The newest version of Google Identity Toolkit has been released as Firebase Authentication. It includes upgraded client SDKs, open source UI libraries, session management and integrated email sending service for forgotten password flows.

New projects should use Firebase Authentication. To migrate an existing project from Identity Toolkit to Firebase Authentication, see the migration guide.

Relyingparty: verifyAssertion

Verifies the assertion returned by the IdP.


HTTP request


Request body

In the request body, supply data with the following structure:

  "requestUri": string,
  "postBody": string,
  "pendingIdToken": string
Property name Value Description Notes
requestUri string The URI to which the IDP redirects the user back. It may contain federated login result params added by the IDP.
postBody string The post body if the request is a HTTP POST.
pendingIdToken string The GITKit token for the non-trusted IDP pending to be confirmed by the user.


If successful, this method returns a response body with the following structure:

  "kind": "identitytoolkit#VerifyAssertionResponse",
  "federatedId": string,
  "providerId": string,
  "localId": string,
  "emailRecycled": boolean,
  "emailVerified": boolean,
  "email": string,
  "inputEmail": string,
  "originalEmail": string,
  "oauthRequestToken": string,
  "oauthScope": string,
  "firstName": string,
  "lastName": string,
  "fullName": string,
  "nickName": string,
  "displayName": string,
  "idToken": string,
  "action": string,
  "language": string,
  "timeZone": string,
  "photoUrl": string,
  "dateOfBirth": string,
  "context": string,
  "verifiedProvider": [
  "needConfirmation": boolean
Property name Value Description Notes
kind string The fixed string "identitytoolkit#VerifyAssertionResponse".
federatedId string The unique ID identifies the IdP account.
providerId string The IdP ID. For white listed IdPs it's a short domain name e.g.,, and If the "providerId" param is set to OpenID OP identifer other than the whilte listed IdPs the OP identifier is returned. If the "identifier" param is federated ID in the createAuthUri request. The domain part of the federated ID is returned.
localId string The RP local ID if it's already been mapped to the IdP account identified by the federated ID.
emailRecycled boolean It's true if the email is recycled.
emailVerified boolean The value is true if the IDP is also the email provider. It means the user owns the email.
email string The email returned by the IdP. NOTE: The federated login user may not own the email.
inputEmail string It's the identifier param in the createAuthUri request if the identifier is an email. It can be used to check whether the user input email is different from the asserted email.
originalEmail string The original email stored in the mapping storage. It's returned when the federated ID is associated to a different email.
oauthRequestToken string The user approved request token for the OpenID OAuth extension.
oauthScope string The scope for the OpenID OAuth extension.
firstName string The first name of the user.
lastName string The last name of the user.
fullName string The full name of the user.
nickName string The nick name of the user.
displayName string The display name of the user.
idToken string The ID token.
action string The action code.
language string The language preference of the user.
timeZone string The timezone of the user.
dateOfBirth string The birth date of the IdP account.
context string The opaque value used by the client to maintain context info between the authentication request and the IDP callback.
verifiedProvider[] list When action is 'map', contains the idps which can be used for confirmation.
photoUrl string The URI of the public accessible profiel picture.
needConfirmation boolean Whether the assertion is from a non-trusted IDP and need account linking confirmation.