Token types

Google Cloud issues multiple types of tokens, which differ by their purpose and the parties they're exchanged between.

The following table gives an overview of the main token categories, within which are different token types.

Token category Communication path Purpose
Access tokens Authorization server Client Google API Lets clients call Google Cloud APIs.
Token-granting tokens Authorization server Client Lets clients obtain new or different tokens, possibly at a later point in time.
Identity tokens Authorization server Client Lets clients identify the user they're interacting with.

Access and identity tokens are bearer tokens. Bearer tokens are a general class of token that grant access to the party in possession of the token.

Using bearer tokens for authentication relies on the security provided by an encrypted protocol, such as HTTPS. If a bearer token is intercepted, it can be used by a bad actor to gain access.

If bearer tokens don't provide sufficient security for your use case, you can decrease the risk of token theft by using context-aware access, limiting the lifetime of access tokens, or by using a mutual Transport Layer Security (mTLS) solution such as Chrome Enterprise Premium.

Access tokens

Access tokens allow clients to make authenticated calls to Google Cloud APIs. Google Cloud supports multiple different types of access tokens, which have the following properties in common:

  • They authenticate a principal, which can be a user or a workload.

  • They're issued to one particular client.

  • They're short-lived and expire after at most a few hours.

  • They're restricted to certain OAuth scopes, endpoints, or resources. This means that an access token typically doesn't grant access to all of a user's resources, but only to a certain subset of them.

Access tokens can differ in the following ways:

  • Issuer: The party that issues the token.

  • Principal: The type of principal that the token can authenticate.

  • Restrictions: The restrictions that can be imposed on the token.

The following table lists the different types of access tokens:

Token type Issuer Principals Restrictions
User access token Google authorization server
  • User (managed user)
  • User (consumer account)
OAuth scope
Service account access token
  • Google authorization server
  • Google Cloud IAM authorization server
Service account OAuth scope
Domain-wide delegation token Google authorization server User (managed user) OAuth scope
Service account JSON Web Token (JWT) Client Service account OAuth scope or API
Federated access token Google Cloud IAM authorization server
  • Workforce identity pool principal
  • Workload identity pool principal
OAuth scope
Credential access boundary token Google Cloud IAM authorization server
  • User (managed user)
  • User (consumer account)
  • Service account
Specific Cloud Storage objects
Client-issued credential access boundary token Client Service account Specific Cloud Storage objects

The different types of access tokens also exhibit different security properties:

  • Format: Some access tokens are opaque, meaning they are in a proprietary format and can't be inspected. Other tokens are encoded as a JSON Web Token, which can be decoded by the client.

  • Introspectability: Some opaque tokens can be introspected using the Google Cloud API, whereas others can't.

  • Lifetime: Tokens differ in lifetime and to what extent they can be modified.

  • Revocability: Some tokens can be revoked. Other tokens remain valid until expiry.

The following table summarizes the differences between the access token types.

Token type Format Introspectable Lifetime Revocable
User access token Opaque Yes 1 hour Yes
Service account access token Opaque Yes 5 minutes–12 hours No
Domain-wide delegation token Opaque Yes 1 hour No
Service account JSON Web Token (JWT) JWT N/A 5 minutes–1 hour No
Federated access token Opaque No See Federated access tokens No
Credential access boundary token Opaque No See Credential access boundary tokens No
Client-issued credential access boundary token Opaque No N/A No

User access tokens

User access tokens authenticate a user and authorize a client to act on the user's behalf:

The authenticated principal is either a managed user account or a consumer account. The client can be a web application or a native application.

User access tokens are opaque. For diagnostic purposes, you can introspect an access token by using the following command, replacing ACCESS_TOKEN with a valid access token:

curl "https://oauth2.googleapis.com/tokeninfo?access_token=ACCESS_TOKEN"

This command produces output similar to the following example:

{
  "azp": "0000000000.apps.googleusercontent.com",
  "aud": "0000000000.apps.googleusercontent.com",
  "sub": "00000000000000000000",
  "scope": "openid https://www.googleapis.com/auth/userinfo.email",
  "exp": "1744687132",
  "expires_in": "3568",
  "email": "user@example.com",
  "email_verified": "true"
}

The output includes the following fields:

Field Name Description
aud Audience

The OAuth client that this token is for, identified by its OAuth client ID.

