In May 2016, we released the newest version of Google Identity Toolkit as Firebase Authentication, and in April 2019, we released Google Cloud's Identity Platform. These products include upgraded client SDKs, open source UI libraries, session management and integrated email sending service for forgotten password flows.

On June 30, 2020, the SDKs documented on this page and the API setting page will stop functioning. (The and endpoints, used by Identity Platform and Firebase Authentication, will continue to function.)

To migrate an existing project from Identity Toolkit, see the Identity Platform migration guide or Firebase Authentication migration guide.

Quick-start App for Go

This quick-start app lets you get started with Google Identity Toolkit on Go in about 30 minutes.

Before beginning you will need the following:

Google Cloud SDK

App Engine SDK for Go

Step 1: Configure the Google Identity Toolkit API

This quickstart guide will set up a basic website that will allow username/password, Google, Yahoo, and (optionally) Facebook login.

  1. Go to the Google API Console API Library.
  2. From the project drop-down, select an existing project, or create a new one. The API Console groups your information by “project” which bundles associated websites, Android apps, and iOS apps. For the Identity Toolkit API, any websites or apps in the same project will share the same user database.
  3. Enable the Identity Toolkit API service:
    1. In the list of Google APIs, search for the Identity Toolkit API service.
    2. Select Identity Toolkit API from the results list.
    3. Select Enable API.
    When the process completes, Identity Toolkit API appears in the list of enabled APIs. To view the list, select APIs & Services on the left sidebar menu, then select the Enabled APIs tab.
  4. Next, you need to set up the screen Google will show the user when you request the user's email address. In the left-side menu under "APIs & Services", select Credentials, then select the OAuth consent screen tab.
    1. Choose an Email Address, enter your website/app's name as the Product Name, and select Save.
    Once saved, you end up on the Credentials tab.
  5. Next, set up your OAuth2 client ID for registering as an app that accepts Google for sign-in.
    1. In the Credentials tab, select the Create credentials drop-down, then select OAuth client ID.
    2. Under Application type, select Web application. A web server is currently required to enable full functionality, even for mobile-only applications, because some identity providers do not have native SDKs.
    3. Enter a client ID Name, then enter the Restrictions as described below:
      • Authorized JavaScript Origins
        For this quick-start app, set this to: http://localhost:8080
        This is the URL of your site. For example, if your site is, enter that in the box. (Note that you may add multiple entries if your site can be accessed at multiple URLs.)
      • Authorized redirect URIs
        For this quick-start app, set this to: http://localhost:8080/gitkit
        When you send your users to authenticate with an identity provider like Google or Yahoo, the identity provider needs a page to return to when authentication is complete. Typically this is called an Authorized Redirect or a Callback. With Identity Toolkit this will also be where your sign-in page is displayed. You may use whichever URL you would like. (Usually is fine unless you prefer something else)
    4. Once you've completed these fields, select Create.
  6. Now, create a service account.
    1. Select the Create credentials drop-down again (you should still be on the Credentials tab), then select Service account key.
    2. From the Service account drop-down, select an existing service account or create a new one.
    3. For Key type, select the JSON key option, then select Create. The file automatically downloads to your computer.
    4. Put the *.json file you just downloaded in a directory of your choosing. This directory must be private (you can't let anyone get access to this), but accessible to your web server code.
  7. Next, create a Browser API key so that your app can access Google APIs.
    1. Select the Create credentials drop-down, then select API key.
    2. From the "Create a new key" pop-up, select Browser key, and optionally set your site's URL as the allowed referrer.
    3. Select Create.
  8. Finally, create a Server API key.
    • Select the Create credentials drop-down, then select API key.
    • From the "Create a new key" pop-up, select Server key, and optionally set the allowed IP addresses.
    • Select Create.
  9. You're almost there! You just need to decide which sign-in options to support.
    1. On the left-side menu, return to the APIs list by selecting APIs & Services.
    2. Select the Enabled APIs tab.
    3. From the list of enabled APIs, find the Identity Toolkit API, then select the gear icon to the right of the name. This action opens your sign-in page configuration.
      • In the URL Configuration section of the screen, declare your URLs:
        • Widget URL
          From the drop-down, select a URL. This is the URL you entered earlier in the Client ID for Web application, under "Authorized Redirect URIs". This is the URL where your sign in page will appear, and it is also the URL you need to register with identity providers as your "Redirect URI".
          For this quick-start app, set this to: /gitkit
        • Sign-in Success URL
          This is where users are sent after they successfully sign in. This URL will need to validate the Identity Toolkit API token and then begin an authenticated session however you see fit. Many web application frameworks will generate a session cookie for you.
          For this quick-start app, set this to: /
        • Sign-out URL
          If you choose to use the User Card Widget, when the user clicks the sign out button, they are redirected to this URL.
          For this quick-start app, set this to: /signOut
        • Send Email URL
          Sometimes it may be necessary to contact the user to confirm a password reset or email change. Because of email source verification in use by many email providers, these emails must originate from your server in order to avoid being marked as spam or suspicious. Identity Toolkit API will send a POST request to this URL with email address and the content of the message, and you will need to send the email.
          For this quick-start app, set this to: /oobAction
    4. In the Providers section, choose which identity providers you want to support. Some identity providers require registration. Select the provider name or down arrow to view provider options/requirements.
    5. (Optional) Configure Facebook login
      1. Go to the Facebook developer page, register or log in, then select My Apps->Add a New App.
      2. Choose the "Website" platform
      3. At the "Setup SDK" part of the quickstart, enter your Site URL. For this demo, that will be http://localhost:8080/gitkit. Click next. You do not need to use their code snippet.
      4. Once the app is set up:
        • Go to the Dashboard for your app and enter the Facebook App ID as the Client ID.
        • In the API Console Identity Toolkit API configuration page, enable Facebook as a provider and enter the Facebook App ID and App Secret.
    6. (Optional) Configure Twitter login
      1. Go to the Twitter Application Management page and create a new app.
      2. Under "Callback URL" you will have to write the URL to where you will be hosting Identity Toolkit. For this demo that will be
      3. Once the app is created:
        • From your app dashboard go to "Keys and Access Tokens" and copy the Consumer key and Consumer secret.
        • Then, in the API Console Identity Toolkit API configuration page, enable Twitter as a provider and paste in your Consumer Key and Secret.
    7. Make sure to save your settings!
    8. There are two code snippets at the bottom of the page. The first snippet helps make the JavaScript configuration easy for your website. The second snippet should be saved in your server side code directory as gitkit-server-config.json.
    9. The server side configuration file needs to be further configured before use. Open the file for editing and change serviceAccountPrivateKeyFile setting to be equal to the path of the *.p12 or *.json file you downloaded earlier. You should use the full path, beginning with / and ending with the full name of the *.p12 or *.json file.

Step 2: Configure the quick-start app

    1. Download the Google Identity Toolkit Go quickstart and unzip it into your Go workspace.

    You can also find the source code for this quick-start or the client library on Github.

    1. Convert the .p12 file you downloaded earlier to a .pem encoding. You can convert the file using the openssl tool:

      openssl pkcs12 -in <key.p12> -nocerts -passin pass:notasecret -nodes -out <key.pem>
    2. Set the Identity Toolkit configurations.

      1. In the favweekday.go file, find the const declarations for Identity Toolkit.
      2. Replace the placeholder strings with the following values
        • browserAPIKey: API KEY value under the Key for browser applications
        • serverAPIKey: API KEY value under the Key for server applications
        • clientID: your OAuth CLIENT ID under the Client ID for web application
        • serviceAccount: the EMAIL ADDRESS for your OAuth Service Account
        • privateKeyPath: the path to your PEM encoded private key file

      Note that the service account and private key are needed for running the app in dev appserver. If you deploy it to App Engine, they are not required, so you can keep the private key in a safe location in your dev environment and do not need to upload it.

      There are also three keys used in this sample app for session cookie authentication, encryption and XSRF token signing. They are only for demonstration and not secure. Be sure to use real secure keys in your prod app.

    3. Run the script, which fetches the libraries this sample app needs.

    4. Run the sample app (assuming your current working directory is favweekday). --enable_sendmail=yes .
    5. (Optional) Deploy the sample app

      1. Update the application field in app.yaml to use your App Engine app ID
      2. Execute the deploy command

        goapp deploy
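
One way to act on the Step 2 note about replacing the three demonstration keys, as an added example that is not code from the quick-start app. The environment variable names, the 32-byte key length and the functions newKey and loadKeys are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Hypothetical variable names for the cookie authentication, cookie
// encryption and XSRF signing keys (the quick-start keeps them as constants).
var keyEnvs = []string{"COOKIE_AUTH_KEY", "COOKIE_ENC_KEY", "XSRF_KEY"}

const keyLen = 32 // bytes; fits HMAC-SHA256 and AES-256 (a choice made here)

// newKey returns keyLen bytes from the OS CSPRNG, base64-encoded for storage.
func newKey() string {
	b := make([]byte, keyLen)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: do not continue with a weak key
	}
	return base64.StdEncoding.EncodeToString(b)
}

// loadKeys decodes the three keys via getenv and fails if one is missing,
// malformed, of the wrong length, or reused for a second purpose.
func loadKeys(getenv func(string) string) (map[string][]byte, error) {
	keys := make(map[string][]byte)
	for _, env := range keyEnvs {
		key, err := base64.StdEncoding.DecodeString(getenv(env))
		if err != nil || len(key) != keyLen {
			return nil, fmt.Errorf("%s: want %d base64-encoded bytes", env, keyLen)
		}
		for name, other := range keys {
			if bytes.Equal(key, other) {
				return nil, fmt.Errorf("%s reuses the value of %s", env, name)
			}
		}
		keys[env] = key
	}
	return keys, nil
}

// main prints one fresh key per variable as NAME=value lines.
func main() {
	for _, name := range keyEnvs {
		fmt.Printf("%s=%s\n", name, newKey())
	}
}
```

At startup the app would call loadKeys(os.Getenv) and refuse to serve if it returns an error, so an unset or placeholder key never reaches production.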

Next steps