Enable automatic sign-in across apps and websites

If your app that uses Smart Lock for Passwords shares a user database with your website—or if your app and website use federated sign-in providers such as Google Sign-In—you can associate the app with the website so that users save their credentials once and then automatically sign in to both the app and the website.

To associate an app with a website, declare the association by hosting a Digital Asset Links JSON file on your website and adding a link to that Digital Asset Links file to your app's manifest.

Prerequisites

Your website's sign-in domain must be available through HTTPS.

Associate your app with your website

  1. Create a Digital Asset Links JSON file.

    For example, to declare that the website https://signin.example.com and an Android app with the package name com.example can share sign-in credentials, create a file named assetlinks.json with the following content:

    [{
      "relation": ["delegate_permission/common.get_login_creds"],
      "target": {
        "namespace": "web",
        "site": "https://signin.example.com"
      }
    },
    {
      "relation": ["delegate_permission/common.get_login_creds"],
      "target": {
        "namespace": "android_app",
        "package_name": "com.example",
        "sha256_cert_fingerprints": [
          "F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
        ]
      }
    }]
    

    The relation field is an array of one or more strings that describe the relationship being declared. To declare that apps and sites share sign-in credentials, specify the string delegate_permission/common.get_login_creds.

    The target field is an object that specifies the asset the declaration applies to. The following fields identify a website:

    namespace: web
    site: The website's URL, in the format https://domain[:optional_port]; for example, https://www.example.com.

    The domain must be fully qualified, and optional_port must be omitted when using port 443 for HTTPS.

    A site target can only be a root domain: you cannot limit an app association to a specific subdirectory. Do not include a path in the URL, such as a trailing slash.

    Subdomains are not considered to match: that is, if you specify the domain as www.example.com, the domain www.counter.example.com is not associated with your app.

    The following fields identify an Android app:

    namespace: android_app
    package_name: The package name declared in the app's manifest. For example, com.example.android
    sha256_cert_fingerprints: The SHA256 fingerprints of your app’s signing certificate. You can use the following command to generate the fingerprint:

        $ keytool -list -v -keystore my-release-key.keystore

    See the Digital Asset Links reference for details.

  2. Host the Digital Asset Links JSON file at the following location on the sign-in domain:

    https://domain[:optional_port]/.well-known/assetlinks.json

    For example, if your sign-in domain is signin.example.com, host the JSON file at https://signin.example.com/.well-known/assetlinks.json.

    The MIME type for the Digital Asset Links file needs to be JSON. Make sure the server sends a Content-Type: application/json header in the response.

  3. Declare the association in the Android app.

    1. Add the following line to the manifest file under <application>:

        <meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
      
    2. Add an asset_statements string resource to the strings.xml file. The asset_statements string is a JSON object that specifies the assetlinks.json files to load. You must escape any apostrophes and quotation marks you use in the string. For example:

        <string name="asset_statements" translatable="false">
        [{
          \"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
        }]
        </string>
      

      Note: the https://signin.example.com/.well-known/assetlinks.json link must return a 200 HTTP response with a JSON MIME Content-Type header. Returning a 301/302 HTTP redirect or a non-JSON Content-Type will cause verification to fail. The following example shows a request and the related response headers.

        > GET /.well-known/assetlinks.json HTTP/1.1
        > User-Agent: curl/7.35.0
        > Host: signin.example.com
      
        < HTTP/1.1 200 OK
        < Content-Type: application/json
      
  4. Publish the app to the Google Play Store. If you don't want to release the app publicly, you can publish it to an alpha/beta channel, which limits who can install it.

  5. Complete and submit the Smart Lock for Passwords affiliation form to request verification of your app association. Verification can take a few days.

When verification has completed, users of your app can save their credentials on either your app or your website and be automatically signed in to both.
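
As an added example (not part of the original documentation), the following Python code checks an assetlinks.json response against the rules in steps 1 to 3 before you submit the app for verification: status 200, a JSON Content-Type, well-formed JSON, the get_login_creds relation, a site value with no path or port 443, and 32-byte colon-separated fingerprints. The names check_site and check_assetlinks are hypothetical; accepting fingerprints in either letter case and not fetching include targets are assumptions of this example.

```python
import json
import re
from urllib.parse import urlsplit

CREDS = "delegate_permission/common.get_login_creds"
FP_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")  # 32 bytes = SHA-256

def check_site(site):
    """Problems with a web target's "site" value, per the rules on this page."""
    u = urlsplit(site)
    rules = [
        (u.scheme != "https", "site must be an https:// URL"),
        (bool(u.path or u.query or u.fragment), "no path allowed, not even a trailing slash"),
        (u.netloc.endswith(":443"), "omit the port when it is 443"),
        ("." not in (u.hostname or ""), "domain must be fully qualified"),
    ]
    return [msg for failed, msg in rules if failed]

def check_assetlinks(status, content_type, body):
    """Problems with one HTTP response for /.well-known/assetlinks.json."""
    out = []
    if status != 200:
        out.append(f"HTTP {status}: must be 200, redirects fail verification")
    if content_type.split(";")[0].strip().lower() != "application/json":
        out.append(f"Content-Type {content_type!r} is not application/json")
    try:
        statements = json.loads(body)
    except ValueError as exc:
        return out + [f"invalid JSON: {exc}"]
    if not isinstance(statements, list):
        return out + ["top level must be a JSON array of statements"]
    for i, st in enumerate(statements):
        if "include" in st:  # pointer to another assetlinks.json; not fetched here
            continue
        target = st.get("target", {})
        if CREDS not in st.get("relation", []):
            out.append(f"[{i}] relation lacks {CREDS}")
        if target.get("namespace") == "web":
            out += [f"[{i}] {p}" for p in check_site(target.get("site", ""))]
        elif target.get("namespace") == "android_app":
            if not target.get("package_name"):
                out.append(f"[{i}] package_name missing")
            for fp in target.get("sha256_cert_fingerprints") or [""]:
                if not FP_RE.match(fp):
                    out.append(f"[{i}] bad SHA-256 fingerprint {fp!r}")
    return out

# Constructed sample: a 302 response whose "site" carries a trailing slash.
BAD = '[{"relation": ["%s"], "target": {"namespace": "web", "site": "https://signin.example.com/"}}]' % CREDS
print(check_assetlinks(302, "text/html", BAD))
```

Feed it the status code, Content-Type header and body captured from a request to your own sign-in domain; an empty list means none of the checks above failed.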

Example: Associate multiple apps with a website

You can associate multiple apps with a website by specifying each app in the Digital Asset Links file. For example, to associate the com.example and com.example.pro apps with the site at https://signin.example.com/, specify both apps in the JSON file hosted at https://signin.example.com/.well-known/assetlinks.json:

[{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "web",
    "site": "https://signin.example.com"
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example",
    "sha256_cert_fingerprints": [
      "F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
    ]
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.pro",
    "sha256_cert_fingerprints": [
      "F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
    ]
  }
}]

Then, declare the association in both apps:

  1. Add the following line to the manifest file under <application>:

    <meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
    
  2. Add the following string resource to the strings.xml file:

    <string name="asset_statements" translatable="false">
    [{
      \"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
    }]
    </string>
    

Example: Associate apps with multiple websites

You can associate apps with multiple websites by specifying each website in the Digital Asset Links file and hosting the file on each website. For example, to associate the com.example and com.example.pro apps with the sites at https://signin.example.com/ and https://m.example.com/, specify both apps and both sites in the JSON file hosted at https://signin.example.com/.well-known/assetlinks.json:

[{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "web",
    "site": "https://signin.example.com"
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "web",
    "site": "https://m.example.com"
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example",
    "sha256_cert_fingerprints": [
      "F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
    ]
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.pro",
    "sha256_cert_fingerprints": [
      "F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
    ]
  }
}]

Then, in the JSON file hosted at https://m.example.com/.well-known/assetlinks.json, include the primary Digital Asset Links file:

[{
  "include": "https://signin.example.com/.well-known/assetlinks.json"
}]

Finally, declare the association in both apps:

  1. Add the following line to the manifest file under <application>:

    <meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
    
  2. Add the following string resource to the strings.xml file:

    <string name="asset_statements" translatable="false">
    [{
      \"include\": \"https://signin.example.com/.well-known/assetlinks.json\"
    }]
    </string>