If your app that uses Smart Lock for Passwords shares a user database with your website—or if your app and website use federated sign-in providers such as Google Sign-In—you can associate the app with the website so that users save their credentials once and then automatically sign in to both the app and the website.
To associate an app with a website, declare associations by hosting a Digital Asset Links JSON file on your website, and adding a link to the Digital Asset Link file to your app's manifest.
By hosting a Digital Asset Links declaration on your website, you also enable your website to share autofill data with your app when running on Android 8.0 and newer.
Prerequisites
Your website's sign-in domain must be available through HTTPS.
Associate your app with your website
-
Create a Digital Asset Links JSON file.
For example, to declare that the website
https://signin.example.comand an Android app with the package namecom.examplecan share sign-in credentials, create a file namedassetlinks.jsonwith the following content:[{ "relation": ["delegate_permission/common.get_login_creds"], "target": { "namespace": "web", "site": "https://signin.example.com" } }, { "relation": ["delegate_permission/common.get_login_creds"], "target": { "namespace": "android_app", "package_name": "com.example", "sha256_cert_fingerprints": [ "F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B" ] } }]The
relationfield is an array of one or more strings that describe the relationship being declared. To declare that apps and sites share sign-in credentials, specify the stringdelegate_permission/common.get_login_creds.The
targetfield is an object that specifies the asset the declaration applies to. The following fields identify a website:namespacewebsiteThe website's URL, in the format
https://domain[:optional_port]; for example,https://www.example.com.The domain must be fully-qualified., and optional_port must be omitted when using port 443 for HTTPS.
A
sitetarget can only be a root domain: you cannot limit an app association to a specific subdirectory. Do not include a path in the URL, such as a trailing slash.Subdomains are not considered to match: that is, if you specify the domain as
www.example.com, the domainwww.counter.example.comis not associated with your app.The following fields identify an Android app:
namespaceandroid_apppackage_nameThe package name declared in the app's manifest. For example, com.example.androidsha256_cert_fingerprintsThe SHA256 fingerprints of your app’s signing certificate. You can use the following command to generate the fingerprint: $ keytool -list -v -keystore my-release-key.keystore
See the Digital Asset Links reference for details.
-
Host the Digital Assets Link JSON file at the following location on the sign-in domain:
https://domain[:optional_port]/.well-known/assetlinks.json
For example, if your sign-in domain is
signin.example.com, host the JSON file athttps://signin.example.com/.well-known/assetlinks.json.The MIME type for the Digital Assets Link file needs to be JSON. Make sure the server sends a
Content-Type: application/jsonheader in the response. -
Ensure that your host permits Google to retrieve your Digital Asset Link file. If you have a
robots.txtfile, it must allow the Googlebot agent to retrieve/.well-known/assetlinks.json. Most sites can simply allow any automated agent to retrieve files in the/.well-known/path so that other services can access the metadata in those files:User-agent: * Allow: /.well-known/ -
Declare the association in the Android app.
-
Add the following line to the manifest file under
<application>:<meta-data android:name="asset_statements" android:resource="@string/asset_statements" /> -
Add an
asset_statementsstring resource to thestrings.xmlfile. Theasset_statementsstring is a JSON object that specifies theassetlinks.jsonfiles to load. You must escape any apostrophes and quotation marks you use in the string. For example:<string name="asset_statements" translatable="false"> [{ \"include\": \"https://signin.example.com/.well-known/assetlinks.json\" }] </string>Note: the
https://signin.example.com/.well-known/assetlinks.jsonlink must return a 200 HTTP response with a JSON MIME Content-Type header. Returning a 301/302 HTTP redirect or a non-JSON Content-Type will cause verification to fail. The following is an example showing a request and the related response headers.> GET /.well-known/assetlinks.json HTTP/1.1 > User-Agent: curl/7.35.0 > Host: signin.example.com < HTTP/1.1 200 OK < Content-Type: application/json
-
-
Publish the app to Google Play Store. If you don't want to release the app publicly, you can publish it to an alpha/beta channel, which limits who can install it.
-
Complete and submit the Smart Lock for Passwords affiliation form to request verification of your app association. Verification can take a few days.
When verification has completed, users of your app can save their credentials on either your app or your website and be automatically signed in to both.
Example: Associate multiple apps with a website
You can associate multiple apps with a website by specifying each app in the
Digital Assets Link file. For example, to associate the com.example and
com.example.pro apps with the site at https://signin.example.com/, specify
both apps in the JSON file hosted at
https://signin.example.com/.well-known/assetlinks.json:
[{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "web",
"site": "https://signin.example.com"
}
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "android_app",
"package_name": "com.example",
"sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
]
}
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "android_app",
"package_name": "com.example.pro",
"sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
]
}
}]
Then, declare the association in both apps:
-
Add the following line to the manifest file under
<application>:<meta-data android:name="asset_statements" android:resource="@string/asset_statements" /> -
Add the following string resource to the
strings.xmlfile:<string name="asset_statements" translatable="false"> [{ \"include\": \"https://signin.example.com/.well-known/assetlinks.json\" }] </string>
Example: Associate apps with multiple websites
You can associate apps with multiple websites by specifying each website in the
Digital Assets Link file and hosting the file on each website. For example, to
associate the com.example and com.example.pro apps with the site at
https://signin.example.com/ and https://m.example.com/, specify
both apps and both sites in the JSON file hosted at
https://signin.example.com/.well-known/assetlinks.json:
[{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "web",
"site": "https://signin.example.com"
}
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "web",
"site": "https://m.example.com"
},
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "android_app",
"package_name": "com.example",
"sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
]
}
},{
"relation": ["delegate_permission/common.get_login_creds"],
"target": {
"namespace": "android_app",
"package_name": "com.example.pro",
"sha256_cert_fingerprints": [
"F2:52:4D:82:E7:1E:68:AF:8C:BC:EA:B0:A2:83:C8:FE:82:51:CF:63:09:6A:4C:64:AE:F4:43:27:20:40:D2:4B"
]
}
}]
Then, in the JSON file hosted at
https://m.example.com/.well-known/assetlinks.json, include the primary Digital
Asset Links file:
[{
"include": "https://signin.example.com/.well-known/assetlinks.json"
}]
Finally, declare the association in both apps:
-
Add the following line to the manifest file under
<application>:<meta-data android:name="asset_statements" android:resource="@string/asset_statements" /> -
Add the following string resource to the
strings.xmlfile:<string name="asset_statements" translatable="false"> [{ \"include\": \"https://signin.example.com/.well-known/assetlinks.json\" }] </string>