OAuth clients can obtain access tokens for other OAuth clients that belong to the same project. The audience might differ from the authorized party.

azp Authorized party The OAuth client that requested the token, identified by its OAuth client ID.
email Primary email address

The user's primary email address.

This field is only present if the token includes the https://www.googleapis.com/auth/userinfo.email scope.

exp Expiry The expiry time of the token, in Unix epoch time format.
scope OAuth scopes The set of APIs that the client is allowed to access on behalf of the user, identified by OAuth scope.
sub Subject

The authenticated principal, identified by their unique ID.

This ID is equivalent to the ID exposed in the Directory API.

User access tokens automatically expire after one hour, but can be revoked earlier if needed.

By default, user access tokens are bearer tokens, which means they're not bound to any particular communication channel, network, or additional credential. You can optionally implement token binding by deploying certificate-based access so that user access tokens can only be used in conjunction with a valid mTLS client certificate.

Service account access tokens

Service account access tokens authenticate a service account. The tokens are opaque and you can introspect them using the https://oauth2.googleapis.com/tokeninfo API.

For a service account access token, the API returns output similar to the following example:

{
  "azp": "000000000000000000000",
  "aud": "000000000000000000000",
  "scope": "https://www.googleapis.com/auth/userinfo.email",
  "exp": "1744687132",
  "expires_in": "3568",
  "email": "service-account@example.iam.gserviceaccount.com",
  "email_verified": "true",
  "access_type": "online"
}

A service account token includes the following fields:

Field Name Description
aud Audience The service account that the token is for, equivalent to the authorized party.
azp Authorized party The service account that requested the token, identified by its unique ID.
email Primary email address

The service account's email address.

This field is only present if the token includes the https://www.googleapis.com/auth/userinfo.email scope.

exp Expiry The expiry time of the token, in Unix epoch time format.

Service account access tokens can't be revoked and stay valid until they expire.

By default, service account access tokens expire after one hour. By using the serviceAccounts.generateAccessToken method, you can request tokens with different lifetimes. Because longer token lifetimes can increase risk, you must configure the iam.allowServiceAccountCredentialLifetimeExtension constraint to allow clients to request service account access tokens with lifetimes longer than one hour.

Domain-wide delegation tokens

Domain-wide delegation tokens authenticate a user and authorize a service account to act on the user's behalf. The tokens are opaque and you can introspect them using the https://oauth2.googleapis.com/tokeninfo API.

For a domain-wide delegation token, the API returns output similar to the following example:

{
  "azp": "000000000000000000000",
  "aud": "000000000000000000000",
  "scope": "https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/userinfo.email",
  "exp": "1744688957",
  "expires_in": "3540",
  "email": "user@example.com",
  "email_verified": "true",
  "access_type": "offline"
}

A domain-wide delegation token includes the following fields:

Field Name Description
aud Audience The service account that the token is for, equivalent to the authorized party.
azp Authorized party The service account that requested the token, identified by its unique ID.
email Primary email address

The impersonated user's primary email address.

This field is only present if the token includes the https://www.googleapis.com/auth/userinfo.email scope.

exp Expiry The expiry time of the token, in Unix epoch time format.
scope OAuth scopes The set of APIs that the client is allowed to access on behalf of the impersonated user, identified by OAuth scope.

Domain-wide delegation tokens automatically expire after one hour, and they can't be revoked.

Service account JSON Web Tokens

Service account JSON Web Tokens (JWTs) authenticate a service account. Whereas service account access tokens are issued by an authorization server, service account JWTs can be issued by the client itself.

Sometimes these are called "self-signed" JWTs. They can be useful when you need to authenticate to some Google APIs without getting an access token from the authorization server—for example, when creating your own client libraries.

