In May 2016, we released the newest version of Google Identity Toolkit as Firebase Authentication, and in April 2019, we released Google Cloud's Identity Platform. These products include upgraded client SDKs, open source UI libraries, session management and integrated email sending service for forgotten password flows.

On June 30, 2020, the SDKs documented on this page and the API setting page will stop functioning. (The and endpoints, used by Identity Platform and Firebase Authentication, will continue to function.)

To migrate an existing project from Identity Toolkit, see the Identity Platform migration guide or Firebase Authentication migration guide.

Quick-start App for Node.js

This quick-start app lets you get started with Google Identity Toolkit on Node.js in about 30 minutes.

Before beginning you will need the following:


Step 1: Configure the Google Identity Toolkit API

This quickstart guide will set up a basic website that will allow username/password, Google, Yahoo, and (optionally) Facebook login.

  1. Go to the Google API Console API Library.
  2. From the project drop-down, select an existing project, or create a new one. The API Console groups your information by “project” which bundles associated websites, Android apps, and iOS apps. For the Identity Toolkit API, any websites or apps in the same project will share the same user database.
  3. Enable the Identity Toolkit API service:
    1. In the list of Google APIs, search for the Identity Toolkit API service.
    2. Select Identity Toolkit API from the results list.
    3. Select Enable API.
    When the process completes, Identity Toolkit API appears in the list of enabled APIs. To view the list, select APIs & Services on the left sidebar menu, then select the Enabled APIs tab.
  4. Next, you need to set up the screen Google will show the user when you request the user's email address. In the left-side menu under "APIs & Services", select Credentials, then select the OAuth consent screen tab.
    1. Choose an Email Address, enter your website/app's name as the Product Name, and select Save.
    Once saved, you end up on the Credentials tab.
  5. Next, set up your OAuth2 client ID for registering as an app that accepts Google for sign-in.
    1. In the Credentials tab, select the Create credentials drop-down, then select OAuth client ID.
    2. Under Application type, select Web application. A web server is currently required to enable full functionality, even for mobile-only applications, because some identity providers do not have native SDKs.
    3. Enter a client ID Name, then enter the Restrictions as decribed below:
      • Authorized JavaScript Origins
        For this quick-start app, set this to: http://localhost:8000
        This is the URL of your site. For example, if your site is, enter that in the box. (Note that you may add multiple entries if your site can be accessed at multiple URLs.)
      • Authorized redirect URIs
        For this quick-start app, set this to: http://localhost:8000/gitkit
        When you send your users to authenticate with an identity provider like Google or Yahoo, the identity provider needs a page to return to when authentication is complete. Typically this is called an Authorized Redirect or a Callback. With Identity Toolkit this will also be where your sign-in page is displayed. You may use whichever URL you would like. (Usually is fine unless you prefer something else)
    4. Once you've completed these fields, select Create.
  6. Now, create a service account.
    1. Select the Create credentials drop-down again (you should still be on the Credentials tab), then select Service account key.
    2. From the Service account drop-down, select an existing service account or create a new one.
    3. For Key type, select the P12 key option, then select Create. The file automatically downloads to your computer.
    4. In the resulting pop-up window, make note of the private key's password, then select Close. Put the *.p12 file you just downloaded in a directory of your choosing. This directory must be private (you can't let anyone get access to this), but accessible to your web server code.
  7. Next, create a Browser API key so that your app can access Google APIs.
    1. Select the Create credentials drop-down, then select API key.
    2. From the "Create a new key" pop-up, select Browser key, and optionally set your site's URL as the allowed referrer.
    3. Select Create.
  8. You're almost there! You just need to decide which sign-in options to support.
    1. On the left-side menu, return to the APIs list by selecting APIs & Services.
    2. Select the Enabled APIs tab.
    3. From the list of enabled APIs, find the Identity Toolkit API, then select the gear icon to the right of the name. This action opens your sign-in page configuration.
      • In the URL Configuration section of the screen, declare your URLs:
        • Widget URL
          From the drop-down, select a URL. This is the URL you entered earlier in the Client ID for Web application, under "Authorized Redirect URIs". This is the URL where your sign in page will appear, and it is also the URL you need to register with identity providers as your "Redirect URI".
          For this quick-start app, set this to: /gitkit
        • Sign-in Success URL
          This is where users are sent after they successfully sign in. This URL will need to validate the Identity Toolkit API token and then begin an authenticated session however you see fit. Many web application frameworks will generate a session cookie for you.
          For this quick-start app, set this to: /
        • Sign-out URL
          If you choose to use the User Card Widget, when the user clicks the sign out button, they are redirected to this URL.
          For this quick-start app, set this to: /
        • Send Email URL
          Sometimes it may be necessary to contact the user to confirm a password reset or email change. Because of email source verification in use by many email providers, these emails must originate from your server in order to avoid being marked as spam or suspicious. Identity Toolkit API will send a POST request to this URL with email address and the content of the message, and you will need to send the email.
          For this quick-start app, set this to: /sendemail
    4. In the Providers section, choose which identity providers that you want to support. Some identity providers require registration. Select the provider name or down arrow to view provider options/requirements.
    5. (Optional) Configure Facebook login
      1. Go to the Facebook developer page register or log in, then select My Apps->Add a New App
      2. Choose the "Website" platform
      3. At the "Setup SDK" part of the quickstart, enter your Site URL. For this demo, that will be http://localhost:8000/gitkit. Click next. You do not need to use their code snippet.
      4. Once the app is set up:
        • Go to the Dashboard for your app and enter the Facebook App ID as the Client ID.
        • In the API Console Identity Toolkit API configuration page, enable Facebook as a provider and enter the Facebook App ID and App Secret.
    6. (Optional) Configure Twitter login
      1. Go to the Twitter Application Management page and create a new app.
      2. Under "Callback URL" you will have to write the URL to where you will be hosting Identity Toolkit. For this demo that will be
      3. Once the app is created:
        • From your app dashboard go to "Keys and Access Tokens" and copy the Consumer key and Consumer secret.
        • Then, in the In the API Console Identity Toolkit API configuration page, enable Twitter as a provider and paste in your Consumer Key and Secret.
    7. Make sure to save your settings!
    8. There are two code snippets at the bottom of the page. The first snippet helps make the JavaScript configuration easy for your website. The second snippet should be saved in your server side code directory as gitkit-server-config.json.
    9. The server side configuration file needs to be further configured before use. Open the file for editing and change serviceAccountPrivateKeyFile setting to be equal to the path of the *.p12 or *.json file you downloaded earlier. You should use the full path, beginning with / and ending with the full name of the *.p12 or *.json file.

