The Google Workspace Client-side Encryption API is currently in Restricted Beta. Apply for access

Authentication tokens

Bearer token (JWT: RFC 7516) issued by the identity partner (IdP) to attest a user's identity.

JSON representation
{
  "aud": string,
  "email": string,
  "exp": string,
  "iat": string,
  "iss": string,
  ...
}
Fields
aud

string

The audience, as identified by the IdP. Should be checked against the local configuration.

email

string (UTF-8)

The user's email address.

exp

string

Expiration time.

iat

string

Issuance time.

iss

string

The token issuer. Should be validated against the trusted set of authentication issuers.

...

Your KACLS is free to use any other claims (location, custom claim, etc) to evaluate the perimeter.