To issue a service account JWT, clients must perform the following steps:

  1. Prepare a JSON web signature payload that includes the service account's email address, an OAuth scope or API endpoint, and an expiry time.

  2. Sign the payload using a service account key of the respective service account. Clients can sign the payload offline by using a user-managed service account key, or online by using the signJwt method and a Google-managed service account key. For more information, see Create a self-signed JSON Web Token

A decoded service account JWT looks similar to the following, with SIGNATURE replaced by the token's signature:

{
  "alg": "RS256",
  "kid": "290b7bf588eee0c35d02bf1164f4336229373300",
  "typ": "JWT"
}.{
  "iss": "service-account@example.iam.gserviceaccount.com",
  "sub": "service-account@example.iam.gserviceaccount.com",
  "scope": "https://www.googleapis.com/auth/cloud-platform",
  "exp": 1744851267,
  "iat": 1744850967
}.SIGNATURE

Instead of specifying an OAuth scope in the scope key, a service account JWT can specify an API endpoint in the aud key:

{
  "alg": "RS256",
  "kid": "290b7bf588eee0c35d02bf1164f4336229373300",
  "typ": "JWT"
}.{
  "iss": "service-account@example.iam.gserviceaccount.com",
  "sub": "service-account@example.iam.gserviceaccount.com",
  "aud": "https://cloudresourcemanager.googleapis.com/",
  "exp": 1744854799,
  "iat": 1744851199
}.SIGNATURE

A service account JWT includes the following fields:

Field Name Description
aud Audience API endpoints that the client is allowed to access. Only valid if scope isn't specified.
exp Expiry The expiry time of the token, in Unix epoch time format.
iat Issue time The time the token was issued, in Unix epoch time format.
iss Issuer The issuer of the token, which is the service account itself.
scope OAuth scopes The set of APIs that the client is allowed to access, identified by OAuth scope. Only valid if aud isn't specified.
sub Subject Authenticated principal, which is the service account itself.

Service account JWTs can be valid for up to one hour, and they can't be revoked.

Federated access tokens

Federated access tokens authenticate a workload pool principal or a workforce pool principal.

Workforce Identity Federation lets clients exchange an external token against a federated access token that authenticates a workforce pool principal. The workload identity pool principal is identified by a principal identifier similar to the following:

principal://iam.googleapis.com/locations/global/workforcePools/POOL/subject/raha@altostrat.com.

Workload Identity Federation lets clients exchange an external token against a federated access token that authenticates a workload pool principal. The workload identity pool principal is identified by a principal identifier similar to the following:

principal://iam.googleapis.com/projects/PROJECT/locations/global/workloadIdentityPools/POOL/subject/SUBJECT_ATTRIBUTE_VALUE

Federated access tokens are opaque and can't be introspected. The tokens can't be revoked and remain valid until expiry. The expiries for each token type are based on the following:

  • Workforce Identity Federation sets the token expiry based on the configuration of the workforce identity pool provider configuration.

  • Workload Identity Federation sets the token expiry so that it matches the expiry of the external token.

Credential access boundary tokens

Credential access boundary tokens authenticate a user or service account and include an access boundary. The access boundary restricts the token so that it can only be used to access a defined subset of Cloud Storage resources.

Credential access boundary tokens are sometimes referred to as downscoped because they're derived from an input token, but are more restricted in the resources they grant access to.

The expiry of credential access boundary tokens is derived from the expiry of the input token, which can be a user access token or service account access token. Credential access boundary tokens are opaque and they can't be introspected or revoked.

Client-issued credential access boundary tokens

Client-issued credential access boundary tokens are similar to credential access boundary tokens, but are optimized for scenarios in which clients need to obtain credential access boundary tokens with different access boundaries at high frequency.

Clients can create client-issued credential access boundary tokens locally by using the Cloud Client Libraries and an access boundary intermediary token, which they must refresh periodically.

Client-issued credential access boundary tokens are opaque and they can't be introspected or revoked.

Token-granting tokens

Token-granting tokens allow clients to obtain new or different tokens, possibly at a later time. Google Cloud supports multiple different types of token-granting tokens, and they all have the following in common:

  • They represent a prior authentication.