    Step 2: Configure the quick-start app

    1. Execute the following commands to install the necessary Node.js dependencies

      npm install googleapis
      npm install express
      npm install cookie-parser
      npm install body-parser
      npm install gitkitclient
    2. Download the Quickstart and unzip it. You can also view the code on Github.

    3. Convert the .p12 file you downloaded earlier to a .pem encoding. You can convert the file using the openssl tool:

      openssl pkcs12 -in <key.p12> -nocerts -passin pass:notasecret -nodes -out <key.pem>
    4. Copy the server-side configuration file gitkit-server-config.json that you created at the end of Step 1 into the quickstart folder.

    5. Edit this gitkit-server-config.json file and set serviceAccountPrivateKeyFile to the full path location of the *.pem file that you created earlier.

    6. Modify widget.html by making two modifications to the config variable as indicated in the comments. You will need to copy from the client side configuration file in Developer Console. Also change the 'JAVASCRIPT_ESCAPED_POST_BODY' string to decodeURIComponent('%%postBody%%'). An example is below.

      <!DOCTYPE html>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <!-- Copy and paste here the Client configuration from Developer Console into the config variable -->
      <script type="text/javascript" src="//"></script>
      <link type="text/css" rel="stylesheet" href="//" />
      <script type="text/javascript">
        var config =
          // Copy and paste client configuration here
        // The HTTP POST body should be escaped by the server to prevent XSS
            '#gitkitWidgetDiv', // accepts any CSS selector
      <!-- End modification -->
      <!-- Include the sign in page widget with the matching 'gitkitWidgetDiv' id -->
      <div id="gitkitWidgetDiv"></div>
      <!-- End identity toolkit widget -->
    7. Run the app with the following command

      node example-app.js

    Visit http://localhost:8000 to use the demo app.

    Next steps