The newest version of Google Identity Toolkit has been released as Firebase Authentication. It includes upgraded client SDKs, open source UI libraries, session management, and an integrated email sending service for forgotten password flows.
New projects should use Firebase Authentication. To migrate an existing project from Identity Toolkit to Firebase Authentication, see the migration guide.
From the project drop-down, select an existing
or create a new one. The API Console groups your information by
“project”, which bundles associated websites, Android apps, and iOS apps.
For the Identity Toolkit API, any websites or apps in the same project will share
the same user database.
Enable the Identity Toolkit API service:
In the list of Google APIs, search for the Identity Toolkit API service.
Select Identity Toolkit API from the results list.
Select Enable API.
When the process completes, Identity Toolkit API appears in the list of enabled APIs.
To view the list, select APIs & Services on the left sidebar menu, then select the
Enabled APIs tab.
Next, you need to set up the screen Google will show the user when you request
the user's email address. In the left-side menu under "APIs & Services",
select Credentials, then select the OAuth consent screen tab.
Choose an Email Address, enter your website/app's name as the
Product Name, and select Save.
Once saved, you end up on the Credentials tab.
Next, set up your OAuth2 client ID for registering as an app that accepts
Google for sign-in.
In the Credentials tab, select the Create credentials
drop-down, then select OAuth client ID.
Under Application type, select Web application. A web server is
currently required to enable full functionality, even for mobile-only applications,
because some identity providers do not have native SDKs.
Enter a client ID Name, then enter the Restrictions as
This is the URL of your site. For example, if your site is
https://yoursite.com, enter that in the box. (Note that you may add multiple
entries if your site can be accessed at multiple URLs.)
Authorized redirect URIs
When you send your users to authenticate with an identity provider like
Google or Yahoo, the identity provider needs a page to return to when
authentication is complete. Typically this is called an Authorized Redirect
or a Callback. With Identity Toolkit this will also be where your sign-in
page is displayed. You may use whichever URL you would like.
(Usually https://yoursite.com/callback is fine unless you prefer something
Once you've completed these fields, select Create.
Now, create a service account.
Select the Create credentials drop-down again (you should still be on the
Credentials tab), then select Service account key.
From the Service account drop-down, select an existing service account
or create a new one.
For Key type, select the
key option, then select Create. The file automatically downloads
to your computer.
In the resulting pop-up window, make note of the private key's
password, then select Close. Put the *.p12 file you just downloaded in a
directory of your choosing. This directory must be private (do not let
anyone else get access to it), but accessible to your web server code.
Next, create a Browser API key so that your app can access Google APIs.
Select the Create credentials drop-down, then select
From the "Create a new key" pop-up, select Browser key, and optionally
set your site's URL as the allowed referrer.
You're almost there! You just need to decide which sign-in options to support.
On the left-side menu, return to the APIs list by selecting APIs & Services.
Select the Enabled APIs tab.
From the list of enabled APIs, find the Identity Toolkit API, then select the
gear icon to the right of the name. This action opens your sign-in page
In the URL Configuration section of the screen, declare your URLs:
From the drop-down, select a URL. This is the URL you entered earlier in
the Client ID for Web application, under "Authorized Redirect URIs".
This is the URL where your sign in page will appear, and it is also
the URL you need to register with identity providers as your
Sign-in Success URL
This is where users are sent after they successfully sign in. This
URL will need to validate the Identity Toolkit API token and then
begin an authenticated session however you see fit. Many web application
frameworks will generate a session cookie for you.
If you choose to use the User Card Widget, when the user clicks
the sign out button, they are redirected to this URL.
Send Email URL
Sometimes it may be necessary to contact the user to confirm a
password reset or email change. Because of email source verification
in use by many email providers, these emails must originate from your
server in order to avoid being marked as spam or suspicious.
Identity Toolkit API will send a POST request to this URL with email
address and the content of the message, and you will need to send
In the Providers section, choose which identity providers you
want to support. Some identity providers require registration. Select the
provider name or down arrow to view provider options/requirements.
Under "Callback URL" you will have to write the URL to where you will
be hosting Identity Toolkit. For this demo that will be
Once the app is created:
From your app dashboard go to "Keys and Access Tokens" and copy the
Consumer key and Consumer secret.
Then, in the API Console Identity Toolkit API configuration page,
enable Twitter as a provider and paste in your Consumer Key and Secret.
Make sure to save your settings!
There are two code snippets at the bottom of the page. The first
The second snippet should be saved in your server side code directory as
The server side configuration file needs to be further configured before
use. Open the file for editing and change the serviceAccountPrivateKeyFile
setting to be equal to the path of the *.p12 or *.json file you downloaded earlier.
You should use the full path, beginning with / and ending with
the full name of the *.p12 or *.json file.
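The following check is an added example, not part of the original guide or of Identity Toolkit itself. It tests the serviceAccountPrivateKeyFile value against the requirements stated above: a full path beginning with /, ending in the *.p12 or *.json file name, stored in a private location, and readable by the web server code. It assumes the server-side configuration file parses as JSON and that you pass its path and your web root on the command line; the function name and messages are hypothetical.

```python
import json
import os
import stat
import sys

KEY_SETTING = "serviceAccountPrivateKeyFile"  # setting named in this guide


def check_key_file(config, web_root):
    """Return a list of problems with the configured key path (empty = OK)."""
    path = config.get(KEY_SETTING)
    if not path:
        return [f"{KEY_SETTING} is not set"]
    problems = []
    if not path.startswith("/"):
        problems.append("path is not absolute (must begin with /)")
    if not path.endswith((".p12", ".json")):
        problems.append("path does not end with the *.p12 or *.json file name")
    if not os.path.isfile(path):
        return problems + ["key file does not exist"]
    real = os.path.realpath(path)
    root = os.path.realpath(web_root)
    # A key stored under the document root can be downloaded by any visitor.
    if os.path.commonpath([real, root]) == root:
        problems.append("key file is inside the web root")
    # "Private": no permission bits for 'other' on the file or its directory.
    for target in (real, os.path.dirname(real)):
        if stat.S_IMODE(os.stat(target).st_mode) & 0o007:
            problems.append(f"{target} has permissions set for all local users")
    # "Accessible to your web server code": run this as the server's user.
    if not os.access(real, os.R_OK):
        problems.append("key file is not readable by the current user")
    return problems


if __name__ == "__main__":
    # Usage: python check_key.py <server-config-file> <web-root>
    with open(sys.argv[1]) as fh:
        cfg = json.load(fh)
    issues = check_key_file(cfg, sys.argv[2])
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

Run it as the account your web server code runs under, so the readability check reflects what the server will actually see.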