  • They authenticate a principal, which can be a Google identity (a user or workload) or an external identity.

  • They can be redeemed for an access token.

  • They can't be used for making Google API calls, which distinguishes them from access tokens.

Token-granting tokens can differ in the following ways:

  • Issuer: The party that issues the token.

  • Principal: The type of principal identity that the token can authenticate.

  • Restrictions: The restrictions that can be imposed on the token.

The following table lists the different types of token-granting tokens.

Token type Issuer Redeemed access token type Principals Restrictions
Refresh token Google authorization server User access token
  • User (managed user)
  • User (consumer account)
OAuth scope
Authorization code Google authorization server User access token
  • User (managed user)
  • User (consumer account)
OAuth scope
Service account JSON Web Token assertion Client
  • Domain-wide delegation token
  • Service account access token
  • User (managed user)
  • Service account
OAuth scope
External JSON Web Token External identity provider Federated access token External principal None
External SAML assertion or response External identity provider Federated access token External principal None
Amazon Web Services (AWS) GetCallerIdentity token External identity provider Federated access token External principal None

The different types of token-granting tokens also exhibit different security properties:

  • Format: Some tokens are opaque. Other tokens can be decoded by the client.

  • Lifetime: Tokens differ in lifetime, and to what extent they can be modified.

  • Multi-use: Some token-granting tokens can only be used once. Other tokens can be used multiple times.

  • Revocability: Some tokens can be revoked. Other tokens remain valid until expiry.

The following table summarizes the differences between these properties for token-granting tokens:

Token type Format Lifetime Revocable Multi-use
Refresh token Opaque See Refresh tokens Yes Yes
Authorization code Opaque 10 minutes No No
Service account JSON Web Token assertion JWT 5 minutes–1 hour No Yes
External token or external JSON Web Token JWT Depends on identity provider Depends on identity provider Yes
External SAML assertion or response SAML Depends on identity provider Depends on identity provider Yes
Amazon Web Services (AWS) GetCallerIdentity token Text blob Depends on identity provider Depends on identity provider Yes

Refresh tokens

Refresh tokens are opaque tokens that let clients obtain ID tokens and access tokens for a user, if the user previously authorized a client to act on their behalf.

Refresh tokens are tied to a specific client and can only be used in combination with valid client credentials; for example, a client ID and client secret.

If the client's authorization includes one or more Google Cloud OAuth scopes, then the lifetime of the refresh token is subject to the Google Cloud session length control. Otherwise, refresh tokens remain valid until the user revokes their authorization or other token-revoking events occur.

Authorization codes

Authorization codes are opaque, short-lived tokens. The codes are only intended to be used during user authentication as an intermediary between the client and the Google authorization server.

Like refresh tokens, authorization codes are tied to a client and can only be used in combination with valid client credentials. Unlike refresh tokens, authorization codes can only be used once.

Service account JSON Web Token assertions

Service account JSON Web Tokens (JWTs) assertions assert the identity of a service account. Workloads can use service account JWT assertions to obtain service account access tokens or domain-wide delegation tokens. The service account JWT assertion is signed by a service account key.

A decoded service account JWT assertion looks similar to the following, with SIGNATURE replaced by the token's signature:

{
  "alg": "RS256",
  "kid": "290b7bf588eee0c35d02bf1164f4336229373300",
  "typ": "JWT"
}.{
  "iss": "service-account@example.iam.gserviceaccount.com",
  "scope": "https://www.googleapis.com/auth/devstorage.read_only",
  "aud": "https://oauth2.googleapis.com/token",
  "exp": 1744851267,
  "iat": 1744850967
}.SIGNATURE

Service account JWT assertions are structurally similar to service account JWTs: both types of tokens can be issued by the client itself, and are signed by a service account key. However, the two types of tokens use different payloads, as described in the following table.

