Send the ID token to your server

After a user successfully signs in, get the user's ID token:

function onSignIn(googleUser) {
  var id_token = googleUser.getAuthResponse().id_token;

Then, send the ID token to your server with an HTTPS POST request:

var xhr = new XMLHttpRequest();'POST', '');
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.onload = function() {
  console.log('Signed in as: ' + xhr.responseText);
xhr.send('idtoken=' + id_token);

Verify the integrity of the ID token

After you receive the ID token by HTTPS POST, you must verify the integrity of the token. To verify that the token is valid, ensure that the following criteria are satisfied:

  • The ID token is properly signed by Google. Use Google's public keys (available in JWK or PEM format) to verify the token's signature.
  • The value of aud in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server.
  • The value of iss in the ID token is equal to or
  • The expiry time (exp) of the ID token has not passed.
  • If your authentication request specified a hosted domain, the ID token has a hd claim that matches your G Suite hosted domain.

Rather than writing your own code to perform these verification steps, we strongly recommend using a Google API client library for your platform, or calling our tokeninfo validation endpoint.

Calling the tokeninfo endpoint

The easiest way to validate an ID token is to use the tokeninfo endpoint. Calling this endpoint involves an additional network request that does most of the validation for you, but introduces some latency and the potential for network errors.

To validate an ID token using the tokeninfo endpoint, make an HTTPS POST or GET request to the endpoint, and pass your ID token in the id_token parameter. For example, to validate the token "XYZ123", make the following GET request:

If the token is properly signed and the iss and exp claims have the expected values, you will get a HTTP 200 response, where the body contains the JSON-formatted ID token claims. Here's an example response:

 // These six fields are included in all Google ID Tokens.
 "iss": "",
 "sub": "110169484474386276334",
 "azp": "",
 "aud": "",
 "iat": "1433978353",
 "exp": "1433981953",

 // These seven fields are only included when the user has granted the "profile" and
 // "email" OAuth scopes to the application.
 "email": "",
 "email_verified": "true",
 "name" : "Test User",
 "picture": "",
 "given_name": "Test",
 "family_name": "User",
 "locale": "en"

Once you get these claims, you still need to check that the aud claim contains one of your app's client IDs. If it does, then the token is both valid and intended for your client, and you can safely retrieve and use the user's unique Google ID from the sub claim.

If you are a G Suite customer, you might also be interested in the hd claim, which indicates the hosted domain of the user. This can be used to restrict access to a resource to only members of certain domains. The absence of this claim indicates that the user does not belong to a G Suite hosted domain.

Using a Google API Client Library

Using one of the Google API Client Libraries is the recommended way to validate Google ID tokens in a production environment.


To validate an ID token in Java, use the GoogleIdTokenVerifier object. For example:



GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
    // If you retrieved the token on Android using the Play Services 8.3 API or newer, set
    // the issuer to "". Otherwise, set the issuer to
    // "". If you need to verify tokens from multiple sources, build
    // a GoogleIdTokenVerifier for each issuer and try them both.

// (Receive idTokenString by HTTPS POST)

GoogleIdToken idToken = verifier.verify(idTokenString);
if (idToken != null) {
  Payload payload = idToken.getPayload();

  // Print user identifier
  String userId = payload.getSubject();
  System.out.println("User ID: " + userId);

  // Get profile information from payload
  String email = payload.getEmail();
  boolean emailVerified = Boolean.valueOf(payload.getEmailVerified());
  String name = (String) payload.get("name");
  String pictureUrl = (String) payload.get("picture");
  String locale = (String) payload.get("locale");
  String familyName = (String) payload.get("family_name");
  String givenName = (String) payload.get("given_name");

  // Use or store profile information
  // ...

} else {
  System.out.println("Invalid ID token.");

The GoogleIdTokenVerifier.verify() method verifies the JWT signature, the aud claim, the iss claim, and the exp claim. You must also verify the the hd claim (if applicable) with the Payload.getHostedDomain() method. If multiple clients access the backend server, manually verify the aud claim.


To validate an ID token in Python, use the oauth2client.client.verify_id_token function. For example:

from oauth2client import client, crypt

# (Receive token by HTTPS POST)

    idinfo = client.verify_id_token(token, CLIENT_ID)
    # If multiple clients access the backend server:
    if idinfo['aud'] not in [ANDROID_CLIENT_ID, IOS_CLIENT_ID, WEB_CLIENT_ID]:
        raise crypt.AppIdentityError("Unrecognized client.")
    if idinfo['iss'] not in ['', '']:
        raise crypt.AppIdentityError("Wrong issuer.")
    if idinfo['hd'] != APPS_DOMAIN_NAME:
        raise crypt.AppIdentityError("Wrong hosted domain.")
except crypt.AppIdentityError:
    # Invalid token
userid = idinfo['sub']

The oauth2client.client.verify_id_token function verifies the JWT signature, the aud claim, and the exp claim. You must also verify the iss claim and the hd claim (if applicable) by examining the object that verify_id_token returns. If multiple clients access the backend server, also manually verify the aud claim.

You can also verify ID tokens with the Google API Client Library for PHP, Node.js, and other languages.