Field Service account JWT Service account JWT assertion
aud Google Cloud API, omitted if scope is specified Must be https://oauth2.googleapis.com/token
exp Expiry Expiry
iat Issue time Issue time
iss Email address of the service account Email address of the service account
scope OAuth scopes, omitted if aud is specified OAuth scopes
sub Email address of the service account Email address of a user account for domain wide delegation, omitted otherwise

Service account JWT assertions can be valid up to one hour, and they can't be revoked.

External JSON Web Tokens

External JSON Web Tokens (JWTs) are issued by an external identity provider such as Microsoft Entra ID, Okta, Kubernetes, or GitHub. They might differ in their structure and contents.

By configuring Workforce Identity Federation or Workload Identity Federation, you can set up a trust relationship between Google Cloud and an external identity provider. Workloads can then use external JWTs as token-granting tokens to obtain federated access tokens.

When you use Workforce Identity Federation, the resulting federated access token authenticates a workforce identity pool principal.

When you use Workload Identity Federation, the resulting federated access token authenticates a workload identity pool principal.

In both cases, the principal identifier is derived from one or more claims of the external JWT.

To be compatible with Workforce Identity Federation or Workload Identity Federation, external JWTs must satisfy specific requirements.

External SAML assertions or responses

External Security Assertion Markup Language (SAML) assertions are SAML 2.0 assertions that are issued by an external identity provider such as Microsoft Entra ID, Okta, or Active Directory Federation Services. These external SAML assertions can optionally be enclosed in a SAML 2.0 response or be encrypted.

Like with external JSON Web Tokens, you can configure Workforce Identity Federation or Workload Identity Federation so that workloads can use external SAML assertions or responses as token-granting tokens to obtain federated access tokens.

To be compatible with Workforce Identity Federation or Workload Identity Federation, external SAML assertions must satisfy specific requirements.

Amazon Web Services (AWS) GetCallerIdentity token

External AWS GetCallerIdentity tokens are text blobs that contain a signed request to the AWS GetCallerIdentity API. Similar to external JSON Web Tokens and SAML assertions, you can configure Workforce Identity Federation or Workload Identity Federation so that workloads can use these text blobs as a token-granting token to obtain federated access tokens.

Identity tokens

Identity (ID) tokens let clients identify the user that they're interacting with. Google Cloud supports multiple different types of identity tokens, and they all have the following in common:

  • They're formatted as JSON Web Tokens (JWTs) so that they can be decoded, verified, and interpreted by the client.

  • They authenticate a principal, which can be a user or a workload.

  • They're issued to one particular client.

  • They're short-lived and expire after at most one hour.

  • They're not revocable.

  • They can't be used for making Google API calls, which distinguishes them from access tokens.

  • They can't be used to obtain access tokens, which distinguishes them from token-granting tokens.

  • They can be used to authenticate calls between microservices, or to programmatically authenticate to Identity-Aware Proxy (IAP).

Identity tokens can differ in the following ways:

  • Audience: The party that's intended to decode and consume the token.

  • Issuer: The party that issues the token.

  • Lifetime: The tokens differ in lifetime, and to what extent they can be modified.

  • Principal: The type of principal identity that the token can authenticate.

The following table lists the different types of identity tokens.

Token type Issuer Audience Principal Lifetime
User ID token Google authorization server OAuth/OIDC client
  • User (managed user)
  • User (consumer account)
1 hour
Service account ID token Google Cloud IAM authorization server Free to choose any audience Service account 1 hour
Identity-Aware Proxy (IAP) assertion IAP
  • Backend
  • App Engine app
  • User (managed user)
  • User (consumer account)
  • Workforce identity pool principal
10 minutes
SAML assertion Google authorization server SAML app User (managed user) 10 minutes

User ID tokens

User ID tokens are JSON Web Tokens (JWTs) that authenticate a user. Clients can obtain a user ID Token by initiating an OIDC authentication flow.

User ID tokens are signed using the Google JSON Web Key Set (JWKS). The Google JWKS is a global resource, and the same signing keys are used for different types of users, including the following:

  • Managed user accounts

  • Consumer user accounts

  • Service accounts

A decoded user ID token looks similar to the following, with SIGNATURE replaced by the token's signature:

{
  "alg": "RS256",
  "kid": "c37da75c9fbe18c2ce9125b9aa1f300dcb31e8d9",
  "typ": "JWT"
}.{
  "iss": "https://accounts.google.com",
  "azp": "1234567890-123456789abcdef.apps.googleusercontent.com",
  "aud": "1234567890-123456789abcdef.apps.googleusercontent.com",
  "sub": "12345678901234567890",
  "at_hash": "y0LZEe-ervzRNSxn4R-t9w",
  "name": "Example user",
  "picture": "https://lh3.googleusercontent.com/a/...",
  "given_name": "Example",
  "family_name": "User",
  "hd": "example.com",
  "iat": 1745361695,
  "exp": 1745365295
}.SIGNATURE

An ID token includes the following fields:

Field Name Description
aud Audience

The OAuth client that this token is for, identified by its OAuth client ID.

OAuth clients can obtain access tokens for other OAuth clients that belong to the same project. In this case, the audience might differ from the authorized party.

azp Authorized party The OAuth client that performed the OIDC authentication flow, identified by its OAuth client ID.
exp Expiry The expiry time of the token, in Unix epoch time format.
hd Hosted domain

The primary domain of the user's Cloud Identity or Google Workspace account.

This claim is only present if the user is a managed user account and the client specified the hd parameter in the authentication request.

iss Issuer The issuer of the token. Always set to https://accounts.google.com.
sub Subject

The authenticated principal, identified by their unique ID.

This ID is equivalent to the ID exposed in the Directory API.

The exact set of claims included in an ID token depends on the scope parameter in the authentication request.

To identify whether a user is a managed user account, or to identify the Cloud Identity or Google Workspace account a user belongs to, clients must inspect the hd claim.

User ID tokens are valid for one hour, and can't be revoked.

Service account ID tokens

Service account ID tokens are JSON Web Tokens (JWTs) that authenticate a service account.

Unlike service account JWTs and service account JWT assertions, service account ID tokens aren't signed by a service account key. Instead, service account ID tokens are signed by the Google JSON Web Key Set (JWKS).

A decoded service account ID token looks similar to the following, with SIGNATURE replaced by the token's signature:

{
  "alg": "RS256",
  "kid": "c37da75c9fbe18c2ce9125b9aa1f300dcb31e8d9",
  "typ": "JWT"
}.{
  "aud": "example-audience",
  "azp": "112010400000000710080",
  "email": "service-account@example.iam.gserviceaccount.com",
  "email_verified": true,
  "exp": 1745365618,
  "iat": 1745362018,
  "iss": "https://accounts.google.com",
  "sub": "112010400000000710080"
}.SIGNATURE

A service account ID token includes the following fields:

Field Name Description
aud Audience Identifier of the party that this token is for. The value can be freely chosen by the token requester.
azp Authorized party The service account that requested the token, identified by its unique ID.
exp Expiry The expiry time of the token, in Unix epoch time format.
iss Issuer The issuer of the token, always set to https://accounts.google.com.
sub Subject The service account that requested the token, identified by its unique ID.

The exact set of claims included in an ID token depends on the way the ID token is requested. For example, ID tokens requested by the Compute Engine metadata server can optionally include additional claims that assert the identity of the VM. ID Tokens requested by using the IAM Credentials API can optionally contain the organization ID of the service account's project.

Unlike user ID tokens, service account ID tokens don't support the hd claim.

Service account ID tokens are valid for one hour, and can't be revoked.

Identity-Aware Proxy assertions

Identity-Aware Proxy (IAP) assertions are JSON Web Tokens (JWTs) that IAP passes to IAP-protected web applications in the x-goog-iap-jwt-assertion HTTP request header. IAP assertions authenticate a user and also serve as proof that a request was authorized by IAP.

Unlike user ID tokens and service account ID tokens, IAP assertions aren't signed using the Google JSON Web Key Set (JWKS). Instead, IAP assertions are signed using a separate JWKS, the IAP JWKS. This JWKS is a global resource, and the same signing keys are used for different types of users, including the following:

  • Managed user accounts

  • Consumer accounts

  • Service accounts

  • Workforce identity pool principals

A decoded IAP assertion looks similar to the following, with SIGNATURE replaced by the token's signature:

{
  "alg": "ES256",
  "typ": "JWT",
  "kid": "4BCyVw"
}.{
  "aud": "/projects/0000000000/global/backendServices/000000000000",
  "azp": "/projects/0000000000/global/backendServices/000000000000",
  "email": "user@example.com",
  "exp": 1745362883,
  "google": {
    "access_levels": [
      "accessPolicies/0000000000/accessLevels/Australia"
    ]
  },
  "hd": "example.com",
  "iat": 1745362283,
  "identity_source": "GOOGLE",
  "iss": "https://cloud.google.com/iap",
  "sub": "accounts.google.com:112010400000000710080"
}.SIGNATURE

If you configure IAP to use Workforce Identity Federation instead of Google identities, IAP assertions look slightly different:

{
  "alg": "ES256",
  "typ": "JWT",
  "kid": "4BCyVw"
}.{
  "aud": "/projects/0000000000/global/backendServices/000000000000",
  "azp": "/projects/0000000000/global/backendServices/000000000000",
  "email": "user@example.com",
  "exp": 1745374290,
  "google": {
    "access_levels": [
      "accessPolicies/0000000000/accessLevels/Australia"
    ]
  },
  "iat": 1745373690,
  "identity_source": "WORKFORCE_IDENTITY",
  "iss": "https://cloud.google.com/iap",
  "sub": "sts.google.com:AAFTZ...Q",
  "workforce_identity": {
    "iam_principal": "principal://iam.googleapis.com/locations/global/workforcePools/example/subject/user-0000000000",
    "workforce_pool_name": "locations/global/workforcePools/example"
  }
}.SIGNATURE

An IAP assertion includes the following fields:

Field Name Description
aud Audience The backend service, App Engine application, or Cloud Run service that the IAP assertion is intended for.
iss Issuer The issuer of the token, always set to https://cloud.google.com/iap
sub Subject

The authenticated principal, identified by their unique ID.

If IAP is configured to use Google identities, this ID is equivalent to the ID exposed in the Directory API.

For further details about the IAP assertion claims, see Verifying the JWT payload.

IAP assertions are valid for 10 minutes, and can't be revoked.

SAML assertions

Security Assertion Markup Language (SAML) assertions authenticate a managed user account and authorize them to access a custom SAML app. SAML assertions are issued and signed by Cloud Identity and can only be used to authenticate managed user accounts.

Unlike ID tokens which are signed by using global key, SAML assertions are signed by using a key that is specific to a Cloud Identity or Google Workspace account.

A decoded SAML response assertion looks similar to the following:

<saml2:Assertion
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="..."
  IssueInstant="2025-04-23T22:47:20.881Z"
  Version="2.0">
  <saml2:Issuer>
    https://accounts.google.com/o/saml2?idpid=C0123456789
  </saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
  <saml2:Subject>
    <saml2:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
        user@example.com
    </saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData
        NotOnOrAfter="2025-04-23T22:52:20.881Z"
        Recipient="https://app.example.com/"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>

  <saml2:Conditions
    NotBefore="2025-04-23T22:42:20.881Z"
    NotOnOrAfter="2025-04-23T22:52:20.881Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>example-app</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>

  <saml2:AuthnStatement
    AuthnInstant="2025-04-23T22:46:44.000Z"
    SessionIndex="...">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
      </saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>

A SAML assertion includes the following fields:

Field Name Description
Audience Audience Entity ID of the SAML app.
Issuer Issuer Issuer of the token, specific to a Cloud Identity or Google Workspace account.
NameID Subject The authenticated principal. The format of the identifier depends on the SAML app's configuration.

The exact set of attributes included in a SAML assertion depends on the SAML app's configuration.

SAML assertions are valid for 10 minutes, and can't be revoked.